healthCheck.do returns 'Get Key Error: 20010' and key-manager.log shows 'ClientID and Identity doesnot match'
Originally Published: 2011-01-10
Issue
B) When the health check monitoring URL (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12') is accessed in a web browser, the following page is shown:
0
Using init config file /tmp/16875.497.test_init.cfg
Using service config file config/test_svc.cfg
########################################### ############################ Retrieving key via key class ######## ########################################################## #####
bin/get_key_by_class/get_key_by_class -init_file /tmp/16875.497.test_init.cfg -svc_file config/test_svc.cfg -key_class "healthcheck_keyclass"
Getting key by Key Class healthcheck_keyclass...
ERROR: R_KM_KEY_get_by_class by Key Class healthcheck_keyclass returned 20010
Get Key Error: 20010
DONE: 0
C) RKM Server logs, key-manager.log, shows the following corresponding exception:
2011-01-07 09:34:27,147 ERROR TP-Processor11 com.rsa.keymanager.server.shampoo.skeleton.KeyManagerShampooErrorHandler - NO LOG MESSAGE
au.net.netstorm.boost.primordial.PrimordialException: ClientID and Identity doesnot match
    at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.checkIdentity(DefaultClientRequestHandler.java:143)
    at com.rsa.keymanager.server.api.crow.adapter.DefaultClientRequestHandler.getIdentityPolicy(DefaultClientRequestHandler.java:147)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.edge.java.lang.reflect.DefaultEdgeMethod.invoke(DefaultEdgeMethod.java:11)
    at com.rsa.shampoo.skeleton.DefaultSkeleton.downCall(DefaultSkeleton.java:72)
    at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:46)
    at com.rsa.shampoo.skeleton.DefaultSkeleton.call(DefaultSkeleton.java:40)
    at com.rsa.shampoo.skeleton.DefaultErrorSkeleton.call(DefaultErrorSkeleton.java:21)
    at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:41)
    at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.doCall(DefaultShampooSkeleton.java:36)
    at com.rsa.shampoo.skeleton.DefaultShampooSkeleton.call(DefaultShampooSkeleton.java:30)
    at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.processRequest(DefaultRpcRequestHandler.java:28)
    at com.rsa.keymanager.server.transport.core.request.DefaultRpcRequestHandler.handle(DefaultRpcRequestHandler.java:22)
    at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.get(ShampooServlet.java:24)
    at com.rsa.keymanager.server.transport.core.servlet.ShampooServlet.post(ShampooServlet.java:20)
    at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:75)
    at com.rsa.keymanager.server.transport.core.servlet.EdgifierServlet.doPost(EdgifierServlet.java:55)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.auth.z.IdentityStampLayer.invoke(IdentityStampLayer.java:31)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.auth.z.PersonalityLayer.invoke(PersonalityLayer.java:53)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.call(AuthenticationServletFilter.java:71)
    at com.rsa.keymanager.server.transport.core.filter.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:55)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
    at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
    at com.rsa.keymanager.server.transport.core.filter.ServerAccessibilityFilter.doFilter(ServerAccessibilityFilter.java:29)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
    at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at edge.javax.servlet.DefaultFilterChain.doFilter(DefaultFilterChain.java:25)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.TransactionLayer.invoke(TransactionLayer.java:32)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:36)
    at com.rsa.keymanager.core.entry.CacheLayer.invoke(CacheLayer.java:30)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.RequestStampLayer.invoke(RequestStampLayer.java:30)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.FrozenClockLayer.invoke(FrozenClockLayer.java:33)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor75.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at au.net.netstorm.boost.nursery.proxy.DefaultMethod.invoke(DefaultMethod.java:26)
    at com.rsa.keymanager.core.entry.ThreadLocalGlobalsLayer.invoke(ThreadLocalGlobalsLayer.java:27)
    at au.net.netstorm.boost.util.proxy.LayerInvocationHandler.invoke(LayerInvocationHandler.java:20)
    at $Proxy7.doFilter(Unknown Source)
    at com.rsa.keymanager.server.transport.core.filter.EntryFilter.doFilter(EntryFilter.java:27)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.doFilter(DefaultFilterAdaptor.java:58)
    at com.rsa.keymanager.server.transport.core.filter.DefaultFilterAdaptor.filter(DefaultFilterAdaptor.java:42)
    at com.rsa.keymanager.server.transport.core.filter.EdgifierFilter.doFilter(EdgifierFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)
D) The client application name (client.app_name) and ID (client.app_id) in the RKM Client registration file used by healthCheck (/opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg) did not exist or could not be located in the RKM Server GUI (/KMS).
The contents of test_appreg.cfg looked like the following (notice the client.app_name and client.app_id lines, which were shown in red in the original article):
client.policy_signature = L3i5XrUb5f2mxWQL2BtZlYSS7eHwRjqC3piwaapZvCRPZbvAoQmA/dCaSiZ2PpFUK8TEdGqkLYSArWGOKcoVRt10Eq6oMGO5PmTB3w3c72wj9ewBvkFk/dLtZB8H8FBLSgfR3Htk8OIrpEjkGcaRSgpN6AZigG/dVYOwISlcQG4=
client.applicationpolicy = 000102030405060708091011
client.rkm_svr_public_key = MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgXACydRqPnPZVO0LE/23Lsgq6FihvSfnmVHab62uVnCqmg+3VZdwC9whx+8IdtXQ0nitKjVqbHPAeFVbuEzLNzNy7boWkZZQ1iiUDrVOPVYFqfKWcehIJ1uoxRcMeNMYDp3vwPPj4KB4x8VuAONhMZP0YzpKrTPwyF5hfx5wwiwIDAQAB
client.app_name = RKMDemorkm.appliance.net2010:12:22:16:10:13
client.actmgmt_enable = 0
client.registration_state = 3
client.actmgmt_poll_interval = 0
client.app_id = 05cf24e3-c01e-4676-9b73-b0e6c35e652d-559a7cba-20b7-4021-8a02-b2429e9ded80
client.policy_name = DEFAULT_POLICY
Cause
One change was made to the environment: A previous certificate used with healthCheck.do had expired and a new certificate was issued and configured with healthCheck.do (for more details, see solution RKM Appliance health check monitoring URL healthCheck.do returns 'Get Key Error: 10039').
Resolution
1. Stop Apache web server so no RKM requests (especially healthCheck.do requests) are responded to while this issue is being fixed:
service httpd stop
2. Make a backup of the existing file /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg
3. Use vi to edit test_appreg.cfg:
vi /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg
4. Edit test_appreg.cfg so that it has the following contents (note that client.app_name must get a unique value; updating the date/time stamp is one way to do so):
client.app_name = RKMDemorkm.appliance.net2011:01:07:14:50:13
client.actmgmt_enable = 0
client.registration_state = 0
client.actmgmt_poll_interval = 0
5. Ensure that the PKCS#12 file (e.g., client.p12 in the above example) is the correct one and is properly configured in the RKM Server GUI (/KMS).
6. Start Apache web server:
service httpd start
7. Test by accessing the health check URL in a browser (e.g., https://rkm.appliance.net/rkmawa/healthCheck.do?keyclass='healthcheck_keyclass'&rootca='/opt/CA/demoCA/certs/rootca.cer'&client='/opt/CA/demoCA/certs/client.p12')
8. A successful healthCheck transaction should be reflected by:
(a) successful get key on browser,
(b) test_appreg.cfg updated with client.app_id and other parameters, and
(c) a client record created on RKM Server and viewable via Clients tab
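Steps 2 to 4 as shell functions, added here as an example (not RSA's own tooling): the file is backed up, then rewritten with only the four keys from step 4 and a fresh time stamp in client.app_name. The function names are hypothetical, and the code assumes client.app_name ends in the YYYY:MM:DD:HH:MM:SS stamp seen in the files above.

```shell
#!/bin/sh
# Added example (not RSA tooling): steps 2-4 for test_appreg.cfg.
# Assumption: client.app_name ends in a YYYY:MM:DD:HH:MM:SS stamp,
# as in the files shown above. Function names are hypothetical.

# new_app_name OLD_NAME: print OLD_NAME with its trailing stamp replaced
# by the current time, giving the unique value that step 4 requires.
new_app_name() {
    base=$(printf '%s\n' "$1" | sed 's/[0-9]\{4\}\(:[0-9][0-9]\)\{5\}$//')
    printf '%s%s\n' "$base" "$(date '+%Y:%m:%d:%H:%M:%S')"
}

# reset_appreg FILE: back FILE up (step 2), then rewrite it with only the
# four keys from step 4. Prints the backup path on success.
reset_appreg() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    old=$(sed -n 's/^client\.app_name[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1)
    [ -n "$old" ] || { echo "client.app_name missing in $cfg" >&2; return 1; }

    backup="$cfg.bak.$(date '+%Y%m%d%H%M%S')"
    cp -p "$cfg" "$backup" || return 1

    name=$(new_app_name "$old")
    # Overwrite in place so the file keeps its owner and mode.
    # registration_state = 0 and the absence of client.app_id match the
    # contents given in step 4; the stale app_id survives only in the backup.
    {
        printf 'client.app_name = %s\n' "$name"
        printf 'client.actmgmt_enable = 0\n'
        printf 'client.registration_state = 0\n'
        printf 'client.actmgmt_poll_interval = 0\n'
    } > "$cfg" || return 1
    printf '%s\n' "$backup"
}

# Usage, between steps 1 and 6:
#   service httpd stop
#   reset_appreg /opt/rsa/rkm-client/RSA_Key_Manager_Client/2.5.0.2/rhas40/samples/config/test_appreg.cfg
#   service httpd start
```

After the next healthCheck request, compare the regenerated file with the backup: a new client.app_id in place of the old one corresponds to outcome (b) in step 8.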