000038748 - Failed to process CT_KIP clientNonceRequest error when trying to import an RSA SecurID software token using CT-KIP for RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Apr 20, 2020
Version 1

Article Content

Article Number: 000038748
Applies To:
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
 
Issue
When end users try to import an RSA SecurID software token to their device using CT-KIP, the import fails. The end user sees the following error:

Token import failed. Verify that the information entered is correct or contact your administrator.

The System Activity Monitor shows the following errors while trying to import the token:



Administrator “SYSTEM” attempted to execute command “com.rsa.authmgr.internal.ctkip.command.ProcessCTKIPClientRequestCommand”

<EJB exception occurred during invocation from home or business: com.rsa.command.CommandServerEjb30_vraifm_Intf generated exception: com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR

Caused by: com.rsa.common.SystemException: com.rsa.common.SystemException: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.common.SystemException:
com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort>

Cause
There is an issue with the defaultRSAToolbar certificate and key pair that was initially provided within the original license .zip file. All licenses that are stored on myRSA.com are now updated with a new certificate and key pair. These new files can be installed on RSA Authentication Manager and used for the CT-KIP deployment.
 
Resolution
  1. Download a new copy of your RSA Authentication Manager license from https://my.rsa.com/. Follow the steps in 000038632 - Downloading RSA Authentication Manager license files or RSA Software token seed records.

Since all of the license files available on myRSA have been updated, you must download the new license, even if you have an old copy of the license files stored locally.

  2. Create a Backup Using Back Up Now.
  3. Enable SSH on the primary RSA Authentication Manager server.
  4. Using WinSCP, copy the defaultRSAToolbar.cer and defaultRSAToolbar.key from the newly downloaded license to /tmp on the primary RSA Authentication Manager server.
  5. Launch an SSH client, such as PuTTY.
  6. Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.

During Quick Setup another username may have been selected. Use that username to log in.

login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am

  7. Get the database password. The password string is different for each deployment of RSA Authentication Manager.

rsaadmin@primary:> /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: u2Z8iMYLWmaT2hgdIdNUjBLFKiMnJw

  8. Capture the com.rsa.db.dba.password value from the output above, then use it to access the database:

rsaadmin@primary:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password from above>

  9. Run the following SQL statement:

DELETE FROM rsa_rep.ims_config_value WHERE name LIKE '%ctkip.service.keystore%';

  10. Exit the database by typing \q, then run the following commands:

rsaadmin@primary:> cd /opt/rsa/am/utils
rsaadmin@primary:> ./rsautil install-ctkip-keystore -l /tmp -k defaultRSAToolbar.key -c defaultRSAToolbar.cer

  11. Restart the RSA Authentication Manager services:

rsaadmin@primary:> cd /opt/rsa/am/server
rsaadmin@primary:> ./rsaserv restart all
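
A pre-flight check for the copied files, as an added example that is not part of the original article or RSA's tooling: it confirms that defaultRSAToolbar.key is the private key for defaultRSAToolbar.cer and that the certificate has not expired, before the old keystore configuration is deleted and rsautil install-ctkip-keystore is run. It assumes openssl is available on the host, that the files are PEM or DER encoded, and that the key is not passphrase-protected; the function names and exit codes are illustrative.

```shell
#!/bin/sh
# Added example (not RSA's tooling): pre-flight check of the CT-KIP pair.
# Assumptions: openssl is on PATH, the files are PEM or DER encoded, and
# the private key is not passphrase-protected. These are generic sanity
# checks; the article does not say what was wrong with the original pair.

# Print the public key held in a certificate (tries PEM, then DER).
cert_pubkey() {
    openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# Print the public key derived from a private key (tries PEM, then DER).
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -inform PEM -passin pass: -pubout 2>/dev/null ||
        openssl pkey -in "$1" -inform DER -passin pass: -pubout 2>/dev/null
}

# Succeed if the certificate is still inside its validity period.
cert_not_expired() {
    openssl x509 -in "$1" -inform PEM -noout -checkend 0 >/dev/null 2>&1 ||
        openssl x509 -in "$1" -inform DER -noout -checkend 0 >/dev/null 2>&1
}

# Exit codes: 0 ok, 2 file missing, 3 key/cert mismatch,
#             4 unparseable input, 5 certificate expired.
check_ctkip_pair() {
    cert=$1
    key=$2
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "missing: $cert or $key" >&2; return 2
    fi
    cpub=$(cert_pubkey "$cert") || { echo "cannot parse $cert" >&2; return 4; }
    kpub=$(key_pubkey "$key") || { echo "cannot parse $key" >&2; return 4; }
    if [ "$cpub" != "$kpub" ]; then
        echo "MISMATCH: $key is not the private key for $cert" >&2; return 3
    fi
    cert_not_expired "$cert" || { echo "expired: $cert" >&2; return 5; }
    echo "OK: $cert and $key match and the certificate is unexpired"
}

# Run only when called with two paths, e.g.:
#   sh check_ctkip_pair.sh /tmp/defaultRSAToolbar.cer /tmp/defaultRSAToolbar.key
if [ "$#" -eq 2 ]; then
    check_ctkip_pair "$1" "$2"
fi
```

Run it on the primary after copying the files to /tmp and before deleting the existing ctkip.service.keystore rows. Once the keystore install has succeeded, delete the copied private key from /tmp so it does not remain in a shared directory.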
