000034743 - Remote Agent fails to start with 'Could not load certificate' error in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jan 27, 2017Last modified by RSA Customer Support on Apr 15, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034743
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition: 6.x, 7.0.x, 7.1.x, 7.2.x
 
IssueThe RSA Identity Governance & Lifecycle remote agent fails to start with:
 
INFO [com.aveksa.server.certificates.CertificateManager]
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D
ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)


 
CauseThere is a problem with the client and server certificates.
 
ResolutionThe process to resolve this error is to generate a new root (server) certificate, a new client certificate for every remote agent and AFX server, redeploy the newly generated certificates and and restart RSA Identity Governance & Lifecycle, the remote agent and AFX.

For steps to do this, please see RSA Knowledge Base Article 000038314 -- How to update the root (server) and client certificates in RSA Identity Governance & Lifecycle.
 
NotesNote that when changing the server certificate, if you use AFX you will need to redeploy the certificate for AFX as well. Instructions for doing so are also in RSA Knowledge Base Article 000038314 -- How to update the root (server) and client certificates in RSA Identity Governance & Lifecycle
 

Attachments

    Outcomes