How to Interpret Security Server Proxy Error Messages?
- Petteri Kivimäki
About Security Server Proxy Error Messages
The first step in the error resolution process is to understand where the error message originated in. Therefore, it is important to know what are the components involved in the message flow:
Service consumer
Consumer-side Security Server (client proxy)
Provider-side Security Server (server proxy)
Service provider.
Error messages may be generated by the Security Servers (2, 3) or the service provider information system (4). Error messages generated by the Security Server have a fixed interface-specific (SOAP / REST) structure. However, SOAP and REST error messages contain the same information regardless of the messaging interface. Error messages generated by the Security Server contain three fields:
Field | Description |
|---|---|
type (REST) faultCode (SOAP) | Error code that tells where the error originated in - client proxy (2) or server proxy (3) - and the type of the error. Errors starting with "Server.ClientProxy" originate in the consumer side client proxy (2). In this case, more detailed information can be found in the consumer side Security Server (2) proxy application log (/var/log/xroad/proxy.log). Errors starting with "Server.ServerProxy" originate in the provider side server proxy (3). In this case, more detailed information can be found in the provider side Security Server (3) proxy application log (/var/log/xroad/proxy.log). |
message (REST) faultString (SOAP) | More detailed description of the error. |
detail (REST) faultDetail (SOAP) | A unique ID that can be used to search additional information from the proxy application log (/var/log/xroad/proxy.log). |
For example, an error message generated by the client proxy on the consumer side Security Server (2):
REST/JSON Error Message
{
"type":"Server.ClientProxy.SslAuthenticationFailed",
"message":"Client (SUBSYSTEM:PLAYGROUND/COM/1234567-8/TestClient) specifies HTTPS but did not supply TLS certificate",
"detail":"2ea02d93-e0b8-4e2b-8c6e-fac20f53a3e3"
}REST/XML Error Message
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<error>
<type>Server.ClientProxy.SslAuthenticationFailed</type>
<message>Client (SUBSYSTEM:PLAYGROUND/COM/1234567-8/TestClient) specifies HTTPS but did not supply TLS certificate</message>
<detail>2ea02d93-e0b8-4e2b-8c6e-fac20f53a3e3</detail>
</error>SOAP Error Message
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>Server.ClientProxy.SslAuthenticationFailed</faultcode>
<faultstring>Client (SUBSYSTEM:PLAYGROUND/COM/1234567-8/TestClient) specifies HTTPS but did not supply TLS certificate</faultstring>
<faultactor />
<detail>
<faultDetail>b782c3a4-f279-43d1-8684-2af318ec2ca5</faultDetail>
</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>Also, errors may occur in the service provider information system (4). In that case, the service provider (4) is free to return any custom error message as long as it's aligned with the X-Road message protocol. In case an error message is returned and it does not follow the structure presented above, the error was generated by the service provider information system (4).
Consumer Side Security Server (2)
The table below contains the most common error messages originated in the consumer side Security Server (2) and their descriptions.
Please note that this is not an exhaustive list of all the errors generated by the Security Server proxy.
Error code (type / faultCode) | Error message (message / faultString) | Description |
|---|---|---|
Server.ClientProxy.UnknownMember | The request contains invalid client or service identifier. | |
Client 'SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode' not found | In case the client is not found, the client specified in the request is not registered on the consumer side Security Server (2). More information about registering clients can be found here. | |
Could not find addresses for service provider 'SERVICE:instanceIdentifier/memberClass/memberCode/subsystemCode/serviceCode' | In case addresses for service provider are not found, there's an error in the service identifier. Please make sure that the value ​​of the service identifier in the request is correct and corresponds to the information registered on the service provider's Security Server (3). | |
Server.ClientProxy.NetworkError | ||
Could not connect to any target host ([https://<TARGET_HOST>:5500/]) | The consumer side Security Server (2) is not able to establish a network connection to the provider side Security Server (3). The problem is usually caused by incorrect firewall configurations. On the consumer side Security Server (2), outgoing traffic to the provider side Security Server's (3) ports 5500 and 5577 must be allowed. On the provider side Security Server (3), incoming traffic to ports 5500 and 5577 from the consumer side Security Server (2) must be allowed. More information about required firewall configurations can be found in the Security Server installation guides for Ubuntu and RHEL. | |
