healthCheck.do returns 'Get Key Error: 20010' and key-manager.log shows 'ClientID and Identity doesnot match'
Originally Published: 2011-01-10
Issue
B) When accessing the health check monitoring URL (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12') in a web browser, the following page is shown:
0
Using init config file /tmp/16875.497.test_init.cfg
Using service config file config/test_svc.cfg
########################################### ############################
Retrieving key via key class
######## ########################################################## #####
bin/get_key_by_class/get_key_by_class -init_file /tmp/16875.497.test_init.cfg -svc_file config/test_svc.cfg -key_class "healthcheck_keyclass"
Getting key by Key Class healthcheck_keyclass...
ERROR: R_KM_KEY_get_by_class by Key Class healthcheck_keyclass returned 20010
Get Key Error: 20010
DONE: 0
C) The RKM Server log, key-manager.log, shows the following corresponding exception:
2011-01-07 09:34:27,147 ERROR TP-Processor11 com.rsa.keymanager.server.shampoo.skeleton.KeyManagerShampooErrorHandler - NO LOG MESSAGE
au.net.netstorm.boost.primordial.PrimordialException: ClientID and Identity doesnot match
    at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.checkIdentity(DefaultClientRequestHandler.java:143)
    at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.getIdentityPolicy(DefaultClientRequestHandler.java:147)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.edge.java.lang.reflect.DefaultEdgeMethod.invoke(DefaultEdgeMethod.java:11)
    at com.rsa.shampoo.skeleton.DefaultSkeleton.downCall(DefaultSkeleton.java:72)
    at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:46)
    at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:40)
    at com.rsa.shampoo.skeleton.DefaultErrorSkeleton.call(DefaultErrorSkeleton.java:21)
    at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:41)
    at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.doCall(DefaultShampooSkeleton.java:36)
    at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:30)
    at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.processRequest(DefaultRpcRequestHandler.java:28)
    at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.handle(DefaultRpcRequestHandler.java:22)
    at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.get(ShampooServlet.java:24)
    at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.post(ShampooServlet.java:20)
    at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:75)
    at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:55)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.auth.z.IdentityStampLayer.invoke(IdentityStampLayer.java:31)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.auth.z.PersonalityLayer.invoke(PersonalityLayer.java:53)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.call(AuthenticationServletFilter.java:71)
    at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:55)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
    at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
    at com.rsa.keymanager.server.transport.core.filter.ServerAccessibilityFilter.doFilter(ServerAccessibilityFilter.java:29)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
    at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.TransactionLayer.invoke(TransactionLayer.java:32)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:36)
    at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:30)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.RequestStampLayer.invoke(RequestStampLayer.java:30)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.FrozenClockLayer.invoke(FrozenClockLayer.java:33)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.ThreadLocalGlobalsLayer.invoke(ThreadLocalGlobalsLayer.java:27)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at com.rsa.keymanager.server.transport.core.filter.EntryFilter.doFilter(EntryFilter.java:27)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
    at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)
D) The client application name (client.app_name) and ID (client.app_id) in the RKM Client registration file (/opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg) used by healthCheck did not exist or could not be located in the RKM Server GUI (/KMS).
Contents of test_appreg.cfg looked like the following (notice the lines in red for client.app_name and client.app_id):
client.policy_signature = L3i5XrUb5f2mxWQL2BtZlYSS7eHwRjqC3piwaapZvCRPZbvAoQmA/dCaSiZ2PpFUK8TEdGqkLYSArWGOKcoVRt10Eq6oMGO5PmTB3w3c72wj9ewBvkFk/dLtZB8H8FBLSgfR3Htk8OIrpEjkGcaRSgpN6AZigG/dVYOwISlcQG4=
client.applicationpolicy = 000102030405060708091011
client.rkm_svr_public_key = MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgXACydRqPnPZVO0LE/23Lsgq6FihvSfnmVHab62uVnCqmg+3VZdwC9whx+8IdtXQ0nitKjVqbHPAeFVbuEzLNzNy7boWkZZQ1iiUDrVOPVYFqfKWcehIJ1uoxRcMeNMYDp3vwPPj4KB4x8VuAONhMZP0YzpKrTPwyF5hfx5wwiwIDAQAB
client.app_name = RKMDemorkm.appliance.net2010:12:22:16:10:13
client.actmgmt_enable = 0
client.registration_state = 3
client.actmgmt_poll_interval = 0
client.app_id = 05cf24e3-c01e-4676-9b73-b0e6c35e652d-559a7cba-20b7-4021-8a02-b2429e9ded80
client.policy_name = DEFAULT_POLICY
Cause
One change was made to the environment: A previous certificate used with healthCheck.do had expired and a new certificate was issued and configured with healthCheck.do (for more details, see solution RKM Appliance health check monitoring URL healthCheck.do returns 'Get Key Error: 10039').
Resolution
1. Stop the Apache web server so that no RKM requests (especially healthCheck.do requests) are answered while this issue is being fixed:
service httpd stop
2. Make a backup of the existing file /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg
3. Use vi to edit test_appreg.cfg:
vi /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg
4. Edit test_appreg.cfg so that it has the following contents (note that client.app_name must get a unique value; updating the date/time stamp is one way to do so):
client.app_name = RKMDemorkm.appliance.net2011:01:07:14:50:13
client.actmgmt_enable = 0
client.registration_state = 0
client.actmgmt_poll_interval = 0
5. Ensure that the PKCS#12 file (e.g., client.p12 in the above example) is the correct one and is properly configured on the RKM Server GUI (/KMS).
6. Start the Apache web server:
service httpd start
7. Test by accessing the health check URL in a browser (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12')
8. A successful healthCheck transaction should be reflected by:
(a) successful get key on browser,
(b) test_appreg.cfg updated with client.app_id and other parameters, and
(c) a client record created on RKM Server and viewable via Clients tab
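Steps 2 to 4 can be scripted so that the backup is never skipped and the new client.app_name is always unique. The following is an added example, not RSA tooling or part of the original article; the function names reset_appreg and appreg_get are hypothetical, and it assumes the existing client.app_name ends in a YYYY:MM:DD:HH:MM:SS stamp as in the sample above.

```shell
#!/bin/sh
# Added example (not RSA tooling): steps 2-4 of the procedure as one function.
# Steps 1 and 6 (service httpd stop / start) stay with the operator.
# Usage: reset_appreg /path/to/test_appreg.cfg

# Print the value of a "key = value" line in a registration file.
appreg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# $1 = registration file, $2 = optional YYYY:MM:DD:HH:MM:SS stamp (default: now).
# Prints the backup path on success.
reset_appreg() {
    cfg=$1
    stamp=${2:-$(date +%Y:%m:%d:%H:%M:%S)}
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    old_name=$(appreg_get "$cfg" 'client\.app_name')
    [ -n "$old_name" ] || { echo "client.app_name missing in $cfg" >&2; return 1; }

    # Assumption: the name ends in a date/time stamp as in the article's sample.
    # Strip that stamp and append a new one so the name is unique.
    base=$(printf '%s\n' "$old_name" | sed 's/[0-9]\{4\}\(:[0-9]\{2\}\)\{5\}$//')
    new_name="${base}${stamp}"
    [ "$new_name" != "$old_name" ] || { echo "app_name unchanged" >&2; return 1; }

    # Step 2: back up first; the old app_id and policy signature survive only here.
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 1; }
    cp -p "$cfg" "$backup" || return 1

    # Step 4: write in place (keeps owner and mode) with registration_state = 0.
    # The app_id, policy and key lines are dropped, matching the contents in step 4.
    cat > "$cfg" <<EOF
client.app_name = $new_name
client.actmgmt_enable = 0
client.registration_state = 0
client.actmgmt_poll_interval = 0
EOF
    echo "$backup"
}
```

After the health check succeeds, comparing the rewritten file with the backup shows the new client.app_id described in step 8 (b).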