Unable to Authenticate to vCenter – "Signature Certificate Verification Failed: Signature Does Not Match"
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.x
Platform: VMware vCenter
Issue
Users were unable to log in to vCenter using RSA authentication. The error displayed was "invalid credentials", and no authentication requests were reaching the RSA Authentication Manager authentication monitor.
Cause
- The vCenter SSO logs (/var/log/vmware/sso) showed repeated errors indicating that certificate validation had failed. Because the validation fails, the RSA agent inside SSO cannot process the configuration response from Authentication Manager, as the entry "ConfigurationResponse(Init) - Response validation & verification failed" shows, so every attempt to initialise or update the agent configuration ends in an error.
- RSA agent log entries:
[2024-12-17 12:02:23,623] FATAL tomcat-http--47 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Signature does not match.
[2024-12-17 12:02:23,623] FATAL tomcat-http--47 - {validateConfigResponse} ConfigResponse signing cert validation and verification failed: com.rsa.authagent.authapi.AuthAgentException: Signature Certificate Verification Failed:Signature does not match.
[2024-12-17 12:02:23,623] FATAL tomcat-http--47 - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
[2024-12-17 12:02:23,623] ERROR tomcat-http--47 - Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
[2024-12-17 12:23:31,525] FATAL tomcat-http--29 - RSA Authentication API for Java v8.6.0.0.0[75] started
[2024-12-17 12:23:31,525] INFO tomcat-http--29 - sdopts.rec doesn't exist
[2024-12-17 12:23:31,525] INFO tomcat-http--29 - securid doesn't exist
[2024-12-17 12:23:31,527] INFO tomcat-http--29 - {AuthSessionFactory} Initializing Configuration data
[2024-12-17 12:23:31,528] INFO tomcat-http--29 - {AgentConfigHandler::processLoadBalancingSettings}Dynamic Load balancing chosen
[2024-12-17 12:23:31,528] INFO tomcat-http--29 - {AgentConfigHandler.enumerateServerList} Resolving host: xxxx.xxx.domain.com
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - {AgentConfigHandler.enumerateServerList} adding address: 10.xx.xx.xx
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - {AgentConfigHandler::processLoadBalancingSettings}Enumerating Avoid hostnames list
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - {setServerLoadBalanceInfo} dynamic (response time based) load balancer selected
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - {AgentConfigHandler.initializeConfig} using client-configured connect timeout: 60
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - {AgentConfigHandler.initializeConfig} using client-configured read timeout: 60
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - Updating the retry count to totalServers-1
[2024-12-17 12:23:31,529] INFO tomcat-http--29 - MaxRetry: 0 Total Servers: 1
[2024-12-17 12:23:31,624] INFO tomcat-http--29 - {handleConfigInit} Config init resp: <cfg:ConfigurationResponse xmlns:cfg="http://www.rsa.com/schemas/2008/05/CommonAPI/configuration" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:stat="http://www.rsa.com/schemas/2008/05/CommonAPI/status" xmlns:xenc10="http://www.w3.org/2001/04/xmlenc#"> <stat:Status Status="SUCCESS"/>
[2024-12-17 12:23:31,627] FATAL tomcat-http--29 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Signature does not match.
[2024-12-17 12:23:31,627] FATAL tomcat-http--29 - {validateConfigResponse} ConfigResponse signing cert validation and verification failed: com.rsa.authagent.authapi.AuthAgentException: Signature Certificate Verification Failed:Signature does not match.
[2024-12-17 12:23:31,627] FATAL tomcat-http--29 - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
[2024-12-17 12:23:31,627] ERROR tomcat-http--29 - Exception processing configuration data Exception processing configuration data Invalid config response from the server: Response validation & verification failed!
- Corresponding websso log entries:
2024-12-17T12:23:31.627Z INFO websso[65:tomcat-http--29] [CorId=2842c422-2601-4748-bb50-e3be1d0c5036] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [username@vsphere.local] in tenant [vsphere.local] in [106] milliseconds with rsa secureID
2024-12-17T12:23:31.627Z ERROR websso[65:tomcat-http--29] [CorId=2842c422-2601-4748-bb50-e3be1d0c5036] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to create AuthSessionFactory instance with /etc/vmware-sso/vsphere.local/rsa_api.properties'
com.vmware.identity.idm.IDMException: Failed to create AuthSessionFactory instance with /etc/vmware-sso/vsphere.local/rsa_api.properties
    at com.vmware.identity.idm.server.AuthSessionFactoryCache.getAuthnFactory(AuthSessionFactoryCache.java:72) ~[libvmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.authenticateRsaSecurId(IdentityManager.java:3561) ~[libvmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.authenticateRsaSecurId(IdentityManager.java:10606) [libvmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.client.CasIdmClient.authenticateRsaSecurId(CasIdmClient.java:1379) [libvmware-identity-idm-client.jar:?]
    at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticatebyPasscode(CasIdmAccessor.java:494) [libwebsso.jar:?]
- The logs also show that user authentication failed as a consequence of the certificate problem: the websso entry records that authentication for the user username@vsphere.local failed with RSA SecurID, and the accompanying exception shows that the AuthSessionFactory could not be created from rsa_api.properties. The agent never initialised, which is why no request reached the Authentication Manager authentication monitor and the user saw only "invalid credentials".
- Reviewing the sdconf.rec in use showed that it did not carry the current RSA Authentication Manager root certificate, even though a new root certificate had recently been generated; the agent therefore rejected the signature on the configuration response.
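To tell this condition apart from a genuinely wrong passcode before digging through the full log, the following Python triage script (added here; not part of the article or of RSA or VMware tooling) scans an extract of the SSO logs for the signatures quoted above. The sample lines are constructed from the entries in this article.

```python
import re
from typing import Dict, List

# Constructed sample: three RSA agent entries and one websso entry shaped
# like the lines quoted in this article (CorId shortened).
SAMPLE_LOG = """\
[2024-12-17 12:23:31,624] INFO tomcat-http--29 - {handleConfigInit} Config init resp: <cfg:ConfigurationResponse ...>
[2024-12-17 12:23:31,627] FATAL tomcat-http--29 - {validateSignCertwithRootCert} ConfigResponse Signing Cert Validation failed Signature does not match.
[2024-12-17 12:23:31,627] FATAL tomcat-http--29 - {handleConfigUpdate} ConfigurationResponse(Init) - Response validation & verification failed
2024-12-17T12:23:31.627Z ERROR websso[65:tomcat-http--29] [CorId=2842c422-...] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed to create AuthSessionFactory instance with /etc/vmware-sso/vsphere.local/rsa_api.properties'
"""

# Signatures in the order they appear when the agent fails to initialise.
PATTERNS = {
    "config_init_attempted": re.compile(r"\{handleConfigInit\} Config init resp"),
    "root_cert_mismatch": re.compile(r"\{validateSignCertwithRootCert\}.*Signature does not match"),
    "config_response_rejected": re.compile(r"ConfigurationResponse\(Init\) - Response validation & verification failed"),
    "auth_factory_failed": re.compile(r"Failed to create AuthSessionFactory instance with (\S+?)'"),
}


def scan_sso_log(text: str) -> Dict[str, List[str]]:
    """Return, for each signature, the log lines that matched it."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits[name].append(line)
    return hits


def rsa_properties_path(hits: Dict[str, List[str]]) -> str:
    """Path of the rsa_api.properties the IDM tried to load, or '' if none was logged."""
    for line in hits["auth_factory_failed"]:
        m = PATTERNS["auth_factory_failed"].search(line)
        if m:
            return m.group(1)
    return ""


def diagnose(hits: Dict[str, List[str]]) -> str:
    """Map the matched signatures to the most likely cause, most specific first."""
    if hits["root_cert_mismatch"] and hits["auth_factory_failed"]:
        return "sdconf.rec root certificate mismatch: agent never initialised, requests do not reach AM"
    if hits["auth_factory_failed"]:
        return "agent initialisation failed for another reason: inspect the config response errors"
    if hits["config_init_attempted"]:
        return "agent initialised: check the AM authentication monitor for the request"
    return "no RSA agent initialisation in this log extract"


if __name__ == "__main__":
    found = scan_sso_log(SAMPLE_LOG)
    print(diagnose(found), "| properties:", rsa_properties_path(found))
```

Feed it the concatenated agent and websso logs from /var/log/vmware/sso for the time window of a failed login; a hit on the first branch means the fix is a regenerated sdconf.rec, not a password reset.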
Resolution
- Download the Authentication Manager root certificate and save it in .cer format.
- In the RSA Authentication Manager Security Console go to Setup > System Settings > Agents.
- Click on the link labeled To configure agents using IPV6, click here.
- In the Existing Certificate Details section, click Choose File, select the Authentication Manager root certificate file you just exported, and then click Update.
- Now browse to Access > Authentication Agents > Generate Configuration File.
- Generate and download a new AM_Config.zip file.
- Unzip the AM_Config.zip to extract the new sdconf.rec.
- Upload the new sdconf.rec to the vCenter using winscp.
- Modify the permissions of the file:
- chmod 777 sdconf.rec
- Then run the following commands:
- cd /opt/vmware/bin
- ./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true
- ./sso-config.sh -set_rsa_site -t vsphere.local -agentName <Agent Name> -sdConfFile /sdconf.rec
- ./sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName ssolabs.com -ldapAttr userPrincipalName
- Confirm the configuration with the command: ./sso-config.sh -t vsphere.local -get_rsa_config