|Applies To||RSA Product Set: ClearTrust|
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
O/S Version: Customer doesn't know/not sure-see notes
|Issue||The following error occurs in the aserver.log|
'sequence_number=43,2014-07-10 11:49:00:352 EDT,messageID=1031,user=user1,client_ip_address=10.10.10.25,client_port=58600,browser_ip_address=10.10.10.26,result_code=0,result_action=User Token Failed,result_reason=Token error'
The following error occurs in the dispatcher.log
sequence_number=XX,date=xxxx-xx-xx xx:xx:xx:xxx PST,messageID=-2,event_type=Internal Error,event_description=Discarding still valid key because MAX_NUM_KEYS threshold (15) has been exceeded.
|Cause||Token errors can occur for a variety of reasons and occur in normal operation when clients submit outdated cookies. If token errors are also associated with the error message "Discarding still valid key because", then there is a problem with the keyserver configuration. |
This error occurs if the ratio of key generation and key lifetime is not set according to the recommendations in the keyserver.conf file. The keyserver can store a maximum of 15 keys; if the number of stored keys exceeds this value, still-valid keys may be discarded. This is a fatal condition, and the keyserver.conf file must be changed.
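The correlation described above, as an added example that is not part of the original article or of RSA's tooling: it parses the two log formats quoted under Issue and reports whether token errors coincide with the key-discard message. The second aserver.log line and the dispatcher.log sequence number and timestamp are constructed sample values; `parse_line` and `triage` are hypothetical names.

```python
import re

KV = re.compile(r"^(\w+)=(.*)$")
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3} \w+$")
DISCARD = "Discarding still valid key because"

# First line is the one quoted in this article; the rest are constructed samples.
ASERVER_SAMPLE = [
    "'sequence_number=43,2014-07-10 11:49:00:352 EDT,messageID=1031,user=user1,client_ip_address=10.10.10.25,client_port=58600,browser_ip_address=10.10.10.26,result_code=0,result_action=User Token Failed,result_reason=Token error'",
    "sequence_number=44,2014-07-10 11:49:02:010 EDT,messageID=1031,user=user2,client_ip_address=10.10.10.25,client_port=58601,browser_ip_address=10.10.10.27,result_code=0,result_action=User Token Failed,result_reason=Token error",
]
DISPATCHER_SAMPLE = [
    "sequence_number=7,date=2014-07-10 11:48:30:000 EDT,messageID=-2,event_type=Internal Error,event_description=Discarding still valid key because MAX_NUM_KEYS threshold (15) has been exceeded.",
]

def parse_line(line):
    """Split one comma-separated key=value log line into a dict."""
    fields, last = {}, None
    for piece in line.strip().strip("'").split(","):
        kv = KV.match(piece)
        if kv:
            last = kv.group(1)
            fields[last] = kv.group(2)
        elif TS.match(piece):
            fields["timestamp"] = piece   # aserver.log writes the time without a key
        elif last is not None:
            fields[last] += "," + piece   # comma inside a free-text value
    return fields

def triage(aserver_lines, dispatcher_lines):
    """Report whether token errors coincide with discarded session keys."""
    token_errors = [f for f in map(parse_line, aserver_lines)
                    if f.get("result_reason") == "Token error"]
    discards = [f for f in map(parse_line, dispatcher_lines)
                if f.get("event_description", "").startswith(DISCARD)]
    if token_errors and discards:
        verdict = "keyserver misconfiguration"   # check keyserver.conf lifetimes
    elif token_errors:
        verdict = "token errors only"            # e.g. outdated client cookies
    else:
        verdict = "no token errors"
    return {"users": sorted({f.get("user", "?") for f in token_errors}),
            "token_errors": len(token_errors),
            "key_discards": len(discards),
            "verdict": verdict}

if __name__ == "__main__":
    print(triage(ASERVER_SAMPLE, DISPATCHER_SAMPLE))
```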
|Resolution||Ensure that the ratio of token_lifetime to session_key_life is exactly 2:1. (Note: the documentation says the values should be "at least" twice, but the recommendation is to set them to exactly twice.) In most situations we recommend using the default values. |
# Sets the allowable idle time for a given single sign-on token.