000039237 - Multiple Remote AFX Server Failures caused by 'Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same' after upgrading to version 7.2.0 of RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Aug 15, 2020Last modified by RSA Customer Support Employee on Aug 15, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000039237
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
 
IssueMultiple Remote AFX Server failures may occur after upgrading to RSA Identity Governance & Lifecycle 7.2.0.

SYMPTOMS:
  1. Remote AFX Servers go into a Not Running state in the user interface (AFX > Servers).
  2. Download Server Archive for Remote AFX Servers fails to download (AFX > Servers > {AFX Server name} > Download Server Archive). The AFX tab may become inaccessible after such an attempt.
  3. When attempting to create a remote AFX Server (AFX > Servers > Create Server), the Server definition cannot be saved and the remote AFX Server cannot be created.
 

User-added image



Clicking OK to save the definition results in the following error:

 

Unable to save Server
 


User-added image



In all these cases, the common denominator is the following error logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
 
03/27/2019 05:36:48.196 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.197 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData]
com.aveksa.server.db.PersistenceException:
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
  at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185)
  at com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData.handleSubmit(BaseEditServerAgentPageData.java:101)
  at com.aveksa.afx.ui.pages.agent.edit.CreateServerAgentPageData.handleSubmit(CreateServerAgentPageData.java:30)
  at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
  at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:605)
  at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
  at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
  at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:186)
  at com.aveksa.gui.core.MainManager.doGet(MainManager.java:130)
  at com.aveksa.gui.core.MainManager.doPost(MainManager.java:428)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
  at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
  at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:62)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
  at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
  at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
  at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)



Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)


 
CauseStarting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. See RSA Knowledge Base Article 000039236 -- Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle for more information.

This issue occurs after an RSA Identity Governance & Lifecycle upgrade to version 7.2.0 from a previous version and the server and client certificates have not been regenerated.
 
ResolutionRegenerate the server and client certificates as instructed in RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.
 

Attachments

    Outcomes