Identity not found for certificate
Originally Published: 2015-10-26
Article Number
Applies To
RSA Product/Service Type: Data Protection Manager Server; Data Protection Manager Appliance
RSA Version/Condition: 3.5.x
Issue
07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Identity not found for certificate: com.rsa.keymanager.core.identity.DefaultCertificate@1f35ae13
07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Error during transaction: com.rsa.keymanager.server.access.error.DefaultShampooAuthenticationErrorHandler
The format of the message varies somewhat depending on the type of Application Server in use for DPM Server, or whether it is a DPM Appliance. However, the key indicator of this issue is the phrase "Identity not found for certificate".
Cause
Typical reasons for this are:
- a required client has not been configured correctly (either Identity not configured correctly or the client has been configured with the wrong digital certificate), or
- an old/unrequired client has been left running and is still trying to connect but its identity has been deleted from DPM server/appliance, or
- a fraudulent client is trying to connect, or
- a DPM node has been removed from the cluster, but is still running/operational and clients are still sending to it (the errors appear in the old node's log)
Resolution
- Identify the DPM client that is affected by this problem.
  - Usually the IP address of the client is logged with the event message. If it is not shown (as in the above example messages), you should be able to adjust logging options in DPM's Application Server (WebLogic/WebSphere/Tomcat) to include the client IP address with the logged event message. Alternatively, you could try to correlate the Application Server event messages with events in the Web Server (httpd/IIS/IHS) access log to determine the IP address of the client.
- When you have identified the client with this problem, take appropriate action depending on the reason for the issue:
  - If the client is not entitled to connect to DPM, take appropriate steps to disable or block the client.
  - If the client is entitled to connect to DPM, check whether an Identity has been configured for it on the DPM server/appliance. If no Identity has been configured, create one and load the client's digital certificate into it. If there is already an Identity configured for the client, check the digital certificates configured in the Identity and in the client to determine which is the correct (unexpired) one to use. Then either change the client's configuration to use the same certificate as is configured for the Identity, or update the Identity by uploading into it the digital certificate that is configured in the client.
  - If the client is connecting to an old DPM node, shut down that node, and/or adjust the load balancer or client configuration to ensure the client only attempts to connect to live DPM node(s) in the cluster.
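The access-log correlation suggested in the first resolution step can be scripted. The following Python sketch is an added example, not RSA code: it assumes the web server writes Apache/IHS common log format and that both logs use the same local time zone, and every IP address, request path and the second DPM event are constructed sample values.

```python
import re
from datetime import datetime, timedelta

MARKER = "Identity not found for certificate"
# DPM event timestamp as shown in the article: "07 Oct 2015 10:51:34,869"
DPM_TS = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),\d{3}")
# Assumed access-log layout (common log format): ip - - [dd/Mon/yyyy:HH:MM:SS zone] ...
ACCESS = re.compile(r"^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\]")

def dpm_event_times(lines):
    """Return the timestamp of every 'Identity not found' event."""
    times = []
    for line in lines:
        m = DPM_TS.match(line)
        if m and MARKER in line:
            times.append(datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S"))
    return times

def access_entries(lines):
    """Yield (wall-clock time, client IP) for each parsable access-log line."""
    for line in lines:
        m = ACCESS.match(line)
        if m:
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1)

def candidate_clients(dpm_lines, access_lines, window_s=2):
    """Map each event time to the client IPs seen within +/- window_s seconds."""
    entries = list(access_entries(access_lines))
    window = timedelta(seconds=window_s)
    return {
        t.isoformat(): sorted({ip for ts, ip in entries if abs(ts - t) <= window})
        for t in dpm_event_times(dpm_lines)
    }

# First two lines are from the article; the third is constructed.
DPM_SAMPLE = [
    "07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Identity not found for certificate: com.rsa.keymanager.core.identity.DefaultCertificate@1f35ae13",
    "07 Oct 2015 10:51:34,869 1444229494782 ERROR [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)' - Client : Internal, Error during transaction: com.rsa.keymanager.server.access.error.DefaultShampooAuthenticationErrorHandler",
    "07 Oct 2015 11:02:10,101 1444230130101 ERROR [ACTIVE] ExecuteThread: '4' - Client : Internal, Identity not found for certificate: (constructed)",
]
# Constructed access-log lines; IPs are documentation ranges, path is a placeholder.
ACCESS_SAMPLE = [
    '198.51.100.7 - - [07/Oct/2015:10:49:02 -0400] "POST /placeholder HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/Oct/2015:10:51:34 -0400] "POST /placeholder HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/Oct/2015:11:02:09 -0400] "POST /placeholder HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Oct/2015:11:02:11 -0400] "POST /placeholder HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for when, ips in candidate_clients(DPM_SAMPLE, ACCESS_SAMPLE).items():
        print(when, ips or "no request in window")
```

When several addresses fall inside the window, the address that recurs across multiple events is the one to investigate first.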