healthCheck.do returns 'Get Key Error: 20010' and key-manager.log shows 'ClientID and Identity doesnot match'

3 years ago

Originally Published: 2011-01-10

Article Number

000054182

Applies To

RSA Key Manager Appliance 2.7 SP1

Issue

A) healthCheck.do returns "Get Key Error: 20010" and key-manager.log shows "ClientID and Identity doesnot match"

B) When accessing health check monitoring URL (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12') on a web browser, the following page is shown:

0 Using init config file /tmp/16875.497.test_init.cfg Using service config file 
config/test_svc.cfg ###########################################
############################ Retrieving key via key class ########
##########################################################
##### bin/get_key_by_class/get_key_by_class -init_file /tmp/16875.497.test_init.cfg 
-svc_file config/test_svc.cfg -key_class "healthcheck_keyclass" Getting key 
by Key Class healthcheck_keyclass... ERROR: R_KM_KEY_get_by_class 
by Key Class healthcheck_keyclass returned 20010 Get Key Error: 20010 
DONE: 0

C) RKM Server logs, key-manager.log, shows the following corresponding exception:

2011-01-07 09:34:27,147 ERROR TP-Processor11 com.rsa.keymanager.server.shampoo.skeleton.KeyManagerShampooErrorHandler - NO LOG MESSAGE
au.net.netstorm.boost.primordial.PrimordialException: ClientID and Identity doesnot match
 at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.checkIdentity(DefaultClientRequestHandler.java:143)
 at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.getIdentityPolicy(DefaultClientRequestHandler.java:147)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.edge.java.lang.reflect.DefaultEdgeMethod.invoke(DefaultEdgeMethod.java:11)
 at com.rsa.shampoo.skeleton.DefaultSkeleton.downCall(DefaultSkeleton.java:72)
 at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:46)
 at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:40)
 at com.rsa.shampoo.skeleton.DefaultErrorSkeleton.call(DefaultErrorSkeleton.java:21)
 at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:41)
 at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.doCall(DefaultShampooSkeleton.java:36)
 at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:30)
 at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.processRequest(DefaultRpcRequestHandler.java:28)
 at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.handle(DefaultRpcRequestHandler.java:22)
 at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.get(ShampooServlet.java:24)
 at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.post(ShampooServlet.java:20)
 at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:75)
 at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:55)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.auth.z.IdentityStampLayer.invoke(IdentityStampLayer.java:31)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.auth.z.PersonalityLayer.invoke(PersonalityLayer.java:53)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.call(AuthenticationServletFilter.java:71)
 at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:55)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
 at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
 at com.rsa.keymanager.server.transport.core.filter.ServerAccessibilityFilter.doFilter(ServerAccessibilityFilter.java:29)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
 at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.TransactionLayer.invoke(TransactionLayer.java:32)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:36)
 at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:30)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.RequestStampLayer.invoke(RequestStampLayer.java:30)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.FrozenClockLayer.invoke(FrozenClockLayer.java:33)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.ThreadLocalGlobalsLayer.invoke(ThreadLocalGlobalsLayer.java:27)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at com.rsa.keymanager.server.transport.core.filter.EntryFilter.doFilter(EntryFilter.java:27)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
 at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
 at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
 at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
 at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
 at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
 at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
 at java.lang.Thread.run(Thread.java:619)

D) Client application name (client.app_name) and id (client.app_id) in the RKM Client registration file (/opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg) used by healthCheck did not exist or could not be located on RKM Server GUI (/KMS).

Contents of test_appreg.cfg looked like the following (notice the lines in red for client.app_name and client.app_id):

client.policy_signature = L3i5XrUb5f2mxWQL2BtZlYSS7eHwRjqC3piwaapZvCRPZbvAoQmA/dCaSiZ2PpFUK8TEdGqkLYSArWGOKcoVRt10Eq6oMGO5PmTB3w3c72wj9ewBvkFk/dLtZB8H8FBLSgfR3Htk8OIrpEjkGcaRSgpN6AZigG/dVYOwISlcQG4=
client.applicationpolicy = 000102030405060708091011
client.rkm_svr_public_key = MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgXACydRqPnPZVO0LE/23Lsgq6FihvSfnmVHab62uVnCqmg+3VZdwC9whx+8IdtXQ0nitKjVqbHPAeFVbuEzLNzNy7boWkZZQ1iiUDrVOPVYFqfKWcehIJ1uoxRcMeNMYDp3vwPPj4KB4x8VuAONhMZP0YzpKrTPwyF5hfx5wwiwIDAQAB
client.app_name = RKMDemorkm.appliance.net2010:12:22:16:10:13
client.actmgmt_enable = 0
client.registration_state = 3
client.actmgmt_poll_interval = 0
client.app_id = 05cf24e3-c01e-4676-9b73-b0e6c35e652d-559a7cba-20b7-4021-8a02-b2429e9ded80
client.policy_name = DEFAULT_POLICY

Cause

An exact cause is not known as to why client.app_name and client.app_id listed in test_appreg.cfg did not exist on RKM Server.

One change was made to the environment: A previous certificate used with healthCheck.do had expired and a new certificate was issued and configured with healthCheck.do (for more details, see solution RKM Appliance health check monitoring URL healthCheck.do returns 'Get Key Error: 10039').

Resolution

Follow the steps listed below to reset contents of test_appreg.cfg so that RKM Client associated with healthCheck.do re-initializes it with valid client.app_name, client.app_id, and other parameters:

1. Stop Apache web server so no RKM requests (especially healthCheck.do requests) are responded to while this issue is being fixed:

service httpd stop

2. Make a backup of the existing file /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg

3. Use vi to edit test_appreg.cfg:

vi /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg

4. Edit test_appreg.cfg so that it has the following contents (note that client.app_name must get a unique value, updating date/time stamp is one way to do so):

client.app_name = RKMDemorkm.appliance.net2011:01:07:14:50:13
client.actmgmt_enable = 0
client.registration_state = 0
client.actmgmt_poll_interval = 0

5. Ensure that the PKCS#12 (e.g., client.p12 in the above example) is the correct one and properly configured on RKM Server GUI (/KMS)

6. Start Apache web server:

service httpd start

7. Test by accessing the health check URL in a browser (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12')

8. A successful healthCheck transaction should be reflected by:
    (a) successful get key on browser,
    (b) test_appreg.cfg updated with client.app_id and other parameters, and
    (c) a client record created on RKM Server and viewable via Clients tab

Notes

For additional possible scenarios when you may get error 20010, see solution RKM: Resolve Client error 20010 and Server error 'ClientID and Identity doesnot match'

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles