000036563 - RSA Authentication Manager 8.2 SP1 system log shows error message:  Message Key manager limit reached when using the RSA Authentication Agent API

Document created by RSA Customer Support Employee on Jul 26, 2018Last modified by RSA Customer Support Employee on Feb 21, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000036563
Applies ToRSA Product Set: SecurID
RSA Product/Service Type:  Authentication Agent API
RSA Version/Condition: 8.5.1
Platform: Linux
Platform (Other): FoxT BoKs
O/S Version: SUSE Linux
IssueA FoxT Bok server uses the RSA SecurID Authentication Agent API 8.5 for C or for Java to communicate as a TCP agent to Authentication Manager 8.x, as can be seen in the Real Time System monitor, and System log activity reports and imsTrace.log files.  The following error is shown:
ERROR All available agent keys are in use. The Agent Message Key Manager service cannot add new keys until some current keys expire or are deleted. Result: Message Key manager limit reached Activity Key: Agent Message Key Manager Key Limit

User-added image
CauseThe TCP agent, in this case FoxT BoKs server, uses the older TCP agent API version 8.5 and may not be reusing keys needed for encrypting the Authentication traffic.  By default, an Authentication Manager server can support 10000 keys each with a lifetime of 28800 seconds (8 hours).  This system error message indicates there are not enough keys available, possibly because they are not re-used by the agent.
ResolutionUse the work-around below first, to increase the number of available keys.

If your deployment sees this error after the work-around, possibly because you have hundreds or thousands of TCP agents, you may also need to check if the BoKS agent or other TCP agent is re-using keys or discarding them. If it is not re-using them, you can change the key lifetime to a much shorter period. Please contact RSA customer support for the details on this key lifetime change or contact the TCP agent partner vendor or developer about key re-use options.
WorkaroundRSA Engineering says that you could easily double or triple the default number of 10,000 keys without any impact.
  1. Open an SSH session to the primary Authentication Manager server.
  2. Login with the rsaadmin operating system account and password.
  3. Run the command ./rsautil store -a config_all auth_manager.messagekey.max_message_keys 30000, as shown:

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil store -a config_all auth_manager.messagekey.max_message_keys 30000 
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
pgsql.bin:/tmp/2273f1ca-a9c4-40ce-8173-6780a85f8f902222344216645874570.sql:149: NOTIOCE:  Changed the
value of configuration parameter 'auth_manager.messagekey.max_message_keys' from '10000' to '30000'
 for all instances

(1 row)
NotesThe key lifetime variable is auth_manager.messagekey.key_lifetime_secs.  You may be able to figure out how to configure a shorter key lifetime on your own, but it would be a good idea to open a case with RSA customer support so that we can assist, as well as document any specific TCP agent key re-use trends