Remote Agent fails to start with 'Could not load certificate' error in RSA Identity Governance & Lifecycle
Originally Published: 2017-01-26
Article Number
Applies To
RSA Version/Condition: 6.x, 7.0.x, 7.1.x, 7.2.x
Issue
INFO [com.aveksa.server.certificates.CertificateManager]
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)
Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database. ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority.
Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192) at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226) at com.aveksa.AgentServlet.doPost(AgentServlet.java:99) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:701)
Cause
Resolution
For steps to do this, please see RSA Knowledge Base Article 000038314 -- How to update the root (server) and client certificates in RSA Identity Governance & Lifecycle.
Notes
Related Articles
Enable On-Demand Authentication for a User Number of Views Disable On-Demand Authentication for a User Number of Views How to update the HXTT Text JDBC Driver in RSA Identity Governance & Lifecycle Number of Views How to customize the application using customizeACM.sh in RSA Identity Governance & Lifecycle Number of Views On-Demand Authentication Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
Don't see what you're looking for?
