Remote Agent fails to start with 'Could not load certificate' error in RSA Identity Governance & Lifecycle
Originally Published: 2017-01-26
Article Number
Applies To
RSA Version/Condition: 6.x, 7.0.x, 7.1.x, 7.2.x
Issue
INFO [com.aveksa.server.certificates.CertificateManager]
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)
Cause
Resolution
For steps to do this, please see RSA Knowledge Base Article 000038314 -- How to update the root (server) and client certificates in RSA Identity Governance & Lifecycle.
Notes
Related Articles
How to update the HXTT Text JDBC Driver in RSA Identity Governance & Lifecycle Number of Views Enable On-Demand Authentication for a User Number of Views How to customize the application using customizeACM.sh in RSA Identity Governance & Lifecycle Number of Views Disable On-Demand Authentication for a User Number of Views Unable To Rename Directory When Upgrading To Envision 4.0.0 Number of Views
Trending Articles
Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures RSA SecurID Software Token 5.0.2 Downloads for Microsoft Windows RSA Authentication Manager 8.9 Release Notes (January 2026) Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA Authentication Manager 8.8 Setup and Configuration Guide
Don't see what you're looking for?
