healthCheck.do returns 'Get Key Error: 20010' and key-manager.log shows 'ClientID and Identity doesnot match'
Originally Published: 2011-01-10
Article Number
000054182
Applies To
RSA Key Manager Appliance 2.7 SP1
Issue
A) healthCheck.do returns "Get Key Error: 20010" and key-manager.log shows "ClientID and Identity doesnot match"

B) When the health check monitoring URL (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12') is opened in a web browser, the following page is shown:
 
0
Using init config file /tmp/16875.497.test_init.cfg
Using service config file config/test_svc.cfg
############################################################################
Retrieving key via key class
############################################################################
bin/get_key_by_class/get_key_by_class -init_file /tmp/16875.497.test_init.cfg -svc_file config/test_svc.cfg -key_class "healthcheck_keyclass"
Getting key by Key Class healthcheck_keyclass...
ERROR: R_KM_KEY_get_by_class by Key Class healthcheck_keyclass returned 20010
Get Key Error: 20010
DONE: 0

C) The RKM Server log, key-manager.log, shows the following corresponding exception:
 
2011-01-07 09:34:27,147 ERROR TP-Processor11 com.rsa.keymanager.server.shampoo.skeleton.KeyManagerShampooErrorHandler - NO LOG MESSAGE
au.net.netstorm.boost.primordial.PrimordialException: ClientID and Identity doesnot match
 at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.checkIdentity(DefaultClientRequestHandler.java:143)
 at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.getIdentityPolicy(DefaultClientRequestHandler.java:147)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.edge.java.lang.reflect.DefaultEdgeMethod.invoke(DefaultEdgeMethod.java:11)
 at com.rsa.shampoo.skeleton.DefaultSkeleton.downCall(DefaultSkeleton.java:72)
 at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:46)
 at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:40)
 at com.rsa.shampoo.skeleton.DefaultErrorSkeleton.call(DefaultErrorSkeleton.java:21)
 at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:41)
 at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.doCall(DefaultShampooSkeleton.java:36)
 at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:30)
 at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.processRequest(DefaultRpcRequestHandler.java:28)
 at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.handle(DefaultRpcRequestHandler.java:22)
 at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.get(ShampooServlet.java:24)
 at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.post(ShampooServlet.java:20)
 at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:75)
 at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:55)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.auth.z.IdentityStampLayer.invoke(IdentityStampLayer.java:31)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.auth.z.PersonalityLayer.invoke(PersonalityLayer.java:53)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.call(AuthenticationServletFilter.java:71)
 at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:55)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
 at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
 at com.rsa.keymanager.server.transport.core.filter.ServerAccessibilityFilter.doFilter(ServerAccessibilityFilter.java:29)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
 at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.TransactionLayer.invoke(TransactionLayer.java:32)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:36)
 at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:30)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.RequestStampLayer.invoke(RequestStampLayer.java:30)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.FrozenClockLayer.invoke(FrozenClockLayer.java:33)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
 at com.rsa.keymanager.core.entry.ThreadLocalGlobalsLayer.invoke(ThreadLocalGlobalsLayer.java:27)
 at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
 at $Proxy7.doFilter(Unknown Source)
 at com.rsa.keymanager.server.transport.core.filter.EntryFilter.doFilter(EntryFilter.java:27)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
 at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
 at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
 at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
 at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
 at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
 at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
 at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
 at java.lang.Thread.run(Thread.java:619)

D) The client application name (client.app_name) and id (client.app_id) in the RKM Client registration file (/opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg) used by healthCheck did not exist, or could not be located, in the RKM Server GUI (/KMS).

The contents of test_appreg.cfg looked like the following (note the values of client.app_name and client.app_id, which are the ones the server could not find):
 
client.policy_signature = L3i5XrUb5f2mxWQL2BtZlYSS7eHwRjqC3piwaapZvCRPZbvAoQmA/dCaSiZ2PpFUK8TEdGqkLYSArWGOKcoVRt10Eq6oMGO5PmTB3w3c72wj9ewBvkFk/dLtZB8H8FBLSgfR3Htk8OIrpEjkGcaRSgpN6AZigG/dVYOwISlcQG4=
client.applicationpolicy = 000102030405060708091011
client.rkm_svr_public_key = MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgXACydRqPnPZVO0LE/23Lsgq6FihvSfnmVHab62uVnCqmg+3VZdwC9whx+8IdtXQ0nitKjVqbHPAeFVbuEzLNzNy7boWkZZQ1iiUDrVOPVYFqfKWcehIJ1uoxRcMeNMYDp3vwPPj4KB4x8VuAONhMZP0YzpKrTPwyF5hfx5wwiwIDAQAB
client.app_name = RKMDemorkm.appliance.net2010:12:22:16:10:13
client.actmgmt_enable = 0
client.registration_state = 3
client.actmgmt_poll_interval = 0
client.app_id = 05cf24e3-c01e-4676-9b73-b0e6c35e652d-559a7cba-20b7-4021-8a02-b2429e9ded80
client.policy_name = DEFAULT_POLICY
Cause
The exact reason why the client.app_name and client.app_id listed in test_appreg.cfg did not exist on the RKM Server is not known.

One change was made to the environment:  A previous certificate used with healthCheck.do had expired and a new certificate was issued and configured with healthCheck.do (for more details, see solution RKM Appliance health check monitoring URL healthCheck.do returns 'Get Key Error: 10039').
Resolution
Follow the steps listed below to reset the contents of test_appreg.cfg so that the RKM Client associated with healthCheck.do re-initializes it with a valid client.app_name, client.app_id, and other parameters:

1. Stop the Apache web server so that no RKM requests (in particular healthCheck.do requests) are served while this issue is being fixed:
service httpd stop

2. Make a backup of the existing file /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg

3. Use vi to edit test_appreg.cfg:
vi /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg

4. Edit test_appreg.cfg so that it has only the following contents (client.app_name must be given a value that is unique on the server; updating the date/time stamp at the end of the name is one way to do so, and client.registration_state = 0 tells the client to register again on its next request):
client.app_name = RKMDemorkm.appliance.net2011:01:07:14:50:13
client.actmgmt_enable = 0
client.registration_state = 0
client.actmgmt_poll_interval = 0

5. Ensure that the PKCS#12 file (e.g., client.p12 in the above example) is the correct one and is properly configured in the RKM Server GUI (/KMS).

6. Start the Apache web server:
service httpd start

7. Test by accessing the health check URL in a browser (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12')

8. A successful healthCheck transaction should be reflected by:
    (a) a successful get key in the browser,
    (b) test_appreg.cfg updated with client.app_id and the other parameters, and
    (c) a client record created on the RKM Server and viewable via the Clients tab.
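The following POSIX shell script is an added example that scripts steps 2 through 4 and the check in step 8(b); it is not part of the RSA article and not RSA's own tooling. It assumes the key = value layout of test_appreg.cfg shown above, that a client.app_name ending in YYYY:MM:DD:HH:MM:SS is made unique by replacing that timestamp, that a re-registered file again carries client.app_id with client.registration_state = 3 (the values in the registered sample above), and that httpd is controlled with `service` as in steps 1 and 6. The function and option names are the example's own.

```shell
#!/bin/sh
# Added example, not from the RSA KB article: reset the RKM Client registration
# file used by healthCheck.do so the client registers afresh, and check the result.
# Assumptions: key = value layout as in the article; app_name ends in a
# YYYY:MM:DD:HH:MM:SS stamp; registration_state 3 plus an app_id means registered.

APPREG_DEFAULT=/opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg

# Print the value of one client.<key> entry ($2) from registration file $1.
appreg_get() {
    sed -n "s/^client\.$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the file looks registered: app_id present and registration_state = 3.
appreg_registered() {
    [ -n "$(appreg_get "$1" app_id)" ] && [ "$(appreg_get "$1" registration_state)" = 3 ]
}

# Rewrite registration file $1 to the four-line unregistered form of step 4.
# $2 is an optional timestamp for the new app_name (defaults to now).
reset_appreg() {
    cfg=$1
    stamp=${2:-$(date +%Y:%m:%d:%H:%M:%S)}
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # Step 2: keep a backup; the old app_id may be needed to find a stale server record.
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"

    old_name=$(appreg_get "$cfg" app_name)
    # Drop a trailing YYYY:MM:DD:HH:MM:SS so the stamp is replaced, not appended twice.
    base=$(printf '%s' "$old_name" | sed 's/[0-9]\{4\}\(:[0-9][0-9]\)\{5\}$//')
    [ -n "$base" ] || { echo "client.app_name not found in $cfg" >&2; return 1; }

    # Step 4: only these four lines remain; no app_id, policy or signature fields.
    # Overwriting in place (rather than mv) keeps the file's owner and mode.
    {
        printf 'client.app_name = %s%s\n' "$base" "$stamp"
        printf 'client.actmgmt_enable = 0\n'
        printf 'client.registration_state = 0\n'
        printf 'client.actmgmt_poll_interval = 0\n'
    } > "$cfg"
}

# Print the numeric code from a saved healthCheck.do response body ($1),
# e.g. 20010 from "Get Key Error: 20010"; prints nothing when no error line is present.
health_error_code() {
    sed -n 's/.*Get Key Error: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Demonstration on a temporary copy of the article's sample file (constructed here).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
client.applicationpolicy = 000102030405060708091011
client.app_name = RKMDemorkm.appliance.net2010:12:22:16:10:13
client.actmgmt_enable = 0
client.registration_state = 3
client.actmgmt_poll_interval = 0
client.app_id = 05cf24e3-c01e-4676-9b73-b0e6c35e652d-559a7cba-20b7-4021-8a02-b2429e9ded80
client.policy_name = DEFAULT_POLICY
EOF
    reset_appreg "$tmp" && cat "$tmp"
    rm -f "$tmp" "$tmp".bak.*
}

case "${1:-}" in
    --run)  service httpd stop; reset_appreg "${2:-$APPREG_DEFAULT}"; service httpd start ;;
    --demo) demo ;;
esac
```

Run it as `sh reset_appreg.sh --demo` to see the rewritten file, or `sh reset_appreg.sh --run` on the appliance to perform steps 1, 2, 4 and 6 (step 5 still has to be verified in the GUI, and step 7 is the browser request). After the health check succeeds, `appreg_registered "$APPREG_DEFAULT"` returning 0 is the scripted form of step 8(b).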
Notes
For additional possible scenarios when you may get error 20010, see solution RKM: Resolve Client error 20010 and Server error 'ClientID and Identity doesnot match'