verify tool fails to validate keys with error 'KMS Server connection failed : Certificate unknown'
Originally Published: 2011-09-12
Applies To
RSA Key Manager Client 1.5.x
RSA Key Manager Server Migration Utility 2.7.1.1
Issue
How to include the correct CA certificate for trust in an existing PKCS#12
RKM Server Migration Utility's verify tool fails to verify keys with the error "KMS Server connection failed : Certificate unknown" because the RKM Client used by the tool does not trust the SSL server certificate(s) presented by the RKM Server webserver(s).
The following error is logged in migrate.log:
2011-09-12 17:34:24,467 INFO main - NO LOG MESSAGE
com.rsa.keymanager.sandpiper.engine.verify.KeyNotObtainedException: Cannot obtain a key from server for Key Class [mykeyclass Key Id [1234567890].
at com.rsa.keymanager.sandpiper.engine.verify.LegacyCryptoMaster.getKey(LegacyCryptoMaster.java:58)
at com.rsa.keymanager.sandpiper.engine.verify.LegacyCryptoMaster.encrypt(LegacyCryptoMaster.java:29)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultXRayMachine.encrypt(DefaultXRayMachine.java:76)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultXRayMachine.canEncrypt(DefaultXRayMachine.java:26)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.verify(DefaultAirTrafficController.java:83)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.checkPaper(DefaultAirTrafficController.java:59)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.checkPapers(DefaultAirTrafficController.java:51)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.verify(DefaultAirTrafficController.java:42)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultVerificationRunner.go(DefaultVerificationRunner.java:16)
at com.rsa.keymanager.sandpiper.engine.main.DefaultMasterRunner.doRun(DefaultMasterRunner.java:34)
at com.rsa.keymanager.sandpiper.engine.main.DefaultMasterRunner.run(DefaultMasterRunner.java:24)
at com.rsa.keymanager.sandpiper.engine.migrate.DefaultSandpiper.run(DefaultSandpiper.java:46)
at com.rsa.keymanager.sandpiper.engine.migrate.DefaultSandpiper.launch(DefaultSandpiper.java:24)
at com.rsa.keymanager.sandpiper.engine.main.Main.main(Main.java:48)
Caused by: edge.com.rsa.kmclient.KMSException: com.rsa.kmclient.KMSException: Unable to get a vaild key from KMS Server: Unable to connect to KMS Server after 3 retries : KMS Server connection failed : Certificate unknown
at edge.com.rsa.kmclient.DefaultKMClient.getKey(DefaultKMClient.java:31)
at com.rsa.keymanager.sandpiper.engine.verify.DefaultLegacyKeyManagerClient.getKey(DefaultLegacyKeyManagerClient.java:26)
at com.rsa.keymanager.sandpiper.engine.verify.LegacyCryptoMaster.getKey(LegacyCryptoMaster.java:54)
... 13 more
Caused by: com.rsa.kmclient.KMSException: Unable to get a vaild key from KMS Server: Unable to connect to KMS Server after 3 retries : KMS Server connection failed : Certificate unknown
at com.rsa.kmclient.KMClient.getKey(Unknown Source)
at edge.com.rsa.kmclient.DefaultKMClient.getKey(DefaultKMClient.java:28)
... 15 more
2011-09-12 17:34:24,469 INFO main - Client : Internal, Failed to verify Key Id '1234567890' in Key Class 'mykeyclass
Cause
Notes:
- The verify tool uses RKM Client 1.5.x for validating keys when migrating from RKM Server version 2.0.x.
- RKM Client 1.5.x can only use a single CA certificate even if there are multiple CA certificates in the PKCS#12, and the CA certificate in the PKCS#12 must be the issuing CA certificate that signed the RKM Server webserver SSL server certificate.
Resolution
1. Save the two CA certificates that signed the two webserver SSL server certificates (one for the old RKM Server, one for the migrated/new RKM Server) into two separate PEM-format files. In the steps below these files are called RootCAold.pem and RootCAnew.pem.
2. Use OPENSSL to dump ONLY the client certificate and key from the existing PKCS#12 to a temp file (use the original password for p12 on all prompts):
C:\...\OpenSSL>openssl pkcs12 -clcerts -in RKMClientCertKey.p12 -out RKMClientCertKeyONLY.pem
3. Use OPENSSL to create a new PKCS#12 (RKMClientCertKeySource.p12) containing the client certificate/key and only the old RKM Server's CA certificate (RootCAold.pem). Use the original p12 password at all prompts:
C:\...\OpenSSL> openssl pkcs12 -export -in RKMClientCertKeyONLY.pem -out RKMClientCertKeySource.p12 -certfile RootCAold.pem
4. Similarly, use OPENSSL to create another PKCS#12 (RKMClientCertKeyTarget.p12) containing the client certificate/key and only the new RKM Server's CA certificate (RootCAnew.pem). Use the original p12 password at all prompts:
C:\...\OpenSSL> openssl pkcs12 -export -in RKMClientCertKeyONLY.pem -out RKMClientCertKeyTarget.p12 -certfile RootCAnew.pem
5. Update input/source.cfg and set kms.sslPKCS12File to point to RKMClientCertKeySource.p12 (this file contains the client cert/key and only RootCAold.pem).
6. Similarly, update input/target.cfg and set kms.sslPKCS12File to point to RKMClientCertKeyTarget.p12 (this file contains the client cert/key and only RootCAnew.pem).
7. Run the verify tool again. It should now validate the keys successfully, because the HTTPS connections to both the old and the new RKM Server can be established.
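The following script is an added example, not part of the original article and not an RSA tool. It walks through steps 2 to 4 above with OpenSSL and adds the check a practitioner wants before editing source.cfg/target.cfg: confirming that each rebuilt PKCS#12 holds exactly one CA certificate, and that it is the intended one. The CAs, the client certificate/key, the password "changeit" and the file names other than those used in the article are constructed for the demonstration; in a real migration RKMClientCertKey.p12, RootCAold.pem and RootCAnew.pem come from the deployment and the original p12 password is used.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): rebuilds a PKCS#12 so that it carries
# the client certificate/key plus exactly ONE CA certificate, which is what
# RKM Client 1.5.x needs. The CAs, client material and password below are
# constructed for the demonstration; in a real migration RKMClientCertKey.p12,
# RootCAold.pem and RootCAnew.pem come from the deployment.
set -eu

PASS="changeit"   # constructed; use the original p12 password in practice

# Step 2: dump only the client certificate and private key (no CA certs).
split_client_only() {            # args: IN.p12 OUT.pem
  openssl pkcs12 -clcerts -in "$1" -out "$2" \
    -passin "pass:$PASS" -passout "pass:$PASS"
}

# Steps 3/4: repackage the client cert/key with a single CA certificate.
build_p12() {                    # args: CLIENT.pem CA.pem OUT.p12
  openssl pkcs12 -export -in "$1" -certfile "$2" -out "$3" \
    -passin "pass:$PASS" -passout "pass:$PASS"
}

# Check: how many CA (non-client) certificates does a bundle hold?
count_ca_certs() {               # args: FILE.p12 -> prints a number
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Check: SHA-256 fingerprint of the (first) CA certificate in a bundle.
ca_fingerprint() {               # args: FILE.p12
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$PASS" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Check: SHA-256 fingerprint of a PEM certificate, for comparison.
pem_fingerprint() {              # args: FILE.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Build constructed inputs in DIR and run steps 2-4 against them.
run_demo() {                     # args: DIR
  mkdir -p "$1"
  (
    cd "$1"
    # Constructed: two self-signed CAs standing in for the issuers of the old
    # and new RKM Server webserver certificates, and a self-signed client cert.
    for n in old new; do
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "ca-$n.key" -out "RootCA$n.pem" -subj "/CN=RKM $n CA" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout client.key -out client.crt -subj "/CN=rkm-client" 2>/dev/null
    # The "existing" PKCS#12 from the article: client cert/key plus BOTH CAs,
    # which is the situation RKM Client 1.5.x cannot handle.
    cat RootCAold.pem RootCAnew.pem > both-cas.pem
    openssl pkcs12 -export -in client.crt -inkey client.key \
      -certfile both-cas.pem -out RKMClientCertKey.p12 -passout "pass:$PASS"

    split_client_only RKMClientCertKey.p12 RKMClientCertKeyONLY.pem
    build_p12 RKMClientCertKeyONLY.pem RootCAold.pem RKMClientCertKeySource.p12
    build_p12 RKMClientCertKeyONLY.pem RootCAnew.pem RKMClientCertKeyTarget.p12
  )
}

# Stand-alone usage: sh rebuild_p12.sh /tmp/rkm-p12-demo
if [ -n "${1:-}" ]; then
  run_demo "$1"
  echo "original bundle CA certs: $(count_ca_certs "$1/RKMClientCertKey.p12")"
  echo "source bundle CA certs:   $(count_ca_certs "$1/RKMClientCertKeySource.p12")"
  echo "target bundle CA certs:   $(count_ca_certs "$1/RKMClientCertKeyTarget.p12")"
fi
```

Run `count_ca_certs` and `ca_fingerprint` against the real RKMClientCertKeySource.p12 and RKMClientCertKeyTarget.p12 before pointing kms.sslPKCS12File at them: the count must be 1 and the fingerprint must match RootCAold.pem or RootCAnew.pem respectively. One caveat that is an assumption rather than something the article states: OpenSSL 3.x encrypts new PKCS#12 files with AES-256-CBC and PBKDF2 by default, which very old Java runtimes cannot read; if the RKM Client rejects the rebuilt bundle, regenerate it with `openssl pkcs12 -export -legacy ...` on OpenSSL 3 (OpenSSL 1.1 and earlier already use the older algorithms by default).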