Name or service not known. No address associated with hostname. | DNS lookup of the provider side Security Server (3) fails, because the server is registered with a wrong public FQDN name. Contact the administrator of the provider side Security Server (3). | |
Server.ClientProxy.CannotCreateSignature.Signer.TokenNotActive | Token 'softToken' not active | |
Server.ClientProxy.ServiceFailed.InternalError | Cause of the error, for example:
| Processing the request failed because of an internal error on the consumer side Security Server (2). Check the proxy (2) application log (/var/log/xroad/proxy.log) for details. In case more detailed logging is required, adjust the proxy (2) logging levels. |
Server.ClientProxy.SslAuthenticationFailed | ||
Security server has no valid authentication certificate | The consumer side Security Server (2) does not have a valid authentication certificate. The authentication certificate may not exist, it may be disabled, it may not be registered or it may not have a valid OCSP status. To fix the problem, please try the following actions:
| |
Service provider did not send correct authentication certificate | The provider side Security Server (3) does not have a valid authentication certificate. The authentication certificate may not exist, it may be disabled, it may not be registered or it may not have a valid OCSP status. To fix the problem, please try the following actions:
Alternatively, the authentication certificate returned by the provider side Security Server (3) does not match with the authentication certificate that has been registered to that Security Server in the global configuration. This may happen when the provider side Security Server (3) uses an external load balancer that has not been configured to use SSL passthrough. | |
Client (SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode) specifies HTTPS but did not supply TLS certificate | ||
Client (SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode) specifies HTTPS NO AUTH but client made plaintext connection | The connection type of the client subsystem used by the service consumer (1) is set to | |
Server.ClientProxy.IOError | Could not find any certificates for member 'SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode'. Are you sure tokens containing the certifications are logged in? | The member owning the subsystem that's used as a client of the request does not have a valid sign certificate on the consumer side Security Server (2). The sign certificate may not exist, it may be disabled or it may not have a valid OCSP status. To fix the problem, please try the following actions:
|
Server.ClientProxy.LoggingFailed.TimestamperFailed | ||
Cannot time-stamp messages: no timestamping services configured | Time-stamping of messagelog records failed, because no time-stamping service has been configured on the consumer side Security Server (2). More information on how to configure a time-stamping service. | |
Cannot time-stamp messages | Time-stamping of messagelog records may fail because of multiple reasons:
| |
Server.ClientProxy.OutdatedGlobalConf | Global configuration is expired | The consumer side Security Server (2) is not able to download global configuration from the Central Server and the local copy of the global configuration has expired. Check the configuration client (2) application log (/var/log/xroad/configuration_client.log) for details. In case more detailed logging is required, adjust the configuration client (2) logging levels. You can also try to restart the "xroad-confclient" process. Also, it's is possible that the consumer side Security Server (2) is not able to establish network connection to the Central Server, e.g., invalid firewall configurations. More information on how to check the global configuration download connection status. |
Server.ClientProxy.LoggingFailed.InternalError | Writing messages to the message log database fails on the the consumer side Security Server (2). | |
Ask timed out on [Actor [ akka: // Proxy / user / LogManager # 2110275378 ]] after [40000 ms]. Sender [null] sent message of type "ee.ria.xroad.common.messagelog.LogMessage" | This may happen because the Security Server (2) is over loaded or the hard disk is full. Check the CPU load and free disk space of the server (2). Restarting the server may also help. | |
Futures timed out after [40 seconds] | This may happen because the Security Server (2) is overloaded. Check the CPU load of the server (2). Restarting the server (2) may also help. |
Provider Side Security Server (3)
The table below contains the most common error messages originated in the provider side Security Server (3) and their descriptions.
Please note that this is not an exhaustive list of all the errors generated by the Security Server proxy.
