Article Number
000045111
Applies To
RSA Product Set: RSA SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
When end users try to import an RSA SecurID software token to their device using CT-KIP, the import fails. The end user sees the following error:
Token import failed. Verify that the information entered is correct or contact your administrator.
The System Activity Monitor shows the following errors while trying to import the token:
Administrator “SYSTEM” attempted to execute command “com.rsa.authmgr.internal.ctkip.command.ProcessCTKIPClientRequestCommand”
<EJB exception occurred during invocation from home or business: com.rsa.command.CommandServerEjb30_vraifm_Intf generated exception: com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: com.rsa.common.SystemException: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.common.SystemException:
com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort
Caused by: com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT_KIP clientNonceRequest com.rsa.authmgr.internal.ctkip.common.CTKIPServiceFailureException: Failed to process CT-KIP clientNonceRequest. Status code = Abort>
Cause
When a customer requests an updated replacement license for Authentication Manager, typically to replace the original sdti.cer certificate that expired in November 2017 (or for any other reason), the newer License.zip file has an issue during deployment on the primary: the defaultRSAToolbar certificate and key pair contained in the license .zip file is not parsed out and imported into the proper keystore on Authentication Manager. This results in the CT-KIP failures. This KB explains how to manually import the files needed to correctly import software tokens with CT-KIP.
Resolution
- Download a new copy of your RSA Authentication Manager license from https://my.rsa.com/. Follow steps in 000038632 - Downloading RSA Authentication Manager license files or RSA Software token seed records.
Because all of the license files available on myRSA have been updated, you must download the new license even if you have an older copy of the license files stored locally.
- Create a Backup Using Back Up Now.
- Enable SSH on the primary RSA Authentication Manager server.
- Using WinSCP, copy the defaultRSAToolbar.cer and defaultRSAToolbar.key from the newly downloaded license to /tmp on the primary RSA Authentication Manager server.
- Launch an SSH client, such as PuTTY.
- Log in to the primary RSA Authentication Manager server as rsaadmin and enter the operating system password.
A different username may have been selected during Quick Setup; if so, use that username to log in.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Mon Apr 20 16:39:41 2020 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
- Get the database password. The password string is different for each deployment of RSA Authentication Manager.
rsaadmin@primary:> /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
com.rsa.db.dba.password: u2Z8iMYLWmaT2hgdIdNUjBLFKiMnJw
- Capture the com.rsa.db.dba.password in the output above, then use it to access the database:
rsaadmin@primary:> /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password from above>
- Run the following SQL statement:
DELETE FROM rsa_rep.ims_config_value WHERE name LIKE '%ctkip.service.keystore%';
- Exit the database by typing \q, then run the following commands:
rsaadmin@primary:> cd /opt/rsa/am/utils
rsaadmin@primary:> ./rsautil install-ctkip-keystore -l /tmp -k defaultRSAToolbar.key -c defaultRSAToolbar.cer
- Restart the RSA Authentication Manager services:
rsaadmin@primary:> cd /opt/rsa/am/server
rsaadmin@primary:> ./rsaserv restart all
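The fix above only works if the freshly downloaded License.zip really does carry the defaultRSAToolbar certificate and key, and if both files reach /tmp intact before rsautil install-ctkip-keystore is run. The following pre-flight script is an added example for this KB, not RSA-provided tooling: it checks the archive for the two files the KB names (their location inside the zip, top level or a sub-folder, is an assumption), stages just those two files into a local directory for the WinSCP upload, and confirms the staged copies are non-empty. The sample archive it builds when run without arguments is constructed placeholder data, not a real license.

```python
"""Pre-flight check for the manual CT-KIP keystore import described in this KB.
Added example, not RSA-provided tooling."""
import io
import os
import sys
import tempfile
import zipfile

# These are the file names the KB says to copy to /tmp on the primary.
# Where they sit inside License.zip (top level or a sub-folder) is an assumption.
REQUIRED_FILES = ("defaultRSAToolbar.cer", "defaultRSAToolbar.key")


def _open_zip(license_zip):
    # Accept either a path or the raw bytes of the archive.
    src = io.BytesIO(license_zip) if isinstance(license_zip, bytes) else license_zip
    return zipfile.ZipFile(src)


def missing_ctkip_files(license_zip):
    """Return a tuple of required files that are absent (or zero bytes) in the archive.

    An empty tuple means the license download is usable for the keystore import;
    anything else means download the license from myRSA again.
    """
    with _open_zip(license_zip) as zf:
        present = {os.path.basename(info.filename): info.file_size
                   for info in zf.infolist() if not info.is_dir()}
    # A zero-byte entry is treated as missing: rsautil cannot import an empty key.
    return tuple(f for f in REQUIRED_FILES if present.get(f, 0) == 0)


def stage_ctkip_files(license_zip, dest_dir):
    """Extract only the two keystore files into dest_dir and return their paths.

    Entries are written under their basename, so an archive path such as
    ../../etc/x cannot escape dest_dir (zip-slip). dest_dir is the local
    equivalent of /tmp on the primary.
    """
    missing = missing_ctkip_files(license_zip)
    if missing:
        raise ValueError("license archive lacks: " + ", ".join(missing))
    written = []
    with _open_zip(license_zip) as zf:
        for info in zf.infolist():
            name = os.path.basename(info.filename)
            if name in REQUIRED_FILES and not info.is_dir():
                target = os.path.join(dest_dir, name)
                with zf.open(info) as fin, open(target, "wb") as fout:
                    fout.write(fin.read())
                written.append(target)
    return sorted(written)


def staged_files_ready(dest_dir):
    """True when both files exist in dest_dir and are non-empty, i.e. the state
    /tmp must be in before running rsautil install-ctkip-keystore."""
    paths = [os.path.join(dest_dir, f) for f in REQUIRED_FILES]
    return all(os.path.isfile(p) and os.path.getsize(p) > 0 for p in paths)


def constructed_license_zip(include_key=True, subfolder=""):
    """Build an in-memory stand-in for License.zip.

    Constructed sample data: the PEM bodies are placeholders, not real RSA
    material, and the extra entry only mimics other archive content.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(subfolder + "other-license-content.txt", "placeholder")
        zf.writestr(subfolder + "defaultRSAToolbar.cer",
                    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        if include_key:
            zf.writestr(subfolder + "defaultRSAToolbar.key",
                        "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python ctkip_preflight.py [path/to/License.zip]
    # Without an argument the constructed sample archive is checked instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_license_zip()
    missing = missing_ctkip_files(data)
    if missing:
        sys.exit("Download the license again; the archive lacks: " + ", ".join(missing))
    staging = tempfile.mkdtemp(prefix="ctkip-")
    for path in stage_ctkip_files(data, staging):
        print("staged", path)
    print("ready to copy to /tmp on the primary:", staged_files_ready(staging))
```

Run it on the workstation where the license was downloaded, before enabling SSH or touching the database; if it reports a missing file, the problem is the download, not the keystore, and the DELETE and rsautil steps will not help.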