How to get more verbose logs for CMP Server in RSA Certificate Manager
Originally Published: 2013-06-04
Applies To
Certificate Management Protocol (CMP)
Issue
Detailed logging for CMP Server
Resolution
Edit the CMP Server configuration file, RSA_CM/CmpServer/conf/cmp.conf, and set the following parameters as shown:
loglevel=3
tracedetail=high
The CMP Server logs are found in the following locations:
- RSA_CM/CmpServer/bin/cmptrace.log (if tracefile in cmp.conf is set to the default "cmptrace.log")
- /var/log/messages (syslog logfile on Linux/Solaris platforms)
- Windows Event Viewer Application logs on Windows platforms
In addition to the logs generated by RCM CMP Server, using tools such as Wireshark or tcpdump to capture network packets can be helpful in troubleshooting CMP messages (sent between CMP Client and CMP Server) at the protocol level.
For example, network packets captured by Wireshark and saved into a file, say testcapture.pcap, can be reviewed for CMP transactions as follows:
- Open the saved capture file in Wireshark.
- Select an HTTP transaction row that carries a CMP transaction over HTTP, right-click it, and select Decode As (HTTP).
- Apply the display filter cmp to show the CMP messages.
Here's an example of what a CMP transaction may look like:
No. Time Source Destination Protocol Length Info
20 2013-05-30 10:27:18.578356 100.101.44.88 100.101.44.143 CMP 316 PKIXCMP Status=rejection Body=error
Certificate Management Protocol
    header
        pvno: cmp2000 (2)
        sender: 4
        recipient: 4
        protectionAlg (PasswordBasedMac)
        senderKID: 31
        transactionID: 876e32d1819e9ddf
        senderNonce: e99c236487e9b0f5150d03f6ee810112
        recipNonce: 01000080feffffff0100008001000080
    body: error (23)
        error
            pKIStatusInfo
                status: rejection (2)
                statusString: 1 item
                    PKIFreeText item: Response for Polling request from CA contains invalid DER encoding
                Padding: 5
                failInfo: 20 (badRequest)
                    0... .... = badAlg: False
                    .0.. .... = badMessageCheck: False
                    ..1. .... = badRequest: True
                    ...0 .... = badTime: False
                    .... 0... = badCertId: False
                    .... .0.. = badDataFormat: False
                    .... ..0. = wrongAuthority: False
                    .... ...0 = incorrectData: False
                    0... .... = missingTimeStamp: False
                    .0.. .... = badPOP: False
                    ..0. .... = certRevoked: False
                    ...0 .... = certConfirmed: False
                    .... 0... = wrongIntegrity: False
                    .... .0.. = badRecipientNonce: False
                    .... ..0. = timeNotAvailable: False
                    .... ...0 = unacceptedPolicy: False
                    0... .... = unacceptedExtension: False
                    .0.. .... = addInfoNotAvailable: False
                    ..0. .... = badSenderNonce: False
                    ...0 .... = badCertTemplate: False
                    .... 0... = signerNotTrusted: False
                    .... .0.. = transactionIdInUse: False
                    .... ..0. = unsupportedVersion: False
                    .... ...0 = notAuthorized: False
                    0... .... = systemUnavail: False
                    .0.. .... = systemFailure: False
                    ..0. .... = duplicateCertReq: False
    Padding: 0
    protection: 82d1134600d67ff24f2c52a0c922dbd8ee911c40
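When a capture holds many CMP messages, the rejections can be summarized from a plain-text export of the packet dissection. The following is an added example, not part of the original article or of RSA Certificate Manager; the function names are hypothetical, and it assumes the failInfo value is printed as hex bytes, which is consistent with the bit view in the dissection shown above.

```python
import re

# PKIFailureInfo flag names in bit order (bit 0 first), as listed on this page.
FAIL_BITS = """badAlg badMessageCheck badRequest badTime badCertId badDataFormat
wrongAuthority incorrectData missingTimeStamp badPOP certRevoked certConfirmed
wrongIntegrity badRecipientNonce timeNotAvailable unacceptedPolicy
unacceptedExtension addInfoNotAvailable badSenderNonce badCertTemplate
signerNotTrusted transactionIdInUse unsupportedVersion notAuthorized
systemUnavail systemFailure duplicateCertReq""".split()

def decode_fail_info(hex_value):
    """Map the hex bytes of a failInfo BIT STRING to flag names (bit 0 = MSB)."""
    data = bytes.fromhex(hex_value)
    return [name for i, name in enumerate(FAIL_BITS)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))]

def summarize(dissection):
    """Return one dict per CMP message in a Wireshark plain-text export."""
    messages = []
    parts = re.split(r"(?m)^\s*Certificate Management Protocol\s*$", dissection)
    for block in parts[1:]:
        def field(name):
            m = re.search(rf"(?m)^\s*{name}: (.+?)\s*$", block)
            return m.group(1) if m else None
        fail = field("failInfo")
        messages.append({
            "transactionID": field("transactionID"),
            "status": field("status"),
            "text": field("PKIFreeText item"),
            "failInfo": decode_fail_info(fail.split()[0]) if fail else [],
            # Flags the dissector printed as True, kept for cross-checking.
            "flagged": re.findall(r"= (\w+): True", block),
        })
    return messages

# Constructed sample: an excerpt of the dissection shown on this page.
SAMPLE = """\
Certificate Management Protocol
transactionID: 876e32d1819e9ddf
status: rejection (2)
PKIFreeText item: Response for Polling request from CA contains invalid DER encoding
failInfo: 20 (badRequest)
..1. .... = badRequest: True
.... ...0 = incorrectData: False
"""

if __name__ == "__main__":
    for message in summarize(SAMPLE):
        print(message)
```

A mismatch between the decoded failInfo list and the flagged list for a message means the export was truncated or the hex assumption does not hold for that capture.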