Multiple Remote AFX Server Failures caused by 'Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same' after upgrading to version 7.2.0 of RSA Identity Governance & Lifecycle
2 years ago
Originally Published: 2020-08-14
Article Number
000043843
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
 
Issue
Multiple Remote AFX Server failures may occur after upgrading to RSA Identity Governance & Lifecycle 7.2.0.

SYMPTOMS:
  1. Remote AFX Servers go into a Not Running state in the user interface (AFX > Servers).
  2. Download Server Archive for Remote AFX Servers fails to download (AFX > Servers > {AFX Server name} > Download Server Archive). The AFX tab may become inaccessible after such an attempt.
  3. When attempting to create a remote AFX Server (AFX > Servers > Create Server), the Server definition cannot be saved and the remote AFX Server cannot be created.
 
User-added image

Clicking OK to save the definition results in the following error:
 
Unable to save Server
 
User-added image


In all these cases, the common denominator is the following error logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log):
 
03/27/2019 05:36:48.196 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.197 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData]
com.aveksa.server.db.PersistenceException:
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
  at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185)
  at com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData.handleSubmit(BaseEditServerAgentPageData.java:101)
  at com.aveksa.afx.ui.pages.agent.edit.CreateServerAgentPageData.handleSubmit(CreateServerAgentPageData.java:30)
  at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
  at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:605)
  at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
  at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
  at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:186)
  at com.aveksa.gui.core.MainManager.doGet(MainManager.java:130)
  at com.aveksa.gui.core.MainManager.doPost(MainManager.java:428)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
  at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
  at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:62)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
  at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
  at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
  at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
  at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)

 
Cause
Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. See RSA Knowledge Base Article 000039236 -- Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle for more information.

This issue occurs after an RSA Identity Governance & Lifecycle upgrade to version 7.2.0 from a previous version and the server and client certificates have not been regenerated.
 
Resolution
Regenerate the server and client certificates as instructed in RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.
 

Related Articles

Trending Articles

Don't see what you're looking for?