000016533 - How to get more verbose logs for CMP Server in RSA Certificate Manager

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016533
Applies To: RSA Certificate Manager 6.9
Certificate Management Protocol (CMP)
Issue: How to get more verbose logs for CMP Server in RSA Certificate Manager
Detailed logging for CMP Server
Resolution: To get more verbose logging for the Certificate Management Protocol (CMP) Server, update the following configuration file (and then restart RCM services):
  RSA_CM/CmpServer/conf/cmp.conf
Set the following parameters in cmp.conf as shown:
  loglevel=3
  tracedetail=high
The CMP Server logs are found in the following locations:
-  RSA_CM/CmpServer/bin/cmptrace.log   (if tracefile in cmp.conf is set to the default "cmptrace.log")
-  /var/log/messages  (syslog logfile on Linux/Solaris platforms)
-  Windows Event Viewer Application logs on Windows platforms
In addition to the logs generated by RCM CMP Server, using tools such as Wireshark or tcpdump to capture network packets can be helpful in troubleshooting CMP messages (sent between CMP Client and CMP Server) at the protocol level.
For example, network packets captured by Wireshark and saved to a file, say testcapture.pcap, can be reviewed for CMP transactions as follows:
  - Open the testcapture.pcapng file in Wireshark.
  - Select an HTTP row that carries a CMP transaction over HTTP, right-click it, and select Decode As (HTTP).
  - Apply CMP as the filter; Wireshark then shows the CMP messages.
Here's an example of what a CMP transaction may look like:
No.     Time                       Source                Destination           Protocol Length Info
     20 2013-05-30 10:27:18.578356 100.101.44.88         100.101.44.143        CMP      316    PKIXCMP Status=rejection Body=error
Certificate Management Protocol
    header
        pvno: cmp2000 (2)
        sender: 4
        recipient: 4
        protectionAlg (PasswordBasedMac)
        senderKID: 31
        transactionID: 876e32d1819e9ddf
        senderNonce: e99c236487e9b0f5150d03f6ee810112
        recipNonce: 01000080feffffff0100008001000080
    body: error (23)
        error
            pKIStatusInfo
                status: rejection (2)
                statusString: 1 item
                    PKIFreeText item: Response for Polling request from CA contains invalid DER encoding
                Padding: 5
                failInfo: 20 (badRequest)
                    0... .... = badAlg: False
                    .0.. .... = badMessageCheck: False
                    ..1. .... = badRequest: True
                    ...0 .... = badTime: False
                    .... 0... = badCertId: False
                    .... .0.. = badDataFormat: False
                    .... ..0. = wrongAuthority: False
                    .... ...0 = incorrectData: False
                    0... .... = missingTimeStamp: False
                    .0.. .... = badPOP: False
                    ..0. .... = certRevoked: False
                    ...0 .... = certConfirmed: False
                    .... 0... = wrongIntegrity: False
                    .... .0.. = badRecipientNonce: False
                    .... ..0. = timeNotAvailable: False
                    .... ...0 = unacceptedPolicy: False
                    0... .... = unacceptedExtension: False
                    .0.. .... = addInfoNotAvailable: False
                    ..0. .... = badSenderNonce: False
                    ...0 .... = badCertTemplate: False
                    .... 0... = signerNotTrusted: False
                    .... .0.. = transactionIdInUse: False
                    .... ..0. = unsupportedVersion: False
                    .... ...0 = notAuthorized: False
                    0... .... = systemUnavail: False
                    .0.. .... = systemFailure: False
                    ..0. .... = duplicateCertReq: False
    Padding: 0
    protection: 82d1134600d67ff24f2c52a0c922dbd8ee911c40
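
The failInfo field in the trace above is an ASN.1 BIT STRING. The following added example (not part of the original article or of RSA Certificate Manager) decodes one from its DER bytes into the flag names listed in the dissection; the function name decode_fail_info and the sample bytes are constructed for illustration.

```python
# Added example: decode a CMP PKIFailureInfo BIT STRING into flag names.
# Flag names and their order follow the Wireshark dissection shown above.
FAIL_INFO_BITS = [
    "badAlg", "badMessageCheck", "badRequest", "badTime", "badCertId",
    "badDataFormat", "wrongAuthority", "incorrectData", "missingTimeStamp",
    "badPOP", "certRevoked", "certConfirmed", "wrongIntegrity",
    "badRecipientNonce", "timeNotAvailable", "unacceptedPolicy",
    "unacceptedExtension", "addInfoNotAvailable", "badSenderNonce",
    "badCertTemplate", "signerNotTrusted", "transactionIdInUse",
    "unsupportedVersion", "notAuthorized", "systemUnavail", "systemFailure",
    "duplicateCertReq",
]


def decode_fail_info(der: bytes) -> list[str]:
    """Return the names of the bits set in a DER-encoded PKIFailureInfo."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING (expected tag 0x03)")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length is not expected for failInfo")
    if length < 1 or length != len(der) - 2:
        raise ValueError("length octet does not match the content size")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    names = []
    total_bits = len(payload) * 8 - unused
    for bit in range(total_bits):
        # ASN.1 bit 0 is the most significant bit of the first octet.
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            names.append(FAIL_INFO_BITS[bit] if bit < len(FAIL_INFO_BITS)
                         else f"unknownBit{bit}")
    return names


# Constructed sample: tag 0x03, length 2, 5 unused bits, content 0x20,
# consistent with "Padding: 5" and "failInfo: 20" in the trace above.
SAMPLE = bytes.fromhex("03020520")

if __name__ == "__main__":
    print(decode_fail_info(SAMPLE))
```
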
Legacy Article ID: a61614
