Multiple Remote AFX Server Failures caused by 'Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same' after upgrading to version 7.2.0 of RSA Identity Governance & Lifecycle

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
 
Multiple Remote AFX Server failures may occur after upgrading to RSA Identity Governance & Lifecycle 7.2.0.

SYMPTOMS:
  1. Remote AFX Servers go into a Not Running state in the user interface (AFX > Servers).
  2. Download Server Archive for Remote AFX Servers fails to download (AFX > Servers > {AFX Server name} > Download Server Archive). The AFX tab may become inaccessible after such an attempt.
  3. When attempting to create a remote AFX Server (AFX > Servers > Create Server), the Server definition cannot be saved and the remote AFX Server cannot be created.
 

Clicking OK to save the definition results in the following error:
 
Unable to save Server
 


In all these cases, the common denominator is the following error logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
 
03/27/2019 05:36:48.196 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.197 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData]
com.aveksa.server.db.PersistenceException:
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
  at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185)
  at com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData.handleSubmit(BaseEditServerAgentPageData.java:101)
  at com.aveksa.afx.ui.pages.agent.edit.CreateServerAgentPageData.handleSubmit(CreateServerAgentPageData.java:30)
  at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
  at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:605)
  at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
  at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
  at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:186)
  at com.aveksa.gui.core.MainManager.doGet(MainManager.java:130)
  at com.aveksa.gui.core.MainManager.doPost(MainManager.java:428)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
  at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
  at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:62)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
  at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
  at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
  at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
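
Added example (not part of the RSA article or product code): a Python scanner that reads aveksaServer.log text, groups each header line with its message and stack-trace lines, and reports which components logged the key identifier error and when. The header-line layout is assumed from the excerpt above; the sample log is constructed from that excerpt plus one invented INFO record.

```python
import re
from datetime import datetime

# Header layout assumed from the excerpt: MM/DD/YYYY HH:MM:SS.mmm LEVEL (thread) [logger]
HEADER = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \([^)]*\) \[([^\]]+)\]\s*(.*)$"
)
SIGNATURE = ("Issuer key identifier for the subject and the "
             "Subject key identifier for the issuer must be the same")

def parse_records(lines):
    """Yield one record per header line, with message and stack frames attached."""
    record = None
    for raw in lines:
        m = HEADER.match(raw.rstrip())
        if m:
            if record:
                yield record
            ts, level, logger, rest = m.groups()
            record = {"time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
                      "level": level, "logger": logger,
                      "body": [rest] if rest else []}
        elif record is not None and raw.strip():
            # Continuation line: message text, exception class or "at ..." frame
            record["body"].append(raw.strip())
    if record:
        yield record

def find_key_identifier_errors(lines):
    """Return {logger: [timestamps]} for ERROR records that carry the signature."""
    hits = {}
    for rec in parse_records(lines):
        if rec["level"] == "ERROR" and any(SIGNATURE in b for b in rec["body"]):
            hits.setdefault(rec["logger"], []).append(rec["time"])
    return hits

# Constructed sample: abridged from the excerpt above, plus one invented INFO record
SAMPLE_LOG = f"""\
03/27/2019 05:36:47.900 INFO (default task-12) [com.example.Unrelated]
Constructed unrelated message
03/27/2019 05:36:48.196 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
{SIGNATURE}
03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider]
{SIGNATURE}
03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData]
com.aveksa.server.db.PersistenceException:
{SIGNATURE}
  at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185)
"""

if __name__ == "__main__":
    for logger, times in find_key_identifier_errors(SAMPLE_LOG.splitlines()).items():
        print(logger, len(times), times[0].isoformat())
```

To scan a real log, pass an open file object for aveksaServer.log to find_key_identifier_errors instead of the sample.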

 
Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. See RSA Knowledge Base Article 000039236 -- Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle for more information.

This issue occurs when RSA Identity Governance & Lifecycle has been upgraded to version 7.2.0 from a previous version and the server and client certificates have not been regenerated.
 
Regenerate the server and client certificates as instructed in RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.
 
000039237
Diane McCoy
8/14/2020 11:15 PM