RSA Cloud Access Service Shows Partial Publish Failure After Configuring REST Agent Connection to RSA Authentication Manager
Originally Published: 2026-02-26
Article Number
000073830
Applies To

RSA Product Set: RSA ID Plus

RSA Product/Service Type: RSA Cloud Access Service

RSA Version/Condition:

  • RSA Identity Router 12.24.x.x and later
  • RSA Authentication Manager 8.x
Issue

After adding or changing a REST Agent connection to Authentication Manager (AM), there is a Publish Partial Failure with status "Changes were successfully published to the Cloud Authentication Service, but could not be published to the identity router(s)."

Publish partial failure to IDRs

After publishing, in Platform > Identity Routers, the Authentication Manager's general status will show as unhealthy (amber) and the Authentication Manager detailed Authentication status will be unhealthy (red).

Authentication Manager authentication connection status

Note: An Authentication Manager Notification connection is not changed by configuring the connection to Authentication Manager, so its status will not be impacted by this issue.

In Platform > Identity Routers, View Log for all IDRs will intermittently show warning events similar to the following:

WARN  com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl[81] - Could not generate certificate: 
java.security.cert.CertificateException: Could not generate certificate: 
	at com.rsa.cryptoj.o.oy.engineGenerateCertificates(Unknown Source)
	at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
	at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:162)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getChainCertificateLeafToRoot(AMMFARestTemplateServiceImpl.java:161)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getSecureSslContext(AMMFARestTemplateServiceImpl.java:144)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getHttpClient(AMMFARestTemplateServiceImpl.java:99)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.clientHttpRequestFactory(AMMFARestTemplateServiceImpl.java:90)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:77)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getMfaRestTemplate(AMMFARestTemplateServiceImpl.java:70)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.postStatus(AMMFARestServiceImpl.java:106)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:100)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:54)
	at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.testConnection(AMMFAAuthenticationService.java:204)
	at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.checkConnection(AMMFAAuthenticationService.java:121)
	at com.symplified.service.shared.sid.SIDConnectivityTester.testConnectivityToSID(SIDConnectivityTester.java:31)
	at com.symplified.service.appliance.status.monitors.SIDConnectivityStatusMonitor.collectStatusMetrics(SIDConnectivityStatusMonitor.java:67)
	at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:124)
	at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:32)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

2026-02-25/14:03:25.821/UTC [Status-Monitor-7] WARN  com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl[109] - MFA error while preparing RestTemplate - Could not generate certificate: 
com.rsa.aae.am.mfa.exception.AMMFAException: Could not generate certificate: 
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:82)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getMfaRestTemplate(AMMFARestTemplateServiceImpl.java:70)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.postStatus(AMMFARestServiceImpl.java:106)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:100)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:54)
	at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.testConnection(AMMFAAuthenticationService.java:204)
	at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.checkConnection(AMMFAAuthenticationService.java:121)
	at com.symplified.service.shared.sid.SIDConnectivityTester.testConnectivityToSID(SIDConnectivityTester.java:31)
	at com.symplified.service.appliance.status.monitors.SIDConnectivityStatusMonitor.collectStatusMetrics(SIDConnectivityStatusMonitor.java:67)
	at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:124)
	at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:32)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.cert.CertificateException: Could not generate certificate: 
	at com.rsa.cryptoj.o.oy.engineGenerateCertificates(Unknown Source)
	at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
	at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:162)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getChainCertificateLeafToRoot(AMMFARestTemplateServiceImpl.java:161)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getSecureSslContext(AMMFARestTemplateServiceImpl.java:144)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getHttpClient(AMMFARestTemplateServiceImpl.java:99)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.clientHttpRequestFactory(AMMFARestTemplateServiceImpl.java:90)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:77)
	... 14 more

2026-02-25/14:03:25.821/UTC [Status-Monitor-7] ERROR com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService[128] - :  
com.rsa.aae.am.mfa.exception.AMMFAException: Could not generate certificate: 
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:82)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getMfaRestTemplate(AMMFARestTemplateServiceImpl.java:70)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.postStatus(AMMFARestServiceImpl.java:106)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:100)
	at com.rsa.aae.am.mfa.rest.AMMFARestServiceImpl.status(AMMFARestServiceImpl.java:54)
	at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.testConnection(AMMFAAuthenticationService.java:204)
	at com.rsa.aae.am.mfa.auth.AMMFAAuthenticationService.checkConnection(AMMFAAuthenticationService.java:121)
	at com.symplified.service.shared.sid.SIDConnectivityTester.testConnectivityToSID(SIDConnectivityTester.java:31)
	at com.symplified.service.appliance.status.monitors.SIDConnectivityStatusMonitor.collectStatusMetrics(SIDConnectivityStatusMonitor.java:67)
	at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:124)
	at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:32)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.cert.CertificateException: Could not generate certificate: 
	at com.rsa.cryptoj.o.oy.engineGenerateCertificates(Unknown Source)
	at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:480)
	at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:162)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getChainCertificateLeafToRoot(AMMFARestTemplateServiceImpl.java:161)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getSecureSslContext(AMMFARestTemplateServiceImpl.java:144)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.getHttpClient(AMMFARestTemplateServiceImpl.java:99)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.clientHttpRequestFactory(AMMFARestTemplateServiceImpl.java:90)
	at com.rsa.aae.am.mfa.rest.AMMFARestTemplateServiceImpl.resetMfaRestTemplate(AMMFARestTemplateServiceImpl.java:77)
	... 14 more

These errors can also be seen if you download the IDR bundle logs from any IDR. In the downloaded .zip file, the errors will be in /var/log/symplified/symplified.log.

Cause

Cloud Access Service (CAS) requires the Authentication Manager (AM) console root certificate to be provided in DER (binary-encoded) format during REST Agent configuration.

If the certificate is supplied in PEM (Base64/ASCII) format or any unsupported format, the Identity Router (IDR) is unable to process or load the certificate. This results in a Publish Partial Failure with the error “Could not generate certificate” in the IDR.
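A pre-upload check for the encoding mismatch described above, as an added example that is not part of the original article or of any RSA tooling. It classifies a certificate file as DER or PEM by its outer framing only (it does not validate the certificate contents), and the sample bytes are constructed placeholders, not a real AM certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) of consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form: length fits in one byte
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def pem_body(data: bytes):
    """Decode the first PEM CERTIFICATE block, or return None if absent or invalid."""
    match = PEM_BLOCK.search(data)
    if not match:
        return None
    try:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return None

def classify(data: bytes) -> str:
    """Return 'DER', 'PEM' or 'unknown' for the raw bytes of a certificate file."""
    if is_der_sequence(data):
        return "DER"
    body = pem_body(data)
    return "PEM" if body is not None and is_der_sequence(body) else "unknown"

def pem_to_der(data: bytes) -> bytes:
    """Return the binary DER bytes carried inside a PEM CERTIFICATE block."""
    body = pem_body(data)
    if body is None or not is_der_sequence(body):
        raise ValueError("no valid PEM CERTIFICATE block found")
    return body

# Constructed sample: DER outer framing around zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

A file that classifies as PEM is the case that produces "Could not generate certificate" on the IDR; only a file that classifies as DER should be uploaded in the REST Agent configuration.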

Resolution

To fix the issue:

  1. Obtain the RSA Authentication Manager (AM) console root certificate in DER format.
    Refer to 000073828 - How to download the RSA Authentication Manager Console Root Certificate in DER format
  2. Upload the DER-formatted certificate to the Cloud Administration Console as part of the REST Agent configuration, as described in Configure Connection to Authentication Manager (Step 3e).
  3. Save the configuration and Publish the changes.
Workaround

If it is not practical to immediately obtain AM's console root certificate in DER format and if a TCP Agent configuration was previously used for the connection to AM, the TCP Agent connection can be reconfigured as an interim measure.

Caution: Do NOT delete the Connection to Authentication Manager; otherwise the TCP Agent option will no longer be available and cannot be restored.

Notes

KB Article 000063937 - How to export root certificates for RSA Authentication Manager, Identity Router, or Cloud Authentication Service is not sufficient on its own for obtaining the AM root certificate required for a REST Agent connection in Cloud Access Service (CAS), as it provides the certificate in PEM format.

For REST Agent configuration, the AM root certificate must be in DER format. For the correct procedure, refer to KB article 000073828 - How to download the RSA Authentication Manager Console Root Certificate in DER format.