000021442 - Error: 'No decryption key' in RSA ClearTrust 5.0.1

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021442

Applies To:
RSA ClearTrust 5.0.1
RSA ClearTrust ACM
Microsoft Windows 2000
Sun Solaris 2.8
BEA WebLogic 7.0

Issue: Error: "No decryption key" in RSA ClearTrust 5.0.1
After capturing the ClearTrust authentication cookie and reading it in an RTAPI application to validate, decrypt and retrieve the cookie information (for example, to use in determining authorization rules), the user receives a "no decryption key" error message:

ctSession = AAAAAQABAECjB4AKNUJT26d8XKxjkA76un0ae9NzmNrlnHOko0wlvh8jW%2B5jAaAHAjmdMJt35zIkUaucdFGxpzphUpWE8%2FJ6
got RSAServerConnector instance
got RuntimeAPI instance
pingReturnCode = SERVER_TEST_SUCCEEDED
caught token exception : no decryption keys could be obtained
sirrus.runtime.TokenException: no decryption keys could be obtained
        at sirrus.runtime.AuthServerConnection.checkForExceptions(AuthServerConnection.java:578)
        at sirrus.runtime.AuthServerConnection.validateToken(AuthServerConnection.java:176)
        at sirrus.runtime.ServerPoolBasedRuntimeAPI.validateToken(ServerPoolBasedRuntimeAPI.java:186)
        at sirrus.runtime.RetryRuntimeAPI.validateToken(RetryRuntimeAPI.java:250)
        at sirrus.runtime.ExceptionMappingRuntimeAPI.validateToken(ExceptionMappingRuntimeAPI.java:107)
        at jsp_servlet.__login._jspService(__login.java:122)
        at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
        at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1075)

Cause: When the browser client gets a token via the ACM, the token should appear in the dispatcher output. When the RTAPI application validates the token, that token should also be recorded in the dispatcher debug output. In this case the two token strings do not match.
The tokens do not match because the token data is URL encoded. The application server URL encodes the token because the alphanumeric string contains characters (like "/") that are reserved in HTTP.
This error can also occur when there are multiple dispatchers and the keyservers are not configured properly to be fully integrated.

Resolution: The RTAPI application must URL decode the token string before passing it to the RTAPI calls that validate the token. Also ensure that multiple dispatchers and keyservers are configured to be fully integrated and are synchronized. Review the instructions on page 114 of the RSA ClearTrust 5.5 Installation and Configuration guide.
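
The URL decoding step described in the resolution, as an added example that is not part of the original article and not RSA code. The class and method names are hypothetical, and it assumes the raw token uses only the standard Base64 alphabet, as the sample above does; the RTAPI validateToken call itself is left out.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example (hypothetical class, not RSA code): clean up a ctSession cookie
// value before it is handed to the RTAPI token validation call.
public class CtSessionTokenNormalizer {
    // Assumption: the raw token uses the standard Base64 alphabet, as the sample on this page does.
    private static final Pattern BASE64 = Pattern.compile("[A-Za-z0-9+/]+={0,2}");
    private static final Pattern PERCENT_ESCAPE = Pattern.compile("%[0-9A-Fa-f]{2}");

    public static String normalize(String cookieValue) {
        if (cookieValue == null || cookieValue.trim().isEmpty()) {
            throw new IllegalArgumentException("empty ctSession value");
        }
        String token = cookieValue.trim();
        // Decode only when percent-escapes are present, so a value the container
        // already decoded is left alone instead of being decoded a second time.
        if (PERCENT_ESCAPE.matcher(token).find()) {
            // URLDecoder maps '+' to a space (form encoding); protect any literal '+' first.
            token = URLDecoder.decode(token.replace("+", "%2B"), StandardCharsets.UTF_8); // Java 10+
        }
        // Reject anything that still carries '%', spaces or other non-token characters.
        if (!BASE64.matcher(token).matches()) {
            throw new IllegalArgumentException("ctSession value is not a clean token after URL decoding");
        }
        return token;
    }

    public static void main(String[] args) {
        // ctSession value as it appears in the log on this page (URL encoded).
        String fromCookie = "AAAAAQABAECjB4AKNUJT26d8XKxjkA76un0ae9NzmNrlnHOko0wlvh8jW%2B5jAaAH"
                + "AjmdMJt35zIkUaucdFGxpzphUpWE8%2FJ6";
        String token = normalize(fromCookie);
        System.out.println("encoded   : " + fromCookie);
        System.out.println("normalized: " + token);
        System.out.println("changed by decoding     : " + !token.equals(fromCookie));
        System.out.println("second pass is a no-op  : " + token.equals(normalize(token)));
    }
}
```

Logging the normalized value next to the token recorded in the dispatcher debug output makes the comparison described under Cause direct.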
Legacy Article ID: a22980
