SecurID® Governance & Lifecycle Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.
Article Number
000039237
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0
RSA Version/Condition: 7.2.0
Issue
Multiple Remote AFX Server failures may occur after upgrading to RSA Identity Governance & Lifecycle 7.2.0.
SYMPTOMS:
Image description
Clicking OK to save the definition results in the following error:
Image description
In all these cases, the common denominator is the following error logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log😞
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
SYMPTOMS:
- Remote AFX Servers go into a Not Running state in the user interface (AFX > Servers).
- Download Server Archive for Remote AFX Servers fails to download (AFX > Servers > {AFX Server name} > Download Server Archive). The AFX tab may become inaccessible after such an attempt.
- When attempting to create a remote AFX Server (AFX > Servers > Create Server), the Server definition cannot be saved and the remote AFX Server cannot be created.
Image descriptionClicking OK to save the definition results in the following error:
Unable to save Server
Image descriptionIn all these cases, the common denominator is the following error logged to the aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log😞
03/27/2019 05:36:48.196 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.197 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData]
com.aveksa.server.db.PersistenceException:
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185)
at com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData.handleSubmit(BaseEditServerAgentPageData.java:101)
at com.aveksa.afx.ui.pages.agent.edit.CreateServerAgentPageData.handleSubmit(CreateServerAgentPageData.java:30)
at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:605)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:186)
at com.aveksa.gui.core.MainManager.doGet(MainManager.java:130)
at com.aveksa.gui.core.MainManager.doPost(MainManager.java:428)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:62)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.197 ERROR (default task-38) [com.aveksa.server.certificates.CertificateManager]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.200 ERROR (default task-38) [com.aveksa.afx.server.service.AFXServerAgentServiceProvider]
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
03/27/2019 05:36:48.205 ERROR (default task-38) [com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData]
com.aveksa.server.db.PersistenceException:
Issuer key identifier for the subject and the Subject key identifier for the issuer must be the same
at com.aveksa.afx.server.service.AFXServerAgentServiceProvider.createServerAgent(AFXServerAgentServiceProvider.java:185)
at com.aveksa.afx.ui.pages.agent.edit.BaseEditServerAgentPageData.handleSubmit(BaseEditServerAgentPageData.java:101)
at com.aveksa.afx.ui.pages.agent.edit.CreateServerAgentPageData.handleSubmit(CreateServerAgentPageData.java:30)
at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:605)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:186)
at com.aveksa.gui.core.MainManager.doGet(MainManager.java:130)
at com.aveksa.gui.core.MainManager.doPost(MainManager.java:428)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:62)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
Cause
Starting with RSA Identity Governance & Lifecycle 7.2.0, Root (Server) and Client Certificates are now RFC-5280 compliant. See RSA Knowledge Base Article 000039236 -- Root (Server) and Client Certificates are RFC-5280 compliant starting in version 7.2.0 of RSA Identity Governance & Lifecycle for more information.
This issue occurs after an RSA Identity Governance & Lifecycle upgrade to version 7.2.0 from a previous version and the server and client certificates have not been regenerated.
This issue occurs after an RSA Identity Governance & Lifecycle upgrade to version 7.2.0 from a previous version and the server and client certificates have not been regenerated.
Resolution
Regenerate the server and client certificates as instructed in RSA Knowledge Base Article 000038314 -- How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.
In this article
