This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Access Manager Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by RSA Access Manager experts.

"Token error" in aserver.log and "Discarding still valid key" error in dispatcher.log

Article Number

000029699

Applies To

RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
Platform: Windows
Platform (Other): null
O/S Version: Customer doesn't know/not sure-see notes
Product Name: null
Product Description: null

Issue

The following error occurs in the aserver.log

'sequence_number=43,2014-07-10 11:49:00:352 EDT,messageID=1031,user=user1,client_ip_address=10.10.10.25,client_port=58600,browser_ip_address=10.10.10.26,result_code=0,result_action=User Token Failed,result_reason=Token error'

The following error occurs in the dispatcher.log

sequence_number=XX,date=xxxx-xx-xx xx:xx:xx:xxx PST,messageID=-2,event_type=Internal Error,event_description=Discarding still valid key because MAX_NUM_KEYS threshold (15) has been exceeded.

Cause

Token errors can occur for a variety of reasons and will occur nominally due to clients submitting outdated cookies.   If token errors are also associated with the error message "Discarding still valid key because" then their is a problem with the keyserver configuration. 

This error occurs if the ratio of key generation and key lifetime is not set according to the recommendations in the keyserver.conf file.  The keyserver can only store a maximum of 15 keys and if the number of stored keys exceeds this value still valid keys may be discarded.  This is a fatal condition and the keyserver.conf file must be changed.

 

Resolution

Ensure that the ratio of token_lifetime to session_key_life is exactly 2:1  (Note the documentation says the values should be "at least" twice but the recommendation is to set them exactly to twice.   In most situations we recommend using the default values.  
  
# Sets the allowable idle time for a given single sign-on token.
# This setting determines how long the Key Server must hold on to
# keys that are no longer used for encryption but still are valid
# for decryption.
#
# Allowed Values:
#   Any positive integer followed by a space and one of the following
#   time identifiers: hour | mins | secs.
#
# Default Value:
#   1 hour
#
# Dependencies:
#   The value set here should be greater than the sum of .idle_timeout
#   and .post_url_idle_ timeout parameters in the webagent.conf file of
#   RSA Access Manager Agents. It must also be set to at least twice the 
#   value of .session_key_life in order to prevent possible token 
#   decryption failure.
#
#   The value set here should match the value set for 
#   cleartrust.aserver.logoff.session_expiration_time in aserver.conf
#
cleartrust.keyserver.token_lifetime=1 hour

# Specifies how long a session key is valid for encrypting new
# single sign-on (SSO) tokens.
#
# Allowed Values:
#   Any positive integer followed by a space and one of the following
#   time identifiers: hour | mins | secs.
#
# Default Value:
#   30 mins
#
# Dependencies:
#   See the description of .token_lifetime.
#
cleartrust.keyserver.session_key_life=30 mins
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-13 08:27 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.