RSA Key Manager Server
Microsoft Windows 2003 Server SP1
Apache Tomcat 5.5.20
RKM Server
RKM Client
The RKM Server log file (e.g. C:\Program Files\Apache Software Foundation\Tomcat 5.5\logs\key-manager.log) contains the following error when trying to retrieve a key:
com.rsa.kms.key.support.KeyProviderException: Client failed to provide certificate
or in RKM Server 2.1.2:
com.rsa.keymanager.access.certificate.DefaultCertificateIdentityEstablisher - Request does not contain a certificate.
or
com.rsa.keymanager.access.framework.AuthenticationException: The identity of the request could not be established.
When trying to retrieve a key, the RKM C Client API returns:
ERROR: 20010
If you are using the RKM 2.11 Java Client, running a sample (e.g. CheckConfig) gives the following output:
[java] Attempting to contact Key Manager Server
[java] Key Manager Server IS NOT AVAILABLE
[java] Possible reasons why the sample code is unable to access the
[java] server are:
[java] - The Key Manager server has not been started
[java] - The Key Manager server Master Password has not been entered
[java] - The Key Manager server host name or IP address in the
[java] configuration file is incorrect
[java] - The Key Manager server port number in the configuration file is
[java] incorrect
[java] - The Key Manager server certificate as configured at the client
[java] is not the correct certificate
[java] - An identity matching the client certificate has not been
[java] configured on the server
[java] - RSA Access Manager has not been correctly configured
[java] - The Web Server has not been correctly configured
RKM Java Client 1.5.x shows an "Access Denied" message, e.g.:
com.rsa.kmclient.KMSException: Unable to perfrom decryption : error : Unable to get a vaild key from KMS Server: Unable to get key from KMS Server : KMS Response error : KMSError from KMS Server : error : Access Denied
If you are using IIS 6:
Open IIS Manager. Under Web Sites, right-click your Default Web Site and select Properties.
Click on the "Directory Security" tab -> Edit Secure Communications -> Select "Accept Client Certificate".
Click OK to close.
If you are using IIS 7:
1. Start IIS Manager (Server Manager > Roles > Web Server (IIS) > Internet Information Services)
2. Click on the Web Site
3. Double-click on SSL Settings
4. Under Client certificates, make sure that "Accept" or "Require" is selected
If you are using Apache:
Edit your httpd.conf (or httpd.d/ssl.conf) and look for SSLVerifyClient. Set it and the related directives as follows:
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
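To confirm that the Apache settings above are actually in effect, the following added example (not part of the original article and not RSA code) audits a config file for the three directives. It assumes a single SSL context per file and takes the last uncommented value of each directive; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not RSA code. Function names are hypothetical.
# Assumption: one SSL context per file; the last uncommented value wins.

# Print the last uncommented value of a directive (names are case-insensitive).
last_value() {  # $1 = directive, $2 = config file
    awk -v d="$1" 'BEGIN { d = tolower(d) }
        { sub(/\r$/, "") }              # tolerate CRLF files from Windows
        /^[ \t]*#/ { next }
        tolower($1) == d { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$2"
}

# Return 0 if the file requests client certificates and exports them.
check_client_cert_conf() {  # $1 = config file
    rc=0
    verify=$(last_value SSLVerifyClient "$1" | tr 'A-Z' 'a-z')
    case "$verify" in
        optional|require) ;;            # both make the server request a cert
        "") echo "MISSING: SSLVerifyClient (mod_ssl default is none)"; rc=1 ;;
        *)  echo "WRONG: SSLVerifyClient $verify (article uses optional)"; rc=1 ;;
    esac
    [ -n "$(last_value SSLVerifyDepth "$1")" ] ||
        echo "NOTE: SSLVerifyDepth not set (article uses 10)"
    # Gather every uncommented SSLOptions line; options may be split up.
    opts=$(awk '{ sub(/\r$/, "") } /^[ \t]*#/ { next }
        tolower($1) == "ssloptions" { print tolower($0) }' "$1")
    for o in +stdenvvars +exportcertdata; do
        case "$opts" in
            *"$o"*) ;;
            *) echo "MISSING: SSLOptions $o"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the optional setting is commented out and overridden.
sample=$(mktemp)
printf '%s\n' 'SSLEngine on' '#SSLVerifyClient optional' \
    'SSLVerifyClient none' 'SSLOptions +StdEnvVars' > "$sample"
check_client_cert_conf "$sample" || echo "=> client certificate is not requested or exported"
rm -f "$sample"
```

Run it against httpd.conf and httpd.d/ssl.conf separately; a clean result on one file does not cover directives set in the other.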