000031584 - Identity not found for certificate

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000031584
Applies To: RSA Product Set: Data Protection Manager
RSA Product/Service Type: Data Protection Manager Server; Data Protection Manager Appliance
RSA Version/Condition: 3.5.x
Issue: Errors similar to the following will appear in the DPM logs:
07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Identity not found for certificate: com.rsa.keymanager.core.identity.DefaultCertificate@1f35ae13
07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Error during transaction: com.rsa.keymanager.server.access.error.DefaultShampooAuthenticationErrorHandler

The exact format of the message will vary somewhat depending on the type of Application Server in use for DPM Server, or whether it is a DPM Appliance. However, the key indicator of this issue is the phrase "Identity not found for certificate".
Cause: The errors in the log indicate that a DPM client is trying to connect to the DPM server (or appliance), but the DPM server is rejecting the connection request because it has no Identity configured for the digital certificate that the client presents as part of its connection request.
Typical reasons for this are:
  • a required client has not been configured correctly (either Identity not configured correctly or the client has been configured with the wrong digital certificate), or
  • an old/unrequired client has been left running and is still trying to connect but its identity has been deleted from DPM server/appliance, or
  • a fraudulent client is trying to connect, or
  • a DPM node has been removed from the cluster, but is still running/operational and clients are still sending to it (the errors appear in the old node's log)
Resolution:
  1. Identify the DPM client that is affected by this problem.
    • Usually the IP address of the client is logged with the event message. If it is not shown (as in the example messages above), you should be able to adjust the logging options in DPM's Application Server (WebLogic/WebSphere/Tomcat) to include the client IP address with the logged event message. Alternatively, you can correlate the Application Server event messages with events in the Web Server (httpd/IIS/IHS) access log, matching on timestamp, to determine the IP address of the client.
  2. When you have identified the client with this problem, take appropriate action depending on the reason for the issue:
  • If the client is not entitled to connect to DPM, take appropriate steps to disable or block the client.
  • If the client is entitled to connect to DPM, check whether an Identity has been configured for it on the DPM server/appliance. If no Identity has been configured, create one and load the client's digital certificate into it. If an Identity is already configured for the client, compare the digital certificates configured in the Identity and in the client to determine which is the correct (unexpired) one to use; then either change the client's configuration to use the same certificate that is configured for the Identity, or update the Identity by uploading into it the digital certificate that is configured in the client.
  • If the client is connecting to an old DPM node, shut down that node and/or adjust the load balancer or client configuration to ensure the client only attempts to connect to live DPM node(s) in the cluster.
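The log correlation described in step 1 (matching "Identity not found for certificate" events in the Application Server log against the Web Server access log by timestamp) can be scripted. The following is an added example written for this article, not RSA code: it parses the two log formats, lists the client IPs that hit the web server within a short window of each error, and counts how often each IP recurs across errors, since a single error is usually ambiguous but repeated errors narrow the culprit down. The first two DPM log lines are the ones quoted above; the third error line, the Apache Common Log Format access-log lines, the IP addresses and the /kms/ path are constructed sample data, and the script assumes both logs are written in the same local time zone.

```python
import re
from datetime import datetime, timedelta

# DPM application-server log. The first two lines are the article's own example;
# the third is a constructed repeat of the same error two minutes later.
DPM_LOG = """\
07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Identity not found for certificate: com.rsa.keymanager.core.identity.DefaultCertificate@1f35ae13
07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Error during transaction: com.rsa.keymanager.server.access.error.DefaultShampooAuthenticationErrorHandler
07 Oct 2015 10:53:02,118 1444229582118 ERROR [ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Identity not found for certificate: com.rsa.keymanager.core.identity.DefaultCertificate@1f35ae13
"""

# Constructed Apache httpd access log (Common Log Format) from the web server in
# front of the application server. IPs (RFC 5737 test range) and path are made up.
ACCESS_LOG = """\
192.0.2.10 - - [07/Oct/2015:10:51:34 +0000] "POST /kms/ HTTP/1.1" 200 512
192.0.2.25 - - [07/Oct/2015:10:51:34 +0000] "POST /kms/ HTTP/1.1" 200 0
192.0.2.10 - - [07/Oct/2015:10:52:10 +0000] "POST /kms/ HTTP/1.1" 200 640
192.0.2.25 - - [07/Oct/2015:10:53:02 +0000] "POST /kms/ HTTP/1.1" 200 0
192.0.2.10 - - [07/Oct/2015:10:53:40 +0000] "POST /kms/ HTTP/1.1" 200 640
"""

# Timestamp (to the second), then the key phrase and the certificate object name.
ERROR_RE = re.compile(
    r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),\d{3} .*Identity not found for certificate: (\S+)"
)
# Client IP, timestamp (time zone discarded), request line, HTTP status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "([^"]*)" (\d{3})')


def parse_identity_errors(text):
    """Return (timestamp, certificate) for each 'Identity not found' line."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def parse_access_log(text):
    """Return (timestamp, client_ip, request, status) for each access-log line."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            entries.append((ts, m.group(1), m.group(3), int(m.group(4))))
    return entries


def correlate(errors, access, window=timedelta(seconds=2)):
    """For each identity error, list the client IPs whose web-server requests fall
    within `window` of the error, nearest first."""
    results = []
    for ts, cert in errors:
        candidates = sorted(
            (abs((a_ts - ts).total_seconds()), ip, status)
            for a_ts, ip, _req, status in access
            if abs(a_ts - ts) <= window
        )
        results.append({"time": ts, "certificate": cert,
                        "candidates": [(ip, status) for _d, ip, status in candidates]})
    return results


def suspect_ips(results):
    """Count how often each candidate IP coincides with an identity error; the IP
    that recurs across the most errors is the one to investigate first."""
    counts = {}
    for r in results:
        for ip, _status in r["candidates"]:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = correlate(parse_identity_errors(DPM_LOG), parse_access_log(ACCESS_LOG))
    for r in results:
        print(r["time"], r["certificate"], "->", r["candidates"])
    print("suspects:", suspect_ips(results))
```

On the constructed data the first error coincides with requests from two clients and cannot be attributed on its own, but the second error coincides only with 192.0.2.25, which therefore tops the suspect list. In practice the window should match the proxy latency between the web server and the application server, and the resulting IP still has to be checked against the Identity configuration before deciding which of the cases in step 2 applies.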