Comment: Version published after converting to the new editor

About Security Server Proxy Error Messages

...

Error code (type / faultCode) | Error message (message / faultString) | Description
Server.ClientProxy.UnknownMember


The request contains invalid client or service identifier.


Client 'SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode' not found

In case the client is not found, the client specified in the request is not registered on the consumer side Security Server (2). More information about registering clients can be found here.

Could not find addresses for service provider 'SERVICE:instanceIdentifier/memberClass/memberCode/subsystemCode/serviceCode'

In case addresses for service provider are not found, there's an error in the service identifier. Please make sure that the value of the service identifier in the request is correct and corresponds to the information registered on the service provider's Security Server (3).
Server.ClientProxy.NetworkError



Could not connect to any target host ([https://<TARGET_HOST>:5500/])

The consumer side Security Server (2) is not able to establish a network connection to the provider side Security Server (3). The problem is usually caused by incorrect firewall configurations.

On the consumer side Security Server (2), outgoing traffic to the provider side Security Server's (3) ports 5500 and 5577 must be allowed. On the provider side Security Server (3), incoming traffic to ports 5500 and 5577 from the consumer side Security Server (2) must be allowed.

More information about required firewall configurations can be found in the Security Server installation guides for Ubuntu and RHEL.


Name or service not known. No address associated with hostname.

DNS lookup of the provider side Security Server (3) fails, because the server is registered with a wrong public FQDN name. Contact the administrator of the provider side Security Server (3).
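
The two Server.ClientProxy.NetworkError messages above point at different layers, DNS and TCP. The following is an added example, not part of the original page or of X-Road itself, that separates them when run on the consumer side Security Server (2); the function names `check_provider` and `probe` and the report format are hypothetical, and only the ports 5500 and 5577 come from the page.

```python
import socket
import sys

# Ports the page lists: consumer side Security Server (2) -> provider side (3).
XROAD_PORTS = (5500, 5577)


def probe(addresses, port, timeout):
    """Return 'open' if any resolved address accepts a TCP connection on port."""
    state = "no address"
    for addr in addresses:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                return "open"
        except socket.timeout:
            state = "timeout"      # packets silently dropped, typical of a firewall DROP
        except ConnectionRefusedError:
            state = "refused"      # host reachable; nothing listening or a REJECT rule
        except OSError as exc:
            state = f"error: {exc.strerror or exc}"
    return state


def check_provider(host, ports=XROAD_PORTS, timeout=3.0, resolve=socket.getaddrinfo):
    """Separate the DNS failure from the TCP failure for one provider host."""
    report = {"host": host, "addresses": [], "ports": {}, "hint": ""}
    try:
        infos = resolve(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Corresponds to "Name or service not known. No address associated with hostname."
        report["hint"] = f"DNS lookup failed ({exc}): check the provider's registered FQDN"
        return report
    report["addresses"] = sorted({info[4][0] for info in infos})
    for port in ports:
        report["ports"][port] = probe(report["addresses"], port, timeout)
    blocked = [p for p, state in report["ports"].items() if state != "open"]
    if blocked:
        # Corresponds to "Could not connect to any target host (...)".
        report["hint"] = f"no TCP connection to port(s) {blocked}: check firewall rules on both sides"
    else:
        report["hint"] = "DNS and TCP checks passed"
    return report


if __name__ == "__main__":
    # Usage: python3 check_provider.py <provider-fqdn>; run it on the consumer side server.
    print(check_provider(sys.argv[1]))
```

A "timeout" result usually means packets are being dropped on the path, while "refused" means the host answered but the port is closed or rejected.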
Server.ClientProxy.CannotCreateSignature.Signer.TokenNotActive

Token 'softToken' not active

More information.
Server.ClientProxy.ServiceFailed.InternalError

Cause of the error, for example:

  • Invalid instance identifier: instanceIdentifier
Processing the request failed because of an internal error on the consumer side Security Server (2). Check the proxy (2) application log (/var/log/xroad/proxy.log) for details. In case more detailed logging is required, adjust the proxy (2) logging levels.
Server.ClientProxy.SslAuthenticationFailed




Security server has no valid authentication certificate

The consumer side Security Server (2) does not have a valid authentication certificate. The authentication certificate may not exist, it may be disabled, it may not be registered or it may not have a valid OCSP status. To fix the problem, please try the following actions:

  • Make sure the authentication certificate is imported into the Security Server (2). More information.
  • Make sure the certificate is active. More information.
  • Make sure the certificate is registered. More information.
  • If the OCSP status of the authentication certificate is not in the 'good' state, then the Security Server (2) cannot use the certificate. The OCSP status can be checked in the Keys & Certificates view of the Security Server (2). More information.
  • Verify that the soft token holding the authentication certificate is available and logged in. The token status can be checked in the Keys & Certificates view of the Security Server (2). More information.

Service provider did not send correct authentication certificate

The provider side Security Server (3) does not have a valid authentication certificate. The authentication certificate may not exist, it may be disabled, it may not be registered or it may not have a valid OCSP status. To fix the problem, please try the following actions:

  • Make sure the authentication certificate is imported into the Security Server (3). More information.
  • Make sure the certificate is active. More information.
  • Make sure the certificate is registered. More information.
  • If the OCSP status of the authentication certificate is not in the 'good' state, then the Security Server (3) cannot use the certificate. The OCSP status can be checked in the Keys & Certificates view of the Security Server (3). More information.
  • Verify that the soft token holding the authentication certificate is available and logged in. The token status can be checked in the Keys & Certificates view of the Security Server (3). More information.

Alternatively, the authentication certificate returned by the provider side Security Server (3) does not match the authentication certificate that has been registered to that Security Server in the global configuration. This may happen when the provider side Security Server (3) uses an external load balancer that has not been configured to use SSL passthrough.


Client (SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode) specifies HTTPS but did not supply TLS certificate

More information.

Client (SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode) specifies HTTPS NO AUTH but client made plaintext connection

The connection type of the client subsystem used by the service consumer (1) is set to HTTPS NO AUTH on the consumer side Security Server (2), but the service consumer (1) tried to establish a connection using http. The HTTPS NO AUTH connection type enforces the use of https, but the client TLS certificate is not verified by the Security Server (2). In other words, https is used without mutual TLS authentication (mTLS).

More information.

Server.ClientProxy.IOError

Could not find any certificates for member 'SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode'. Are you sure tokens containing the certifications are logged in?

The member owning the subsystem that's used as a client of the request does not have a valid sign certificate on the consumer side Security Server (2). The sign certificate may not exist, it may be disabled or it may not have a valid OCSP status. To fix the problem, please try the following actions:

  • Make sure the sign certificate is imported into the Security Server (2). More information.
  • Make sure the certificate is active. More information.
  • If the OCSP status of the sign certificate is not in the 'good' state, then the Security Server (2) cannot use the certificate. The OCSP status can be checked in the Keys & Certificates view of the Security Server (2). More information.
  • Verify that the token holding the sign certificate is available and logged in. The token status can be checked in the Keys & Certificates view of the Security Server (2). More information.
Server.ClientProxy.LoggingFailed.TimestamperFailed


Cannot time-stamp messages: no timestamping services configured

Time-stamping of messagelog records failed, because no time-stamping service has been configured on the consumer side Security Server (2). More information on how to configure a time-stamping service.


Cannot time-stamp messages

Time-stamping of messagelog records may fail for several reasons:

  • the consumer side Security Server (2) is not able to establish a network connection to the time-stamping service, e.g., because of an incorrect firewall configuration. More information on how to check the time-stamping service connection status.
  • the time-stamping service is not currently available. Check the proxy (2) application log (/var/log/xroad/proxy.log) for details. In case more detailed logging is required, adjust the proxy (2) logging levels.
Server.ClientProxy.OutdatedGlobalConf

Global configuration is expired

The consumer side Security Server (2) is not able to download global configuration from the Central Server and the local copy of the global configuration has expired. Check the configuration client (2) application log (/var/log/xroad/configuration_client.log) for details. In case more detailed logging is required, adjust the configuration client (2) logging levels.

You can also try to restart the "xroad-confclient" process.

$ systemctl restart xroad-confclient

It is also possible that the consumer side Security Server (2) is not able to establish a network connection to the Central Server, e.g., because of an incorrect firewall configuration. More information on how to check the global configuration download connection status.

Server.ClientProxy.LoggingFailed.InternalError

Writing messages to the message log database fails on the consumer side Security Server (2).


Ask timed out on [Actor[akka://Proxy/user/LogManager#2110275378]] after [40000 ms]. Sender [null] sent message of type "ee.ria.xroad.common.messagelog.LogMessage"

This may happen because the Security Server (2) is overloaded or the hard disk is full. Check the CPU load and free disk space of the server (2). Restarting the server may also help.


Futures timed out after [40 seconds]

This may happen because the Security Server (2) is overloaded. Check the CPU load of the server (2). Restarting the server (2) may also help.

...