000017175 - "KMClient: Error getting key from KMS: Error from server: Access Denied"

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017175

Applies To:
  • RSA Key Manager Server 2.1.1
  • Microsoft 2003 Server SP1
  • RSA Key Manager C Client

Issue: "KMClient: Error getting key from KMS: Error from server: Access Denied"

The KMS server is returning the following error:

       "KMClient: Error getting key from KMS: Error from server: Access Denied"


Running the test tool getKey - byKeyClass, the following error was thrown:

       Failed to retrieve key after 3 retries
       KMClient: Error getting key from KMS: Error from server: Access Denied  
       GetKey failed: Error code = 4780018

/var/log/httpd/ssl_request_log:

       TLSv1 RC4-MD5 CN=Certificate "POST /KMS/rpc/emu HTTP/1.1"

Cause: The key class on KMS is not configured to auto-generate keys.

The cipher is not supported on the Key Manager Server.

To see the list of ciphers, check the SSLCipherSuite directive in /etc/httpd/conf.d/ssl.conf on the Key.

Resolution: Verify that the KeyClass exists and that a key has been generated under the KeyClass, or that auto-generate key has been enabled for testing.

Validate that the cipher being used is supported. If it is supported, check enableFIPS (by default FIPS is set to true) in the client configuration file. The RC4-MD5 cipher is not FIPS approved.

Notes: To change the client certificate to be FIPS, check primus solution a58296: How to recreate a PKCS#12 and/or to change PKCS#12 password?

Legacy Article ID: a43585
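
The cipher check can be scripted. The following is an added example, not part of the original article or of RSA tooling: it reads ssl_request_log lines shaped like the sample above, pulls the active SSLCipherSuite directive from ssl.conf text, and flags negotiated ciphers whose names contain algorithms that are not FIPS approved. The sample log and configuration text, the function names and the NON_FIPS_TOKENS list are assumptions made for the example.

```python
import re
from collections import Counter

# Assumption: name parts that mark algorithms outside the FIPS-approved set.
# Illustrative, not exhaustive; the FIPS module's security policy is authoritative.
NON_FIPS_TOKENS = {"RC4", "MD5", "RC2", "IDEA", "SEED", "NULL", "EXP"}

# Line shape taken from the article's sample: PROTOCOL CIPHER SUBJECT "REQUEST"
LINE_RE = re.compile(r'^\s*((?:SSL|TLS)v[\d.]+)\s+(\S+)\s+(.*?)\s+"([^"]*)"\s*$')

def active_cipher_suites(conf_text):
    """Return the values of all uncommented SSLCipherSuite directives."""
    return re.findall(r"(?im)^[ \t]*SSLCipherSuite[ \t]+(.+?)[ \t]*$", conf_text)

def non_fips_parts(cipher):
    """Return the parts of an OpenSSL cipher name found in NON_FIPS_TOKENS."""
    return sorted(set(re.split(r"[-_]", cipher.upper())) & NON_FIPS_TOKENS)

def audit(log_text):
    """Count each negotiated (protocol, cipher) pair and flag non-FIPS parts."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the expected shape
            seen[(m.group(1), m.group(2))] += 1
    return [{"protocol": p, "cipher": c, "count": n, "non_fips": non_fips_parts(c)}
            for (p, c), n in sorted(seen.items())]

# Constructed sample input; the first log line is the one quoted in the article.
SAMPLE_LOG = '''
       TLSv1 RC4-MD5 CN=Certificate "POST /KMS/rpc/emu HTTP/1.1"
TLSv1 RC4-MD5 CN=Certificate "POST /KMS/rpc/emu HTTP/1.1"
TLSv1 AES256-SHA CN=Certificate "POST /KMS/rpc/emu HTTP/1.1"
'''
SAMPLE_CONF = '''
#SSLCipherSuite HIGH
SSLCipherSuite ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:+MEDIUM
'''

if __name__ == "__main__":
    for value in active_cipher_suites(SAMPLE_CONF):
        print("SSLCipherSuite:", value)
    for row in audit(SAMPLE_LOG):
        verdict = "not FIPS: " + ",".join(row["non_fips"]) if row["non_fips"] else "no flagged parts"
        print(f'{row["protocol"]} {row["cipher"]} x{row["count"]} -> {verdict}')
```

A flagged cipher in the log alongside enableFIPS set to true on the client matches the mismatch described in this article.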
