Remote Agent fails to start with 'Could not load certificate' error in RSA Identity Governance & Lifecycle
Originally Published: 2017-01-26
Article Number
Applies To
RSA Version/Condition: 6.x, 7.0.x, 7.1.x, 7.2.x
Issue
INFO [com.aveksa.server.certificates.CertificateManager]
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)
Cause
Resolution
For steps to do this, please see RSA Knowledge Base Article 000038314 -- How to update the root (server) and client certificates in RSA Identity Governance & Lifecycle.
Notes
Related Articles
Restore database script does not load the data Number of Views FIM fimconsole does not load. error 'One or more instances could not be retrieved' Number of Views Users tab slow to load in SecurID Governance & Lifecycle Number of Views AFX new or updated Connectors remain in a Deployed state and the MMC application fails to load in RSA Identity Governance … Number of Views How to call a stored procedure from the Generic Database AFX Connector in RSA Identity Governance & Lifecycle Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU Disabling weak ciphers using port 1813 in RSA Authentication Manager 8.3 patch 1
Don't see what you're looking for?
