KeyMaster messages in Liberator’s event log
The following messages relating to KeyMaster authentication can appear in the Liberator event log file (var/event-rttpd.log
):
- INFO: Token <[token]> is validated for <[key_id]> testkey
-
The specified user credentials token called
[token]
has been successfully validated. - NOTIFY: Signature expired for key_id [key id] - [timestamp] denying login
-
A KeyMaster token’s timestamp is older than the number of seconds specified in the
signature-validtime
config item or thetimeout
option of theadd-sigkey
configuration item inrttpd.conf
.Make sure that clock on the server running the Liberator is synchronised with the clock on the server where KeyMaster Signature Generator is running. If the clocks on these two servers are set to different times, the Liberator may falsely decide that a user credentials token has expired (it is likely to reject all user credentials tokens for this reason).
- ERROR: Cannot load keyfile <[filename]>
-
The DER format public key file called
[filename]
, specified inrttpd.conf
, is missing, corrupt or in the wrong format.Check that the key file configuration is specified correctly in
rttpd.conf
. Look at thekey-id
configuration option in theadd-sigkey
item group. - ERROR: Could not find key_id [key id]
-
When the Auth Module asked for a check on a user credentials token, the
key-id
was found to be unknown.Check that the
key-id
options match betweenrttpd.conf
and the Auth Module configuration file (for example theusers.xml
file). Look inrttpd.conf
at thekey-id
configuration item in theadd-sigkey
item group; inusers.xml
look at thesigkey-id
attribute for each<USER>
tag. - ERROR: Malformed token <[KeyMaster token]> for key_id [key id]
-
The user credentials token provided to the Liberator is in the wrong format. In Standard KeyMaster it has the following format:
<base64 encoded signature><timestamp><sequence number>
- ERROR: Token verification failed for key_id [key id] <[token]>
-
The user credentials token failed to verify upon decryption. Either the key used to decrypt the signature does not match the key that KeyMaster used to encrypt it, or the token has been tampered with or corrupted in some way.
- ERROR: Malformed timestamp for key_id [key id] <[token]>
-
The timestamp in the user credentials token is badly formed. It should have the format
YYYYMMDDHHMMSS
(for example,20050126122011
). - ERROR: Token [token] has already logged in for key_id [key id]
-
The user credentials token has already been used; a token can only be used once.
- CRITICAL: Could not locate key file <etc/publickey1.der> for add-sigkey/key-id < testkey >
-
The entry in the
rttpd.conf
file for the public key could not be mapped to a DER public key file in the specified (or default) directory. Either therttpd.conf
entry is invalid, or the key file is missing.Look in
rttpd.conf
at thekeyfile
configuration item in theadd-sigkey
item group. Check that the specified name and directory of the DER public key file match the name and location of the actual file.Check that the key file is actually present in the specified location.
The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it). - CRITICAL: No keyfile defined for add-sigkey/key-id < testkey >
-
The entry in the
rttpd.conf
file for the public key does not specify a key file.Look in
rttpd.conf
at theadd-sigkey
configuration item group; make sure that there is akeyfile
configuration item in this group (see Modifying the Liberator configuration file ).The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it). - CRITICAL: No key-id for an add-sigkey configuration group
-
The entry in the
rttpd.conf
file for the public key does not specify a key id.Look in
rttpd.conf
at theadd-sigkey
configuration item group; make sure that there is akey-id
configuration item in this group (see Modifying the Liberator configuration file ).The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it). - ERROR: 4012903328:error:0407006A: rsa routines: RSA_padding_check_PKCS1_type_1: block type is not 01:rsa_pk1.c:100: ERROR:4012903328:error:04067072: rsa routines: RSA_EAY_PUBLIC_DECRYPT: padding check failed: rsa_eay.c:699: ERROR: Token verification failed for key_id <testkey>
-
The public / private key token verification has failed.
Verify that the private and public keys used in KeyMaster and the Liberator Auth Module are valid.
Check that the
publickey.der
file referenced in therttpd.conf add-sigkey
configuration item group is not corrupt. This is a binary file which can be corrupted if it is transferred via ftp in ASCII mode.