000011947 - Unable to connect to admin interface using ActivClient smart card after upgrading, error 'The page cannot be displayed'

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000011947
Applies To: RSA Certificate Manager 6.9
Microsoft Windows 2008 R2 64-bit
ActivIdentity ActivClient (smart card middleware) 6.1
Issue: Unable to connect to admin interface using ActivClient smart card after upgrading, error "The page cannot be displayed"
RSA_CM\WebServer\logs\renewal-cipher.log shows:

Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
RSA_CM\WebServer\logs\admin-cipher.log shows:

SSL Library Error: 336130161 error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode Browser still remembered details of a re-created server certificate?
RSA_CM\WebServer\logs\admin-cipher.log shows:

SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
Windows Event Viewer system logs show:

Error - 9/8/2012 18:11:08 - Source: Schannel - Event ID: 36887 - "The following fatal error alert was received: 20."
Error - 9/8/2012 18:11:09 - Source: Schannel - Event ID: 36887 - "The following fatal error alert was received: 40."
Error - 9/8/2012 18:11:09 - Source: Schannel - Event ID: 36887 - "The following fatal error alert was received: 40."
Error - 9/8/2012 18:11:08 - Source: Schannel - Event ID: 36887 - "The following fatal error alert was received: 40."


Note: As per http://www.eventid.net/display-eventid-36887-source-Schannel-eventno-10676-phase-1.htm, error 20 maps to TLS1_ALERT_BAD_RECORD_MAC (20) and error 40 maps to TLS1_ALERT_HANDSHAKE_FAILURE (40).
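
The following triage sketch is an added example, not RSA's code. It unpacks the decimal "SSL Library Error" numbers from the cipher logs into library, function and reason fields and tallies the Schannel alerts. It assumes the pre-3.0 OpenSSL error packing (8-bit library, 12-bit function, 12-bit reason); the function names decode_ssl_error and triage are hypothetical.

```python
import re
from collections import Counter

# Sample lines taken from the log excerpts in this article (Schannel lines abbreviated).
SAMPLE = [
    "SSL Library Error: 336130161 error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode",
    "SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:"
    "peer did not return a certificate No CAs known to server for verification?",
    'Event ID: 36887 - "The following fatal error alert was received: 20."',
    *['Event ID: 36887 - "The following fatal error alert was received: 40."'] * 3,
]

# Alert numbers and names as given in the article's note.
TLS_ALERTS = {20: "TLS1_ALERT_BAD_RECORD_MAC", 40: "TLS1_ALERT_HANDSHAKE_FAILURE"}

SSL_ERR = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):[^:]*:([^:]+):(.*)")
SCHANNEL = re.compile(r"Event ID: 36887\b.*alert was received: (\d+)")

def decode_ssl_error(line):
    """Unpack a mod_ssl error line; returns None if the line is not one."""
    m = SSL_ERR.search(line)
    if m is None:
        return None
    code = int(m.group(1))
    if code != int(m.group(2), 16):  # decimal and hex must be the same number
        raise ValueError(f"inconsistent error code in: {line!r}")
    return {
        "lib": (code >> 24) & 0xFF,    # top 8 bits: library (20 = SSL routines)
        "func": (code >> 12) & 0xFFF,  # next 12 bits: function number
        "reason": code & 0xFFF,        # low 12 bits: reason number
        "function": m.group(3),
        "no_ca_hint": "No CAs known to server" in m.group(4),
    }

def triage(lines):
    """Return decoded SSL errors and a count of Schannel alerts by name."""
    errors = [e for e in map(decode_ssl_error, lines) if e]
    alerts = Counter()
    for line in lines:
        m = SCHANNEL.search(line)
        if m:
            n = int(m.group(1))
            alerts[TLS_ALERTS.get(n, f"alert {n}")] += 1
    return errors, dict(alerts)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An entry with no_ca_hint set corresponds to the "no CAs known to server for verification" condition discussed under Cause.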
Cause: The error "no CAs known to server for verification" in some of the logs indicates that the RCM Secure Directory Server may need to be restarted.
The ActivClient middleware application needed to be upgraded to the latest 64-bit version.
Resolution: Upgrade the ActivClient smart card middleware application to the latest 64-bit version (6.2 or later) on the Windows 2008 R2 box where the browser (MSIE) is used along with the administrator certificate on the smart card. Restart RCM services.
Workaround: RSA Certificate Manager was upgraded from version 6.7 on Windows 2003 to version 6.9 build 551 on Windows 2008 R2 64-bit. Soon after the upgrade, RCM SSL keys were re-issued (through the Rekey option on the Administrator Operations workbench) and converted to nCipher PKCS#11 based keys.
Legacy Article ID: a59508
