000025765 - com.rsa.kms.key.support.KeyProviderException: Client failed to provide certificate

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025765

Applies To:
RSA Key Manager Client
RSA Key Manager Server
Microsoft Windows 2003 Server SP1
Apache Tomcat 5.5.20
RKM Server
RKM Client

Issue

The RKM Server log file (e.g. C:\Program Files\Apache Software Foundation\Tomcat 5.5\logs\key-manager.log) contains the following error when trying to retrieve a key:

com.rsa.kms.key.support.KeyProviderException: Client failed to provide certificate

or in RKM Server 2.1.2:

com.rsa.keymanager.access.certificate.DefaultCertificateIdentityEstablisher - Request does not contain a certificate.

or


com.rsa.keymanager.access.framework.AuthenticationException: The identity of the request could not be established.


When trying to retrieve a key, the RKM C Client API returns:

ERROR: 20010

If you are using the RKM 2.11 Java Client, running a sample (e.g. CheckConfig) gives output:

     [java] Attempting to contact Key Manager Server
     [java]  Key Manager Server IS NOT AVAILABLE
     [java]  Possible reasons why the sample code is unable to access the
     [java]  server are:
     [java]  - The Key Manager server has not been started
     [java]  - The Key Manager server Master Password has not been entered
     [java]  - The Key Manager server host name or IP address in the
     [java]    configuration file is incorrect
     [java]  - The Key Manager server port number in the configuration file is
     [java]    incorrect
     [java]  - The Key Manager server certificate as configured at the client
     [java]    is not the correct certificate
     [java]  - An identity matching the client certificate has not been
     [java]    configured on the server
     [java]  - RSA Access Manager has not been correctly configured
     [java]  - The Web Server has not been correctly configured


RKM Java Client 1.5.x shows an "Access Denied" message, e.g.

com.rsa.kmclient.KMSException: Unable to perfrom decryption : error : Unable to get a vaild key from KMS Server: Unable to get key from KMS Server : KMS Response error : KMSError from KMS Server : error : Access Denied

Resolution

Your web server must be set to accept client certificate authentication. You must also trust the CA certificate chain of any client certificates of applications that will request keys.

If you are using IIS 6:
Open IIS Manager. Under Web Sites, right-click Properties on your Default Web Site.

Click on the "Directory Security" tab -> Edit Secure Communications -> Select "Accept Client Certificate".
Click OK to close.

IIS 7:
1. Start IIS Manager (Server Manager > Roles > Web Server (IIS) > Internet Information Services)
2. Click on the Web Site
3. Double-click on SSL Settings
4. Under Client certificates, make sure that "Accept" or "Require" is selected

If you are using Apache:
Edit your httpd.conf (or httpd.d/ssl.conf), and look for SSLVerifyClient. Set it to the following:
   SSLVerifyClient optional
   SSLVerifyDepth 10
   SSLOptions +StdEnvVars +ExportCertData
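
As an added example (not part of the original article or of RSA's code), this Python sketch audits an Apache configuration for the three directives above. It assumes a flat reading of the file in which the last directive wins and ignores per-VirtualHost or per-Directory scoping; the `audit` helper and both sample configurations are constructed for illustration.

```python
# Constructed sample: a vhost that never asks the client for a certificate.
BEFORE = """\
<VirtualHost *:443>
    # SSLVerifyClient optional
    SSLVerifyClient none
    SSLOptions +StdEnvVars
</VirtualHost>
"""

# Constructed sample: the same vhost with the article's three directives.
AFTER = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars \\
               +ExportCertData
</VirtualHost>
"""

WANTED_OPTIONS = ("StdEnvVars", "ExportCertData")

def audit(conf_text):
    """Report the effective client-certificate settings (hypothetical helper)."""
    verify, depth, options = "none", 1, set()  # Apache defaults
    # Join backslash-continued lines, then walk the directives in order.
    for line in conf_text.replace("\\\n", " ").splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#<":
            continue  # blank line, comment, or section tag
        name, args = parts[0].lower(), parts[1:]  # names are case-insensitive
        if name == "sslverifyclient" and args:
            verify = args[0].lower()
        elif name == "sslverifydepth" and args:
            depth = int(args[0])
        elif name == "ssloptions":
            if not any(a[0] in "+-" for a in args):
                options = set()  # an unprefixed list replaces earlier options
            for a in args:
                flag = a.lstrip("+-").lower()
                if a.startswith("-"):
                    options.discard(flag)
                else:
                    options.add(flag)
    return {
        "requests_client_cert": verify in ("optional", "require"),
        "verify_depth": depth,
        "missing_options": [o for o in WANTED_OPTIONS if o.lower() not in options],
    }

print(audit(BEFORE), audit(AFTER), sep="\n")
```

A result with `requests_client_cert` set to `False` corresponds to the server never asking for a certificate, which is the condition behind the "Client failed to provide certificate" error.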

Legacy Article ID: a32843
