000038346 - After installing new server certificate into certificate store, RSA Archer services fail to start: Found multiple X.509 certificates

Document created by RSA Customer Support Employee on Jan 17, 2020

Article Content

Article Number: 000038346
Applies To: RSA Product Set: RSA Archer
RSA Version/Condition: 6.5, 6.6, 6.7
Platform: Windows
Issue: After installing a new certificate into the certificate store, most Archer services fail to start with the error: The service started and then stopped.

Additionally, the following error is logged for the RSA Archer Configuration Service:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
  <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
    <EventID>0</EventID>
    <Type>3</Type>
    <SubType Name="Error">0</SubType>
    <Level>2</Level>
    <TimeCreated SystemTime="2020-01-13T15:34:36.9681801Z" />
    <Source Name="Archer.NET" />
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
    <Execution ProcessName="ArcherTech.Services.ConfigurationService" ProcessID="8032" ThreadID="6" />
    <AssemblyVersion>6.7.200.1021</AssemblyVersion>
    <Channel />
    <Computer>(server)</Computer>
  </System>
  <ApplicationData>
    <TraceData>
      <DataItem>
        <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
          <TraceIdentifier>Archer.NET</TraceIdentifier>
          <Description>Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'RSA Archer Configuration'. Provide a more specific find value.</Description>
          <AppDomain>ArcherTech.Services.ConfigurationService.exe</AppDomain>
          <Exception>
            <ExceptionType>System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
            <Message>Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'RSA Archer Configuration'. Provide a more specific find value.</Message>
            <Source>System.ServiceModel</Source>
            <StackTrace>   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Security.X509CertificateInitiatorServiceCredential.SetCertificate(StoreLocation storeLocation, StoreName storeName, X509FindType findType, Object findValue)
   at System.ServiceModel.Configuration.X509ClientCertificateCredentialsElement.ApplyConfiguration(X509CertificateInitiatorServiceCredential creds)
   at System.ServiceModel.Configuration.X509InitiatorCertificateServiceElement.ApplyConfiguration(X509CertificateInitiatorServiceCredential cert)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.ApplyConfiguration(ServiceCredentials behavior)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.CreateBehavior()
   at System.ServiceModel.Description.ConfigLoader.LoadBehaviors[T](ServiceModelExtensionCollectionElement`1 behaviorElement, KeyedByTypeCollection`1 behaviors, Boolean commonBehaviors)
   at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action`1 addBaseAddress, Boolean skipHost)
   at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection)
   at System.ServiceModel.ServiceHostBase.ApplyConfiguration()
   at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)
   at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
   at ArcherTech.Configuration.ServiceHostFactory.GetServiceHost(Type serviceHostType)
   at ArcherTech.Services.ConfigurationService.ConfigurationService.StartService()</StackTrace>
          </Exception>
        </TraceRecord>
      </DataItem>
    </TraceData>
  </ApplicationData>
</E2ETraceEvent>
Cause: If a certificate whose subject is similar, but not necessarily identical, to the subject of the certificate selected for the RSA Archer Services during Archer installation is installed into the certificate store, the RSA Archer Services will fail to start.

Example:
  • Certificate #1: contains Subject value string "Digitally Signed RSA Archer Configuration Certificate"
  • Certificate #2: contains Subject value string "RSA Archer Configuration"

The services fail to start because the search for the subject of the certificate selected during installation matches both certificates (FindBySubjectName performs a substring match on the subject), and the service cannot determine which one to use. By default, it searches for "RSA Archer Configuration".
Resolution: This defect will be fixed in a later release.
Workaround: The value that Archer uses to search for the certificate is specified in the RSA Archer Configuration Service configuration file (out-of-the-box location):
C:\Program Files\RSA Archer\Services\ArcherTech.Services.ConfigurationService.exe.config

Note: the findValue may be environment-specific.

Example:

<certificate findValue="RSA Archer Configuration" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />


The following PowerShell command lists the certificates in the certificate store and their subjects.

Get-ChildItem -path cert:\LocalMachine\My
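To see exactly which certificates the service's lookup matches, the following PowerShell script (added here; it is not part of the article or an Archer tool) reads the certificate element from the configuration file and repeats the same X509Store lookup that WCF performs, then lists every match. It assumes the out-of-the-box configuration file path shown above.

```powershell
# Added diagnostic, not Archer's own tooling. Reads the <certificate> element from the
# Configuration Service config file and repeats the lookup WCF performs at startup
# (X509Store.Certificates.Find with FindBySubjectName, a case-insensitive substring match
# on the subject). More than one match reproduces the "Found multiple X.509 certificates" error.
# Assumption: the config file is at the out-of-the-box location quoted in the article.
param(
    [string]$ConfigPath = 'C:\Program Files\RSA Archer\Services\ArcherTech.Services.ConfigurationService.exe.config'
)

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
# Match every <certificate findValue="..."> element wherever it sits under system.serviceModel,
# so the script does not depend on the exact behavior name used in the file.
$certElements = $config.SelectNodes('//certificate[@findValue]')
if ($certElements.Count -eq 0) { throw "No <certificate findValue=...> element found in $ConfigPath" }

foreach ($el in $certElements) {
    $findValue = $el.findValue
    $findType  = [System.Security.Cryptography.X509Certificates.X509FindType]$el.x509FindType
    $storeName = $el.storeName
    $storeLoc  = [System.Security.Cryptography.X509Certificates.StoreLocation]$el.storeLocation

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $storeLoc)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false mirrors WCF: expired or untrusted certificates still count as matches.
        $found = $store.Certificates.Find($findType, $findValue, $false)
    } finally {
        $store.Close()
    }

    Write-Host "findValue '$findValue' ($findType) in $storeLoc\$storeName matched $($found.Count) certificate(s)"
    $found | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey | Format-Table -AutoSize

    if ($found.Count -gt 1) {
        Write-Warning "Ambiguous match: the Configuration Service will throw 'Found multiple X.509 certificates'. Identify the certificate Archer was installed with, then export and remove the other(s) as described in the workaround steps."
    } elseif ($found.Count -eq 0) {
        Write-Warning "No certificate matched '$findValue'; the service will also fail to start."
    }
}
```

Run it in an elevated PowerShell session on each Archer server, since the LocalMachine store requires administrative rights to enumerate private-key details.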

Important: At this point, if you are not able to determine which certificate is being used by the Archer Services and which is the other certificate that was recently added, then contact Archer Support for assistance.
 
  1. Export / back up the recently added certificate to a file:
    1. Open mmc.exe
    2. Add the "Certificates" snap-in
    3. Select "Computer Account"
    4. Select "Local Computer"
    5. Click OK
    6. Expand Certificates on the left
    7. Expand Personal on the left
    8. Expand Certificates on the left
    9. Locate the certificate
    10. Export it to a file, including the private key
  2. Remove the certificate that is NOT used by the RSA Archer Services: the recently added one whose subject name is similar to the one the RSA Archer Services use.
  3. Restart the Archer services.
  4. Repeat steps 1-3 on each Archer server, as applicable.
