000034913 - Unable to open RSA Archer Control Panel due to duplicate certificates in certificate store: Found multiple X.509 certificates using the following search criteria.

Document created by RSA Customer Support Employee on Mar 8, 2017. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000034913
Applies To: RSA Product Set: Archer
RSA Version/Condition: 5.5.x
Platform: Windows
Issue: RSA Archer Configuration Service starts; however, errors are encountered when loading RSA Archer Control Panel (ACP). The errors are shown in the Output panel within ACP:
An error occurred reading the instance groups. Unexpected failure when broadcasting or receiving. 
An error occurred loading the instances. Unexpected failure when broadcasting or receiving.


Error observed in Archer.ArcherTech.Services.ConfigurationService.YYYYMMDD.xml:


<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
    <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
        <EventID>0</EventID>
        <Type>3</Type>
        <SubType Name="Error">0</SubType>
        <Level>2</Level>
        <TimeCreated SystemTime="2017-03-06T07:55:42.0522317Z" />
        <Source Name="Archer.NET" />
        <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
        <Execution ProcessName="ArcherTech.Services.ConfigurationService" ProcessID="1052" ThreadID="6" />
        <AssemblyVersion>5.5.10000.1088</AssemblyVersion>
        <Channel />
        <Computer>ArcherHost</Computer>
    </System>
    <ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
                    <TraceIdentifier>Archer.NET</TraceIdentifier>
                    <Description>Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'mydomain.com'. Provide a more specific find value.</Description>
                    <AppDomain>ArcherTech.Services.ConfigurationService.exe</AppDomain>
                    <Exception>
                        <ExceptionType>System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                        <Message>Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'mydomain.com'. Provide a more specific find value.</Message>
                        <Source>System.ServiceModel</Source>
                        <StackTrace>   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Configuration.X509ClientCertificateCredentialsElement.ApplyConfiguration(X509CertificateInitiatorServiceCredential creds)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.ApplyConfiguration(ServiceCredentials behavior)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.CreateBehavior()
   at System.ServiceModel.Description.ConfigLoader.LoadBehaviors[T](ServiceModelExtensionCollectionElement`1 behaviorElement, KeyedByTypeCollection`1 behaviors, Boolean commonBehaviors)
   at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action`1 addBaseAddress, Boolean skipHost)
   at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection)
   at System.ServiceModel.ServiceHost.ApplyConfiguration()
   at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)
   at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
   at ArcherTech.Configuration.ServiceHostFactory.GetServiceHost(Type serviceHostType)
   at ArcherTech.Services.ConfigurationService.ConfigurationService.StartService()</StackTrace>
                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>
</E2ETraceEvent>


Error observed in Windows Event Viewer:
 


Log Name:      Archer
Source:        Archer
Date:          3/6/2017 7:06:17 PM
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ArcherHost.mydomain.com
Description:
Error initializing log center - ArcherTech.Configuration.ConfigurationServiceException: Unexpected failure when broadcasting or receiving. ---> System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at ArcherTech.Configuration.IConfigurationServiceAPI.AssemblyVersion()
   at ArcherTech.Configuration.WCFPropertyServiceClient.<AssemblyVersion>b__12()
   at ArcherTech.Configuration.WCFPropertyServiceClient.ExecuteInOperationContextScope[TResult](Func`1 func)
   at ArcherTech.Configuration.WCFPropertyServiceClient.AssemblyVersion()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.IsValidClient(IConfigurationServiceAPI testClient, Exception& exception)
   --- End of inner exception stack trace ---
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetWCFPropertyServiceClient()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetPropertyServiceProxy()
   at ArcherTech.Configuration.PropertyServiceClient.GetListeners()
   at ArcherTech.Configuration.PropertyServiceClient.ArcherTech.Configuration.ICommunicationProvider.GetListeners()
   at Security2000.Global.Start()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Archer" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-06T11:06:17.000000000Z" />
    <EventRecordID>57743</EventRecordID>
    <Channel>Archer</Channel>
    <Computer>ArcherHost.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Error initializing log center - ArcherTech.Configuration.ConfigurationServiceException: Unexpected failure when broadcasting or receiving. ---&gt; System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---&gt; System.ServiceModel.FaultException: An error occurred when verifying security for the message.
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at ArcherTech.Configuration.IConfigurationServiceAPI.AssemblyVersion()
   at ArcherTech.Configuration.WCFPropertyServiceClient.&lt;AssemblyVersion&gt;b__12()
   at ArcherTech.Configuration.WCFPropertyServiceClient.ExecuteInOperationContextScope[TResult](Func`1 func)
   at ArcherTech.Configuration.WCFPropertyServiceClient.AssemblyVersion()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.IsValidClient(IConfigurationServiceAPI testClient, Exception&amp; exception)
   --- End of inner exception stack trace ---
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetWCFPropertyServiceClient()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetPropertyServiceProxy()
   at ArcherTech.Configuration.PropertyServiceClient.GetListeners()
   at ArcherTech.Configuration.PropertyServiceClient.ArcherTech.Configuration.ICommunicationProvider.GetListeners()
   at Security2000.Global.Start()</Data>
  </EventData>
</Event>

 


 

Cause: This issue is commonly found in environments where a CA-issued certificate is used with the RSA Archer installation and a duplicate CA certificate was left in the certificate store after certificate renewal.
The example above shows a duplicate CA certificate (e.g. 'mydomain.com') found in the certificate store.
Resolution:
  1. Review the certificate store on the RSA Archer server.
  2. Open MMC.
  3. Add the Certificates snap-in for "Computer Account", then select "Local Computer".
  4. Expand Certificates (Local Computer) > Personal > Certificates.
  5. Verify whether there are duplicate certificates; if so, remove only the old/expired certificate (e.g. 'mydomain.com').
  6. Restart the RSA Archer Configuration Service.
  7. Review the Archer.ArcherTech.Services.ConfigurationService.YYYYMMDD.xml log and confirm that the error no longer appears, e.g. Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'mydomain.com'. Provide a more specific find value.
  8. RSA Archer Control Panel will load correctly once the error is rectified.
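
The certificate review in steps 1 to 5 and the log check in step 7 can also be done from PowerShell. The script below is an added example, not RSA tooling: it repeats the store search named in the error message and lists every match without changing anything. `$LogPath` is an assumed parameter for the site-specific location of the ConfigurationService log.

```powershell
# Added example: read-only. No certificate is deleted or modified.
param(
    [string]$FindValue = 'mydomain.com',  # FindValue quoted in the error on this page
    [string]$LogPath                      # assumed: full path to the ConfigurationService log
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList `
    ([System.Security.Cryptography.X509Certificates.StoreName]::My),
    ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Same criteria as the error: StoreName 'My', StoreLocation 'LocalMachine',
    # FindType 'FindBySubjectName'. That find type is a case-insensitive
    # substring match, so 'mydomain.com' also matches 'CN=archer.mydomain.com'.
    # validOnly = $false so that expired certificates are listed too.
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName,
        $FindValue, $false)

    $now = Get-Date
    $found | Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
        Format-List

    if ($found.Count -gt 1) {
        Write-Warning ("{0} certificates match '{1}'. Review them in the Certificates snap-in and remove only the old/expired one." -f $found.Count, $FindValue)
    } else {
        "Certificates matching '$FindValue': $($found.Count)"
    }
}
finally {
    $store.Close()
}

# Step 7: count occurrences of the error in the log. Entries written before
# the service restart stay in the same day's file, so compare each entry's
# TimeCreated value with the restart time.
if ($LogPath) {
    $hits = @(Select-String -Path $LogPath -SimpleMatch 'Found multiple X.509 certificates')
    "Log lines containing the duplicate-certificate error: $($hits.Count)"
}
```

Because the search is a substring match, a second certificate for a different host under the same domain also counts as a match; the listing of Subject, Thumbprint and NotAfter shows which entry is the renewed one.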