Error code (type / faultCode) | Error message (message / faultString) | Description |
|---|---|---|
Server.ServerProxy.AccessDenied | Request is not allowed: SERVICE:instanceIdentifier/memberClass/memberCode/subsystemCode/serviceCode | |
Server.ServerProxy.ServiceFailed.MissingHeaderField | Malformed SOAP message: header missing | The response message returned by the service provider information system (4) is missing one or more mandatory SOAP headers. SOAP request and response messages must contain some X-Road specific headers. More information about the required headers can be found here. |
Server.ServerProxy.ServiceFailed.InvalidSoap | Cause of the error, for example:
| The service provider information system (4) returned a malformed SOAP message as a response. Check the proxy (3) application log (/var/log/xroad/proxy.log) for details. In case more detailed logging is required, adjust the proxy (3) logging levels. |
Server.ServerProxy.UnknownService | Unknown service: SERVICE:instanceIdentifier/memberClass/memberCode/subsystemCode/serviceCode | The service identified by the service code included in the request does not exist on the service provider's Security Server (3). Please make sure that the value ​​of the service code in the request is correct and corresponds to the information registered on the service provider's Security Server (3). |
Server.ServerProxy.ServiceFailed.HttpError | Cause of the error, for example:
| The service provider side Security Server (3) wasn't able to successfully connect to the service provider information system (4). Check the proxy (3) application log (/var/log/xroad/proxy.log) for details. In case more detailed logging is required, adjust the proxy (3) logging levels. |
Server.ServerProxy.ServiceFailed.InternalError | Processing the request failed because of an internal error on the provider side Security Server (3). | |
Signer.UnknownMember: Could not find any certificates for member'SUBSYSTEM:instanceIdentifier/memberClass/memberCode/subsystemCode'. Are you sure tokens containing the certifications are logged in? | On the provider side Security Server (3) there's a problem with the sign certificate of the member owning the service that is invoked. The sign certificate may not exist, it may be disabled or it may not have a valid OCSP status. To fix the problem, please try the following actions:
| |
Connection pool shut down | The provider side Security Server (3) is not able to access its database. Check the proxy (3) application log (/var/log/xroad/proxy.log) and Postgres log (/var/log/postgresql/) for details. In case more detailed logging is required, adjust the proxy (3) logging levels. | |
Server.ServerProxy.ServiceFailed.CannotCreateSignature | Failed to get signing info for member HttpError: Connection to Signer (port 5558) timed out | There's a problem with signer on the provider side Security Server (3). Check the signer (3) application log (/var/log/xroad/signer.log) for details. In case more detailed logging is required, adjust the signer (3) logging levels. You can also try to restart the "xroad-signer" process. |
Server.ServerProxy.CannotCreateSignature.Signer.TokenNotActive | Token 'softToken' not active | |
Server.ServerProxy.SslAuthenticationFailed | Server certificate is not trusted | SSL authentication between the service provider side Security Server (3) and the service provider information system (4) failed. The error occurs when the "Verify TLS certificate" option is selected in the service configuration, but the service certificate hasn't been uploaded to the provider side Security Server (3). The error can be resolved by unchecking the "Verify TLS certificate" option or uploading the service certificate to the provider side Security Server (3). More information can be found here. |
 | Client 'SUBSYSTEM:<instanceIdentifier>/<memberClass>/<memberCode>/<subsystemCode>' has no IS certificates | SSL authentication between the service provider side Security Server (3) and the service provider information system (4) failed. The error occurs when the "Verify TLS certificate" option is selected in the service configuration, but the service certificate hasn't been uploaded to the provider side Security Server (3). The error can be resolved by unchecking the "Verify TLS certificate" option or uploading the service certificate to the provider side Security Server (3). More information can be found here. |
Server.ServerProxy.LoggingFailed.TimestamperFailed | ||
Cannot time-stamp messages: no timestamping services configured | Time-stamping of messagelog records failed, because no time-stamping service has been configured on the service provider side Security Server (3). More information on how to configure a time-stamping service. | |
Cannot time-stamp messages | Time-stamping of messagelog records may fail because of multiple reasons:
| |
Server.ServerProxy.OutdatedGlobalConf | Global configuration is expired | The service provider side Security Server (3) is not able to download global configuration from the Central Server and the local copy of the global configuration has expired. Check the configuration client (3) application log (/var/log/xroad/configuration_client.log) for details. In case more detailed logging is required, adjust the configuration client (3) logging levels. You can also try to restart the "xroad-confclient" process. Also, it's is possible that the service provider side Security Server (3) is not able to establish network connection to the Central Server, e.g., invalid firewall configurations. More information on how to check the global configuration download connection status. |
Server.ServerProxy.LoggingFailed.InternalError | Writing messages to the message log database fails on the the service provider side Security Server (3). | |
Ask timed out on [Actor [ akka: // Proxy / user / LogManager # 2110275378 ]] after [40000 ms]. Sender [null] sent message of type "ee.ria.xroad.common.messagelog.LogMessage" | This may happen because the Security Server (3) is overloaded or the hard disk is full. Check the CPU load and free disk space of the server (3). Restarting the server may also help. | |
Futures timed out after [40 seconds] | This may happen because the Security Server (3) is overloaded. Check the CPU load of the server (3). Restarting the server (3) may also help. | |
Server.ServerProxy.IOError | Received fatal alert: handshake_failure | TLS handshake between the Security Server (3) and the service provider information system (4) failed. This may happen because the Security Server (3) and the service provider information system (4) don’t support the same TLS ciphers and/or TLS protocol versions. By default, the Security Server supports TLSv1.2 and the supported ciphers are listed here. Supported TLS versions and ciphers can be configured using the |