Failed to process CT_KIP clientNonceRequest error when trying to import an RSA SecurID software token using CT-KIP for RSA Authentication Manager 8.x
Originally Published: 2020-04-17
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
When end users try to import an RSA SecurID software token to their device using CT-KIP, the import fails. The end user sees the following error:
Token import failed. Verify that the information entered is correct or contact your administrator.
The System Activity Monitor shows the following errors while trying to import the token:
Administrator “SYSTEM” attempted to execute command “com.rsa.authmgr.internal.ctkip.command.ProcessCTKIPClientRequestCommand”
<EJB exception occurred during invocation from home or business: com.rsa.command.CommandServerEjb30_vraifm_Intf generated exception: com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: com.rsa.common.SystemException: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.common.SystemException:
com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort>
Cause
Resolution
- Download a new copy of your RSA Authentication Manager license from https://my.rsa.com/. Follow steps in Downloading RSA Authentication Manager license files or RSA Software token seed records
Since all of the license files available on myRSA have been updated, it is a requirement to download the new license, even if you have an old copy of the license files stored locally.
- Create a Backup Using Back Up Now.
- Enable Secure Shell on the Appliance.
- Using WinSCP, copy the defaultRSAToolbar.cer and defaultRSAToolbar.key from the newly downloaded license to /tmp on the primary RSA Authentication Manager server.
- Launch an SSH client, such as PuTTY.
- Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.
During Quick Setup another username may have been selected. Use that username to log in.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Get the database password. The password string is different for each deployment of RSA Authentication Manager.
rsaadmin@primary:> /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password> com.rsa.db.dba.password: u2Z8iMYLWmaT2hgdIdNUjBLFKiMnJw
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password> com.rsa.db.dba.password: u2Z8iMYLWmaT2hgdIdNUjBLFKiMnJw
- Capture the com.rsa.db.dba.password in the output above, then use it to access the database:
rsaadmin@primary:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password from above>
Password for user rsa_dba: <enter the com.rsa.db.dba.password from above>
- Run the following SQL statement:
DELETE FROM rsa_rep.ims_config_value WHERE name LIKE '%ctkip.service.keystore%';
- Exit the database by typing \q, then run the following commands:
rsaadmin@primary:> cd /opt/rsa/am/utils
rsaadmin@primary:> ./rsautil install-ctkip-keystore -l /tmp -k defaultRSAToolbar.key -c defaultRSAToolbar.cer
rsaadmin@primary:> ./rsautil install-ctkip-keystore -l /tmp -k defaultRSAToolbar.key -c defaultRSAToolbar.cer
- Restart the RSA Authentication Manager services:
rsaadmin@primary:> cd /opt/rsa/am/server
rsaadmin@primary:> ./rsaserv restart all
rsaadmin@primary:> ./rsaserv restart all
Related Articles
Failed to generate QR Code error when trying to activate software token using QR code in RSA Authentication Manager 8.x Se… Number of Views Passcode format error when trying to set a PIN thru a Cisco ASA Number of Views Error: 'Web-tier host certificate creation failed' when trying to create a web tier package Number of Views Error: Unable to perform pre-login process when trying to login to RSA Authentication Manager 8.x Web Tier Self Service Co… Number of Views Error This replica exceeds the number of instances allowed by the license when trying to attach replica in RSA Authenticat… Number of Views
Trending Articles
RSA Authentication Manager Patch Updates RSA Authenticator for iOS and Android Administrator Guide - Mobile Lock RSA SecurID software token .sdtid file fails to import into RSA SecurID Software Token 5.0 for Windows RSA Authentication Manager Upgrade Process RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
Don't see what you're looking for?
