AA Domain Key Expired

book

Article ID: 142334

calendar_today

Updated On:

Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort) CA Strong Authentication CA Rapid App Security CA Risk Authentication CA Advanced Authentication

Issue/Introduction

The following footprints are found in the arcotwebfort.log and the authentication fails due to the fact the Domain Key has expired

ArWFCacheException.  : Response Code: [5601] Reason Code: [6104] Detail: [ArWFDomainKeyConfigurationCache::getDomainKeyCrypter::Requested crypter is expired!. CfgName : [DefaultKeySym]]

The issue (authentication failures) is  happening because the Domain Key related to ArcotID Credentials has  expired, we can validate that by looking into the below Admin UI configuration screen -

1. Login to Admin Console with Global Admin privilege
2. Go to Services and Server configurations tab
3. Strong Authentication tab
4. Credential Key management and look for the validity end date of the default Domain key.



Cause

AA Credential Management key has expired. 

Environment

Release : 9.0. and 8.x

Component : AuthMinder(Arcot WebFort)

Resolution

The issue is happening because the Domain Key in ArcotID Crednetial is expired, we can validate that by looking into the below configuration -

1. Login to Admin Console with Global Admin privilege
2. Go to Services and Server configurations tab
3. Strong Authentication tab
4. Credential Key management and look for the validity end date of the default Domain key (in the Admin UI  screen shot below 12/22/2019). Make note of this date. The screen shot below shows validity expired on 12/22/2019 and note this key is marked with status as "Expired".

Apply Work Around if Issue Identified -

1. Go to Strong Auth database and look for table ARWFORGCONFIG
2. Look for CONFIGIDSTR value as DEFAULTKEYSYM and CONFIGNAME as DefaultKeySym
3. Note the value of CONFIGID from above output.
4. Look for the value of CONFIGID in ARWFCONFIG table.
5. Increase the CONFIGVALUESTR for validity end date (will be obvious as we noted the expired validity end date as say in our example above as 12/22/2019) by setting this date to a date in future. 

6. Restart the services.

Additional Information

This is strictly a guiding example for the workaround (with screen shots).

  1. Login as a Global Admin and then navigate to the “Services and Server Configuration” followed by “Strong Authentication” tab to get to the screen as shown below. Note down the “Validity End” as in this example 12/26/2019 04:12:40 (GMT-12:00)

 

2. Go to Strong Auth database and look for table ARWFORGCONFIG. Note down the “CONFIGID” where CONFIGCONTEXT is “DOMAIN_KEY” and CONFIGIDSTR value as DEFAULTKEYSYM and CONFIGNAME as DefaultKeySym. In this example “CONFIGID” is 1018.

 

3. Look for the value of CONFIGID (in this example “1018”) in ARWFCONFIG table and the expired date as in this example “12/26/2019” (in column CONFIGVALUESTR). This is the row we will be updating to extend the validity of the expired Domain Key

4. Increase the validity end date by updating this row in ARWFCONFIG table as shown below where we are extending the validity end to year 2039. The update query for this specific example  is as follows:

UPDATE ARWFCONFIG SET CONFIGVALUESTR = '12/26/2039/16/12/40/000' WHERE CONFIGID='1018' and CONFIGPARAMID='385'; 

 

4. Restart the services.

Attachments