000015936 - healthCheck.do returns 'Get Key Error: 20010' and key-manager.log shows 'ClientID and Identity doesnot match'

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000015936
Applies To: RSA Key Manager Appliance 2.7 SP1
Issue:
A) healthCheck.do returns "Get Key Error: 20010" and key-manager.log shows "ClientID and Identity doesnot match"
B) When accessing health check monitoring URL (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12') on a web browser, the following page is shown:
 
0
Using init config file /tmp/16875.497.test_init.cfg
Using service config file config/test_svc.cfg
#######################################################################
Retrieving key via key class
#######################################################################
bin/get_key_by_class/get_key_by_class -init_file /tmp/16875.497.test_init.cfg -svc_file config/test_svc.cfg -key_class "healthcheck_keyclass"
Getting key by Key Class healthcheck_keyclass...
ERROR: R_KM_KEY_get_by_class by Key Class healthcheck_keyclass returned 20010
Get Key Error: 20010
DONE: 0

C) RKM Server logs, key-manager.log, shows the following corresponding exception:
 
2011-01-07 09:34:27,147 ERROR TP-Processor11 com.rsa.keymanager.server.shampoo.skeleton.KeyManagerShampooErrorHandler - NO LOG MESSAGE
au.net.netstorm.boost.primordial.PrimordialException: ClientID and Identity doesnot match
at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.checkIdentity(DefaultClientRequestHandler.java:143)
at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.getIdentityPolicy(DefaultClientRequestHandler.java:147)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.edge.java.lang.reflect.DefaultEdgeMethod.invoke(DefaultEdgeMethod.java:11)
at com.rsa.shampoo.skeleton.DefaultSkeleton.downCall(DefaultSkeleton.java:72)
at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:46)
at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:40)
at com.rsa.shampoo.skeleton.DefaultErrorSkeleton.call(DefaultErrorSkeleton.java:21)
at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:41)
at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.doCall(DefaultShampooSkeleton.java:36)
at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:30)
at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.processRequest(DefaultRpcRequestHandler.java:28)
at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.handle(DefaultRpcRequestHandler.java:22)
at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.get(ShampooServlet.java:24)
at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.post(ShampooServlet.java:20)
at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:75)
at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:55)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.auth.z.IdentityStampLayer.invoke(IdentityStampLayer.java:31)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.auth.z.PersonalityLayer.invoke(PersonalityLayer.java:53)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.call(AuthenticationServletFilter.java:71)
at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:55)
at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
at com.rsa.keymanager.server.transport.core.filter.ServerAccessibilityFilter.doFilter(ServerAccessibilityFilter.java:29)
at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.entry.TransactionLayer.invoke(TransactionLayer.java:32)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:36)
at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:30)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.entry.RequestStampLayer.invoke(RequestStampLayer.java:30)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.entry.FrozenClockLayer.invoke(FrozenClockLayer.java:33)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
at com.rsa.keymanager.core.entry.ThreadLocalGlobalsLayer.invoke(ThreadLocalGlobalsLayer.java:27)
at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
at $Proxy7.doFilter(Unknown Source)
at com.rsa.keymanager.server.transport.core.filter.EntryFilter.doFilter(EntryFilter.java:27)
at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:619)

D) Client application name (client.app_name) and id (client.app_id) in the RKM Client registration file (/opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg) used by healthCheck did not exist or could not be located on RKM Server GUI (/KMS).
Contents of test_appreg.cfg looked like the following (notice the lines in red for client.app_name and client.app_id):
 
client.policy_signature = L3i5XrUb5f2mxWQL2BtZlYSS7eHwRjqC3piwaapZvCRPZbvAoQmA/dCaSiZ2PpFUK8TEdGqkLYSArWGOKcoVRt10Eq6oMGO5PmTB3w3c72wj9ewBvkFk/dLtZB8H8FBLSgfR3Htk8OIrpEjkGcaRSgpN6AZigG/dVYOwISlcQG4=
client.applicationpolicy = 000102030405060708091011
client.rkm_svr_public_key = MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgXACydRqPnPZVO0LE/23Lsgq6FihvSfnmVHab62uVnCqmg+3VZdwC9whx+8IdtXQ0nitKjVqbHPAeFVbuEzLNzNy7boWkZZQ1iiUDrVOPVYFqfKWcehIJ1uoxRcMeNMYDp3vwPPj4KB4x8VuAONhMZP0YzpKrTPwyF5hfx5wwiwIDAQAB
client.app_name = RKMDemorkm.appliance.net2010:12:22:16:10:13
client.actmgmt_enable = 0
client.registration_state = 3
client.actmgmt_poll_interval = 0
client.app_id = 05cf24e3-c01e-4676-9b73-b0e6c35e652d-559a7cba-20b7-4021-8a02-b2429e9ded80
client.policy_name = DEFAULT_POLICY
Cause:
The exact reason why the client.app_name and client.app_id listed in test_appreg.cfg did not exist on RKM Server is not known.
One change was made to the environment: a previous certificate used with healthCheck.do had expired, and a new certificate was issued and configured with healthCheck.do (for more details, see solution RKM Appliance health check monitoring URL healthCheck.do returns 'Get Key Error: 10039').
Resolution:
Follow the steps listed below to reset the contents of test_appreg.cfg so that the RKM Client associated with healthCheck.do re-initializes it with a valid client.app_name, client.app_id, and other parameters:
1. Stop Apache web server so no RKM requests (especially healthCheck.do requests) are responded to while this issue is being fixed:
service httpd stop

2. Make a backup of the existing file /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg
3. Use vi to edit test_appreg.cfg:
vi /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg

4. Edit test_appreg.cfg so that it has the following contents (note that client.app_name must get a unique value; updating the date/time stamp is one way to do so):
client.app_name = RKMDemorkm.appliance.net2011:01:07:14:50:13
client.actmgmt_enable = 0
client.registration_state = 0
client.actmgmt_poll_interval = 0

5. Ensure that the PKCS#12 (e.g., client.p12 in the above example) is the correct one and properly configured on RKM Server GUI (/KMS)
6. Start Apache web server:
service httpd start

7. Test by accessing the health check URL in a browser (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12')
8. A successful healthCheck transaction should be reflected by:
    (a) successful get key on browser,
    (b) test_appreg.cfg updated with client.app_id and other parameters, and
    (c) a client record created on RKM Server and viewable via Clients tab
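
The file edits in steps 2 to 4 and the check in step 8(b) can be scripted. The following is an added example, not part of the original RSA article or product; the function names, the backup file suffix and the optional STAMP argument are assumptions of this example.

```shell
#!/bin/bash
# Added example. Run with Apache stopped (step 1: service httpd stop)
# and start it again afterwards (step 6: service httpd start).

# reset_appreg FILE [STAMP]
# Backs up FILE, then rewrites it with only the four lines from step 4.
# The new client.app_name keeps the old name's prefix and gets a fresh stamp.
# STAMP is a hypothetical override for the timestamp, useful for testing.
reset_appreg() {
    file=$1
    stamp=${2:-$(date +%Y:%m:%d:%H:%M:%S)}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Current name, e.g. RKMDemorkm.appliance.net2010:12:22:16:10:13
    old_name=$(sed -n 's/^client\.app_name[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
    # Strip the trailing YYYY:MM:DD:HH:MM:SS stamp to recover the prefix.
    prefix=$(printf '%s' "$old_name" | sed -E 's/[0-9]{4}(:[0-9]{2}){5}[[:space:]]*$//')
    [ -n "$prefix" ] || { echo "no client.app_name prefix in $file" >&2; return 1; }
    # The name must be unique, so refuse to reuse the old one.
    [ "$prefix$stamp" != "$old_name" ] || { echo "app_name unchanged" >&2; return 1; }

    # Step 2: keep the old registration (backup suffix is this example's choice).
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1

    # Step 4: build the new contents first, then overwrite FILE in place so its
    # owner and mode are kept (the RKM Client must still be able to update it).
    tmp="$file.tmp.$$"
    {
        printf 'client.app_name = %s\n' "$prefix$stamp"
        printf 'client.actmgmt_enable = 0\n'
        printf 'client.registration_state = 0\n'
        printf 'client.actmgmt_poll_interval = 0\n'
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "$backup"
}

# appreg_has_app_id FILE
# Step 8(b): after a successful health check, FILE contains a client.app_id.
appreg_has_app_id() {
    grep -Eq '^client\.app_id[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1"
}
```

reset_appreg prints the path of the backup it created; appreg_has_app_id returns success only once the client has re-registered and written a client.app_id back to the file.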
Notes:
For additional possible scenarios when you may get error 20010, see solution RKM: Resolve Client error 20010 and Server error 'ClientID and Identity doesnot match'
Legacy Article ID: a53533
