on Aug 15, 2020Article Content
| Article Number | 000039237 |
| Applies To | RSA Product Set: RSA Identity Governance & Lifecycle RSA Version/Condition: 7.2.0 |
| Issue | Multiple Remote AFX Server failures may occur after upgrading to RSA Identity Governance & Lifecycle 7.2.0. SYMPTOMS:
 Clicking OK to save the definition results in the following error: Unable to save Server  In all these cases, the common denominator is the following error logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log): 03/27/2019 05:36:48.196 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager] Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same 03/27/2019 05:36:48.197 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager] Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same 03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider] Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same 03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData] com.aveksa.server.db.PersistenceException: Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185) at com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData.handleSubmit(BaseEditServerAgentPageData.java:101) at com.aveksa.afx.ui.pages.agent.edit.CreateServerAgentPageData.handleSubmit(CreateServerAgentPageData.java:30) at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45) at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:605) at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340) at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271) at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:186) at com.aveksa.gui.core.MainManager.doGet(MainManager.java:130) at com.aveksa.gui.core.MainManager.doPost(MainManager.java:428) at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:62) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.) |
| Cause | Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. See RSA Knowledge Base Article 000039236 -- Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle for more information. This issue occurs after an RSA Identity Governance & Lifecycle upgrade to version 7.2.0 from a previous version and the server and client certificates have not been regenerated. |
| Resolution | Regenerate the server and client certificates as instructed in RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle. |