How to troubleshoot CT-KIP failures in Authentication Manager 8.x
Originally Published: 2024-07-01
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
Version(s): 8.x
Issue
- How to enable verbose / debug logging on Authentication Manager, AM Web Tier v. 8.x, and
- Enabling debug for troubleshooting an RSA Authentication Manager 8.x web tier deployment, with a focus on the two-step CT-KIP process as seen in the Authentication Manager Real Time Monitor.
Time Stamp |
Admin Action |
Admin ID |
|---|---|---|
17:04:14 |
Delete CTKip Authcode |
trustedapp |
17:04:14 |
Generate CTKip key |
trustedapp |
17:04:12 |
Create CTKip Authcode |
<Admin>, e.g. amisbind or other UserID |
17:04:12 |
update Token |
amisbind |
17:04:12 |
update Token |
amisbind |
17:04:11 |
Create file data |
amisbind |
17:04:11 |
export Token |
amisbind |
17:04:11 |
update Token |
amisbind |
17:04:11 |
Link SWT with SWTDT definition file |
amisbind |
17:04:11 |
update Token |
amisbind |
17:04:10 |
Link Token with Principal |
amisbind |
Tasks
- Enable debug for troubleshooting an RSA Authentication Manager 8.x web tier deployment.
- Start the Admin Activity real time monitor (Reporting > Reports > Real Time Monitor > Administration Activity Monitor).
- Reproduce the CT-KIP issue.
- Attach the report to your technical support case for review.
Resolution
- The user ID is assigned a token serial number, which might occur previously to the CT-KIP import.
- The user requests the token, possibly through the Self-Service Console or portal, or through a custom app. The request might be for a new token, or a replacement token. A Software
- The user imports the token via the CT-KIP URL, which was created when the user requested the software token in step 2 above.
In step 1 the user might be assigned a new or replacement token in real time via a Self-Service Console, portal or app. The administration activity monitor will have various steps such as:
'update Token',
'Link Token with Principal',
'Link SWT with SWTDT definition file'
'export Token' and
'Create file data'
All activity is performed by an administrator, including an automated account such as amisbind, which is typical of AMIS or Authentication Manager Prime integrations.In step 2 as the user requests a new or replacement software token, after the serial number is assigned and the user Principal information updated, there will be a first step in the two-step process to import a software token via the CT-KIP protocol. That step shows as Create CTKip Authcode and is performed by the Authentication Manager administrator account linked to the application or the Self-Service portal, e. g., amisbind or another user ID. In the example above in the Issue section, "Create CTKip Authcode" is the third from last (top) real time admin log entry in the process.
Notes
Third part: The second step of CT-KIP import
Time Stamp |
Admin Action |
Admin ID |
|---|---|---|
17:04:14 |
Delete CTKip Authcode |
trustedapp |
17:04:14 |
Generate CTKip key |
trustedapp |
Second part: First step of CT-KIP import
Time Stamp |
Admin Action |
Admin ID |
|---|---|---|
17:04:12 |
Create CTKip Authcode |
<Admin>, e.g. amisbind or other UserID |
First part: Software token assignment logs
Time Stamp |
Admin Action |
Admin ID |
|---|---|---|
17:04:12 |
update Token |
amisbind |
17:04:12 |
update Token |
amisbind |
17:04:11 |
Create file data |
amisbind |
17:04:11 |
export Token |
amisbind |
17:04:11 |
update Token |
amisbind |
17:04:11 |
Link SWT with SWTDT definition file |
amisbind |
17:04:11 |
update Token |
amisbind |
17:04:10 |
Link Token with Principal |
amisbind |
Notice also that when the CT-KIP Authcode is generated, it is at the same time that it is deleted. Sometimes these steps will be reversed in order, e.g., the Delete looks like it came before the Generate. This has not been seen as a problem. It is simple a logging sequence issue.
Time Stamp |
Admin Action |
Admin ID |
|---|---|---|
17:04:14
|
Generate CTKip key
|
trustedapp
|
|
17:04:14 |
Delete CTKip Authcode |
trustedapp |
Related Articles
Configure SNMP Number of Views RSA Authentication Manager 8.1 Virtual Appliance SNMP Reference Guide Number of Views How to Configure HP OpenView to Accept SNMP Traps Number of Views Management Information Base Objects for SNMP GETS for Unreleased Agents Number of Views AdminAccess - Cisco ASA RSA Ready SecurID Access Implementation Guide Number of Views
Trending Articles
An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process
Don't see what you're looking for?
