Security token file expires and is unable to connect to a secure metaspace.

Security token file expires and is unable to connect to a secure metaspace.

book

Article ID: KB0093993

calendar_today

Updated On:

Products Versions
TIBCO ActiveSpaces -
Not Applicable -

Description

Description:
When a token file expires, applications are unable to connect to a metaspace and will log the following exception in as-agent (manager or discovery as-agents log files).


2016-05-04 09:46:32.864 ERROR ActiveSpaces Metaspace Manager - Could not connect to Metaspace ts: SYS_ERROR  (security_config_error - Invalid token identity: Id time validity error [/CN=Requestor-1-93BB2C4B] [valid after: Jan 21 20:31:33 2016 GMT, before: Apr 20 21:31:33 2016 GMT] at line [21])

[2016-05-06T11:49:31.307][12079][1088448832][ERROR][transport][Tcp.cpp:565][select] [unhandled_exception]

<Exception>


1). Domain.cpp: 407: checkTrusted: untrusted_credential - Untrusted identity [/CN=REQUESTOR-D34095B5]
2). Controller.cpp: 460: checkTrusted
3). TcpListenSocket.cpp: 214: accept
</Exception>

If you try to validate the token, you will see the following exception.


as-admin> validate token_file "token.txt"

Token password:xxxxxx

SYS_ERROR (action_failed -

    Failed Command: validate token_file "token.txt"

    Cause: security_config_error

    Message: Invalid token identity: Id time validity error [/CN=Requestor-1-93BB2C4B] [valid after: Jan 21 20:31:33 2016 GMT, before: Apr 20 21:31:33 2016 GMT] at line [21]
)




Resolution

Steps to follow.


Case 1: transport_access is "false" in the policy file.

  1. Create a new token file from the policy file.
  2. If transport_access is "false" in policy file.
  3. Validate token file from as-admin.
  4. Connect applications using the new token file.

Case 2: transport_access is "true" in the policy file and cert_file. 

  1. Create a new token file from the policy file.
  2. If transport_access is "true" in policy, the file cert_file used.
  3. Validate the token file from as-admin.
  4. Refer to "https://docs.tibco.com/pub/activespaces/2.1.6/doc/pdf/tib_activespaces_developer.pdf", specifically the "Restricting Transport Access" section.
  5. Remove the expired public certificate from the trusted certificate.
  6. Copy and paste the public certificate from the security token file into the trusted certificates file. The public certificate is in the security token file between and including:
  7. -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE----
  8. Save the trusted certificates file.
  9. Start an as-agent security domain controller using the security policy file name when connecting to the metaspace.
  10. Connect applications using the new token file.

Issue/Introduction

Security token file expires and is unable to connect to a secure metaspace.

Additional Information

Refer "https://docs.tibco.com/pub/activespaces/2.1.6/doc/pdf/tib_activespaces_developer.pdf"  Restricting Transport Access section
Powered by Wolken Software