000016502 - RKM Java Client: com.rsa.kmc.AccessDeniedException: Access Denied

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000016502
Applies To: RSA Key Manager Server
RSA Key Manager Java Client 2.x or later
Issue: RKM Java Client: com.rsa.kmc.AccessDeniedException: Access Denied

Client Console output:

Exception in thread "main" com.rsa.kmc.AccessDeniedException: Access Denied
        at com.rsa.kmc.x.ai.a(Unknown Source)
        at com.rsa.kmc.x.ai.a(Unknown Source)
        at com.rsa.kmc.x.Y.a(Unknown Source)
        at com.rsa.kmc.x.I.c(Unknown Source)
        at com.rsa.kmc.x.I.a(Unknown Source)
        at com.rsa.kmc.x.I.getKeyByKeyClassName(Unknown Source)
        at com.rsa.kmc.x.I.encrypt(Unknown Source)


Client log:

11 Nov 2008 14:48:44,009  INFO main - 1.2: Loaded client certificate: res.cert.issuer[0]=CN=Root CA, OU=CA, O=Test, L=Bedford, ST=MA, C=US, res.cert.serial[0]=9
11 Nov 2008 14:48:44,013  INFO main - 1.4: Loaded server certificateres.cert.issuer[0]=CN=Root CA, OU=CA, O=Test, L=Bedford, ST=MA, C=US, res.cert.serial[0]=0
11 Nov 2008 14:48:44,016  INFO main - 1.1: Client initialized with following properties,
Host: rkm002.domain.com
Port: 443
Client Key Store Type: PKCS12
Server Key Store Type: jks
Cache Mode: Memory
If an appropriate type of cache is configured, the following cache attributes will be used:
Cache Location: /home/tcydev0/keycache.kmc
Cache Max Size: 100
Cache Max time to live (secs): 120
Cache Sync Interval (secs): 30
Server Retry Count: 3
Server Retry Delay (millisecs): 5000
Server SSL Connect Timeout (millisecs): 10000
Server SSL Read Connect Timeout (millisecs): 5000
Proxy Server Host:
Proxy Server Port: 0
11 Nov 2008 14:48:44,246  INFO main - 2.1: Connected to server: dev.net.name[0]=rkm002.domain.com, dev.net.port[0]=443
11 Nov 2008 14:48:44,286  ERROR main - 2.2: Error connecting to server, Access Denied: dev.net.host[0]=rkm002.domain.com,
11 Nov 2008 14:48:44,287  ERROR main - 5.3: Error accessing key by key class name with parameter TestKeyClass, Access Denied, res.cert.serial[0]=9, res.cert.issuer[0]=CN=Root OU=CA, O=Test, L=Bedford, ST=MA, C=US 

Resolution: An Access Denied error indicates that no Identity associated with the certificate in the client's PKCS #12 file has access to that Key Class. Either the Identity on the RKM Server was set up with the certificate from a different PKCS #12 file, or no Identity that can access that Key Class was created on the RKM Server.
Check whether the Identity has access to that Key Class in the RKM Server administration console. Click the Key Classes tab, locate the row for the Key Class, click the name of the Identity Group, and click View Identities. If the Identity name is not listed, add it to the Identity Group: click the Identities tab, click the Identity name, select the name of the Identity Group (hold the Ctrl key while clicking to select more than one Identity Group), and click Update. While on this screen, you can also check that the certificate details match the certificate in the client credential file (clientCredentialFile on C Clients or pki.client_keystore_file on Java Clients).
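As an added example (not RSA's code and not part of this article), the following Python script pulls the presented certificate's issuer and serial and the denied Key Class out of client log lines like those shown above and compares them with a stand-in for the console's Identity records, so you know which Identity and Identity Group to look at before opening the console. The log sample, the Identity names and their Key Class sets are constructed assumptions; the console offers no such export and the values are made up to mirror the log above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the client log quoted above (not the article's own output).
SAMPLE_LOG = """\
11 Nov 2008 14:48:44,009  INFO main - 1.2: Loaded client certificate: res.cert.issuer[0]=CN=Root CA, OU=CA, O=Test, L=Bedford, ST=MA, C=US, res.cert.serial[0]=9
11 Nov 2008 14:48:44,286  ERROR main - 2.2: Error connecting to server, Access Denied: dev.net.host[0]=rkm002.domain.com,
11 Nov 2008 14:48:44,287  ERROR main - 5.3: Error accessing key by key class name with parameter TestKeyClass, Access Denied, res.cert.serial[0]=9, res.cert.issuer[0]=CN=Root CA, OU=CA, O=Test, L=Bedford, ST=MA, C=US
"""
# Constructed stand-in for the console's Identities tab: each Identity's certificate issuer and
# serial, plus the Key Classes its Identity Groups grant. Names and values are made up.
CONSOLE_IDENTITIES = [
    {"name": "app-prod", "issuer": "CN=Root CA, OU=CA, O=Test, L=Bedford, ST=MA, C=US",
     "serial": "7", "key_classes": {"TestKeyClass"}},
    {"name": "app-dev", "issuer": "CN=Root CA, OU=CA, O=Test, L=Bedford, ST=MA, C=US",
     "serial": "9", "key_classes": {"OtherKeyClass"}},
]
# Message code (1.2, 2.2, 5.3 ...) and message text of one log line.
LINE_RE = re.compile(r'^\d{2} \w{3} \d{4} [\d:,]+\s+\w+\s+\S+ - (?P<code>\d+\.\d+): (?P<msg>.*)$')
# A key such as res.cert.issuer[0] starts each attribute and the value runs until the next key.
# Splitting on commas alone would shred the DN, which contains commas itself.
ATTR_RE = re.compile(r'((?:[a-z]+\.)+[a-z_]+\[\d+\])=')

def parse_attrs(msg: str) -> Dict[str, str]:
    parts = ATTR_RE.split(msg)  # [free text, key, value, key, value, ...]
    return {parts[i]: parts[i + 1].strip().rstrip(',').strip() for i in range(1, len(parts) - 1, 2)}

def events_by_code(text: str) -> Dict[str, Dict[str, str]]:
    out = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        out[m["code"]] = {"msg": m["msg"], **parse_attrs(m["msg"])}
    return out

def diagnose(log_text: str, identities: List[Dict]) -> Dict[str, Optional[str]]:
    """Extract the presented certificate and denied Key Class, then pick the article's cause."""
    ev = events_by_code(log_text)
    if "1.2" not in ev or "5.3" not in ev:
        return {"cause": "log lacks the 1.2 (certificate loaded) or 5.3 (key access) event"}
    issuer, serial = ev["1.2"]["res.cert.issuer[0]"], ev["1.2"]["res.cert.serial[0]"]
    kc = re.search(r'with parameter (\S+?),', ev["5.3"]["msg"]).group(1)
    ident = next((i for i in identities if i["issuer"] == issuer and i["serial"] == serial), None)
    if ident is None:
        cause = "no Identity is registered for this certificate; check which PKCS #12 file the client loads"
    elif kc not in ident["key_classes"]:
        cause = f"Identity {ident['name']} exists but no Identity Group it belongs to grants {kc}"
    else:
        cause = "Identity and Key Class access look consistent; the denial lies elsewhere"
    return {"issuer": issuer, "serial": serial, "key_class": kc,
            "identity": ident["name"] if ident else None, "cause": cause}
```

Point the script at the real client log and at the issuer, serial and Identity Group data read off the console's Identities and Key Classes tabs; the cause it reports tells you which of the two corrective steps above applies.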
Notes: Make sure client authentication is set up properly by browsing to the RKM Server URL that the client uses (e.g. https://servername.domain.com/provider for RKM 1.5 Clients, https://servername.domain.com/crow for RKM 2.5.x Clients, or https://servername.domain.com/emu for RKM 2.7.x or later Clients). Import the client's PKCS #12 file into a Web browser and then open the RKM Server URL; if client authentication is set up correctly, a certificate prompt appears offering the client certificate for selection.
Legacy Article ID: a43014