000029699 - "Token error" in aserver.log and "Discarding still valid key" error in dispatcher.log

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029699
Applies To: RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
Platform: Windows
O/S Version: Customer doesn't know/not sure (see notes)
Issue
The following error occurs in aserver.log:

sequence_number=43,2014-07-10 11:49:00:352 EDT,messageID=1031,user=user1,client_ip_address=10.10.10.25,client_port=58600,browser_ip_address=10.10.10.26,result_code=0,result_action=User Token Failed,result_reason=Token error

The following error occurs in dispatcher.log:

sequence_number=XX,date=xxxx-xx-xx xx:xx:xx:xxx PST,messageID=-2,event_type=Internal Error,event_description=Discarding still valid key because MAX_NUM_KEYS threshold (15) has been exceeded.
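The two log lines above are only diagnostic together: a "Token error" on its own is usually a stale cookie, while a "Token error" that coincides with a "Discarding still valid key" event points at the Key Server. The following script is an added example (not part of the article or of the RSA product) that parses the comma-separated key=value format shown above from a handful of constructed sample lines and applies that triage rule; the sample lines and the verdict strings are assumptions for illustration.

```python
from collections import Counter

# Constructed sample log lines in the key=value,key=value layout shown in the
# article (not real customer data). The aserver.log timestamp has no key.
ASERVER_LOG = """\
sequence_number=41,2014-07-10 11:48:12:101 EDT,messageID=1030,user=user1,client_ip_address=10.10.10.25,client_port=58590,browser_ip_address=10.10.10.26,result_code=0,result_action=User Authenticated,result_reason=Success
sequence_number=43,2014-07-10 11:49:00:352 EDT,messageID=1031,user=user1,client_ip_address=10.10.10.25,client_port=58600,browser_ip_address=10.10.10.26,result_code=0,result_action=User Token Failed,result_reason=Token error
sequence_number=44,2014-07-10 11:49:05:017 EDT,messageID=1031,user=user2,client_ip_address=10.10.10.27,client_port=58601,browser_ip_address=10.10.10.26,result_code=0,result_action=User Token Failed,result_reason=Token error
"""

DISPATCHER_LOG = """\
sequence_number=12,date=2014-07-10 11:48:59:900 PST,messageID=-2,event_type=Internal Error,event_description=Discarding still valid key because MAX_NUM_KEYS threshold (15) has been exceeded.
"""

STILL_VALID_KEY = "Discarding still valid key"


def parse_line(line):
    """Split one ClearTrust log line into a dict.

    Fields are comma separated; each is key=value except the bare timestamp
    that aserver.log writes as the second field, stored here as 'timestamp'.
    """
    fields = {}
    for part in line.strip().split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
        else:
            fields["timestamp"] = part
    return fields


def token_errors(aserver_text):
    """Return the parsed aserver.log events whose result_reason is 'Token error'."""
    events = (parse_line(l) for l in aserver_text.splitlines() if l.strip())
    return [e for e in events if e.get("result_reason") == "Token error"]


def keyserver_key_discards(dispatcher_text):
    """Return the dispatcher.log events that report a still-valid key being discarded."""
    events = (parse_line(l) for l in dispatcher_text.splitlines() if l.strip())
    return [e for e in events if STILL_VALID_KEY in e.get("event_description", "")]


def diagnose(aserver_text, dispatcher_text):
    """Apply the article's triage rule: token errors alone are normally stale
    cookies; token errors together with key discards mean keyserver.conf is wrong."""
    errors = token_errors(aserver_text)
    discards = keyserver_key_discards(dispatcher_text)
    if not errors:
        verdict = "no token errors"
    elif discards:
        verdict = "keyserver misconfiguration (check token_lifetime vs session_key_life)"
    else:
        verdict = "likely stale or outdated client cookies"
    return {
        "token_errors": len(errors),
        "users": Counter(e.get("user") for e in errors),
        "key_discards": len(discards),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(ASERVER_LOG, DISPATCHER_LOG))
```

On a real system, feed the script the two log files for the same time window; a burst of "Token error" events from many distinct users in the minutes after a key discard is the signature to look for, since stale-cookie errors are normally spread across users and time.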

Cause
Token errors can occur for a variety of reasons and most commonly result from clients submitting outdated cookies. If the token errors coincide with the "Discarding still valid key because MAX_NUM_KEYS threshold (15) has been exceeded" message in dispatcher.log, the problem is the keyserver configuration.

The Key Server issues a new session key every session_key_life and must retain each retired key for token_lifetime so that tokens encrypted under it can still be decrypted. It can hold at most 15 keys. If session_key_life is short relative to token_lifetime, more than 15 keys need to be live at once; the Key Server then discards keys that are still valid, and every token encrypted with a discarded key fails with "Token error". This is a fatal condition and keyserver.conf must be corrected.
 
Resolution
Ensure that the ratio of cleartrust.keyserver.token_lifetime to cleartrust.keyserver.session_key_life is exactly 2:1. (The comments in keyserver.conf say token_lifetime must be "at least" twice session_key_life; the recommendation is to set it to exactly twice.) In most situations we recommend using the default values (1 hour and 30 mins), shown in the keyserver.conf excerpt below.

 
# Sets the allowable idle time for a given single sign-on token.
# This setting determines how long the Key Server must hold on to
# keys that are no longer used for encryption but still are valid
# for decryption.
#
# Allowed Values:
#   Any positive integer followed by a space and one of the following
#   time identifiers: hour | mins | secs.
#
# Default Value:
#   1 hour
#
# Dependencies:
#   The value set here should be greater than the sum of .idle_timeout
#   and .post_url_idle_timeout parameters in the webagent.conf file of
#   RSA Access Manager Agents. It must also be set to at least twice the
#   value of .session_key_life in order to prevent possible token
#   decryption failure.
#
#   The value set here should match the value set for
#   cleartrust.aserver.logoff.session_expiration_time in aserver.conf
#
cleartrust.keyserver.token_lifetime=1 hour
# Specifies how long a session key is valid for encrypting new
# single sign-on (SSO) tokens.
#
# Allowed Values:
#   Any positive integer followed by a space and one of the following
#   time identifiers: hour | mins | secs.
#
# Default Value:
#   30 mins
#
# Dependencies:
#   See the description of .token_lifetime.
#
cleartrust.keyserver.session_key_life=30 mins
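As an added example (not part of the article and not an RSA tool), the script below reads the two keyserver.conf settings above, checks the 2:1 rule, and estimates how many keys the Key Server would have to hold at once against the MAX_NUM_KEYS limit of 15 quoted in dispatcher.log. The key-count estimate assumes strictly periodic rotation (one retired key per session_key_life interval inside the token_lifetime window, plus the key currently used for encryption); that model, the constructed config fragments and the finding texts are assumptions for illustration.

```python
import re

# Constructed keyserver.conf fragments (not the article's own file): the shipped
# defaults, and a misconfigured pair that rotates keys every 2 minutes while
# keeping tokens valid for an hour.
GOOD_CONF = """\
cleartrust.keyserver.token_lifetime=1 hour
cleartrust.keyserver.session_key_life=30 mins
"""

BAD_CONF = """\
# comment lines and blank lines are ignored by the loader
cleartrust.keyserver.token_lifetime=1 hour

cleartrust.keyserver.session_key_life=2 mins
"""

MAX_NUM_KEYS = 15                                # limit quoted in dispatcher.log
UNITS = {"hour": 3600, "mins": 60, "secs": 1}    # identifiers allowed by keyserver.conf

TOKEN_LIFETIME = "cleartrust.keyserver.token_lifetime"
SESSION_KEY_LIFE = "cleartrust.keyserver.session_key_life"


def parse_duration(value):
    """'1 hour' / '30 mins' / '90 secs' -> seconds; anything else is rejected."""
    m = re.fullmatch(r"\s*(\d+)\s+(hour|mins|secs)\s*", value)
    if not m or int(m.group(1)) <= 0:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def load_conf(text):
    """Return {key: value} for the non-comment key=value lines of a .conf file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def estimate_keys_held(token_lifetime, session_key_life):
    """Keys live at once under the periodic-rotation assumption:
    ceil(token_lifetime / session_key_life) retired-but-decryptable keys
    plus the one key currently encrypting new tokens."""
    return -(-token_lifetime // session_key_life) + 1


def check_keyserver_conf(text):
    """Lint the two settings and return the numbers behind each finding."""
    conf = load_conf(text)
    tl = parse_duration(conf[TOKEN_LIFETIME])
    skl = parse_duration(conf[SESSION_KEY_LIFE])
    held = estimate_keys_held(tl, skl)
    findings = []
    if tl < 2 * skl:
        findings.append("token_lifetime is less than twice session_key_life: "
                        "tokens may fail to decrypt")
    elif tl != 2 * skl:
        findings.append("ratio is not exactly 2:1 (the article recommends exactly twice)")
    if held > MAX_NUM_KEYS:
        findings.append(f"about {held} keys would be live but MAX_NUM_KEYS is "
                        f"{MAX_NUM_KEYS}: still-valid keys will be discarded")
    return {"token_lifetime_secs": tl, "session_key_life_secs": skl,
            "ratio": tl / skl, "keys_held": held, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("defaults", GOOD_CONF), ("misconfigured", BAD_CONF)):
        print(name, check_keyserver_conf(conf))
```

With the defaults the estimate is three live keys, far below the limit; with a 2-minute session_key_life against a 1-hour token_lifetime it is 31, which is exactly the situation in which the Key Server starts discarding keys that are still needed. The loader is deliberately minimal and takes only the two settings the article discusses; the webagent.conf and aserver.conf dependencies noted in the comments above are not checked.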
