RSA Key Manager Server
Microsoft Windows 2003 Server SP1
Apache Tomcat 5.5.20
RKM Server
RKM Client
The RKM Server log file (e.g. C:\Program Files\Apache Software Foundation\Tomcat 5.5\logs\key-manager.log) contains the following error when trying to retrieve a key:
com.rsa.kms.key.support.KeyProviderException: Client failed to provide certificate
or in RKM Server 2.1.2:
com.rsa.keymanager.access.certificate.DefaultCertificateIdentityEstablisher - Request does not contain a certificate.
or
com.rsa.keymanager.access.framework.AuthenticationException: The identity of the request could not be established.
When trying to retrieve key, the RKM C Client API returns
ERROR: 20010
If you are using the RKM 2.11 Java Client, running a sample (e.g. CheckConfig) gives output:
[java] Attempting to contact Key Manager Server
[java] Key Manager Server IS NOT AVAILABLE
[java] Possible reasons why the sample code is unable to access the
[java] server are:
[java] - The Key Manager server has not been started
[java] - The Key Manager server Master Password has not been entered
[java] - The Key Manager server host name or IP address in the
[java] configuration file is incorrect
[java] - The Key Manager server port number in the configuration file is
[java] incorrect
[java] - The Key Manager server certificate as configured at the client
[java] is not the correct certificate
[java] - An identity matching the client certificate has not been
[java] configured on the server
[java] - RSA Access Manager has not been correctly configured
[java] - The Web Server has not been correctly configured
RKM Java Client 1.5.x shows "Access Denied" message, e.g.
com.rsa.kmclient.KMSException: Unable to perfrom decryption : error : Unable to get a vaild key from KMS Server: Unable to get key from KMS Server : KMS Response error : KMSError from KMS Server : error : Access Denied
If you are using IIS 6:
Open IIS Manager. Under Web Sites, right-click Properties on your Default Web Site.
Click on the "Directory Security" tab -> Edit Secure Communications -> Select "Accept Client Certificate".
Click OK to close.
IIS 7:
1. Start IIS Manager (Server Manager > Roles > Web Server (IIS) > Internet Information Services)
2. Click on the Web Site
3. Double-click on SSL Settings
4. Under Client certificates, make sure that "Accept" or "Require" is selected
If you are using Apache:
Edit your httpd.conf (or httpd.d/ssl.conf), and look for SSLVerifyClient. Set it to the following:
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData
Related Articles
Require the Security Console and Self-Service Console to Provide the Same Response for Valid and Invalid Usernames Number of Views Provide an Offline Emergency Access Tokencode Number of Views Hyperlink to RSA SecurID Cloud Authentication Service IdP URL embedded in Word Doc does not work Number of Views Provide an Offline Emergency Passcode Number of Views Access Denied error without an opportunity to provide login credentials when accessing Key Manager console Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory Mandatory Certificate Upgrade Required by 6th October 2025 for RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third … RSA Authentication Manager 8.9 Release Notes (January 2026)
