Debug KeyMaster errors

The following table outlines possible error messages relating to KeyMaster authentication which can appear in the Liberator event log file, located in var/event-rttpd.log.

Log Message Description

INFO: Token <[token]> is validated for <[key_id]> testkey

The specified user credentials token called [token] has been successfully validated.

NOTIFY: Signature expired for key_id [key id] - [timestamp] denying login

A KeyMaster token’s timestamp is older than the number of seconds specified in the signature-validtime config item or the timeout option of the add-sigkey configuration item in rttpd.conf.

Make sure that clock on the server running the Liberator is synchronized with the clock on the server where KeyMaster Signature Generator is running.

If the clocks on these two servers are set to different times, the Liberator may falsely decide that a user credentials token has expired (it is likely to reject all user credentials tokens for this reason).

ERROR: Cannot load keyfile

<[filename]>

The DER format public key file called [filename], specified in rttpd.conf, is missing, corrupt or in the wrong format.

Check that the key file configuration is specified correctly in rttp.conf; look at the key-id configuration item in the add-sigkey item group.

ERROR: Could not find key_id [key id]

When the Auth Module asked for a check on a user credentials token, the key-id was found to be unknown.

Check that the key-ids match between rttpd.conf and the Auth Module configuration file (for example the users.xml file). Look in rttpd.conf at the key-id configuration item in the add-sigkey item group; in users.xml look at the sigkey-id attribute for each <USER> tag.

ERROR: Malformed token

<[KeyMaster token]>

for key_id [key id]

The user credentials token provided to the Liberator is in the wrong format.

ERROR: Token verification failed for key_id

[key id] <[token]>

The user credentials token failed to verify upon decryption. Either the key used to decrypt the signature does not match the key that KeyMaster used to encrypt it, or the token has been tampered with or corrupted in some way.

ERROR: Malformed timestamp for key_id [key id] <[token]>

The timestamp in the user credentials token is badly formed.

ERROR: Token [token] has already logged in for key_id [key id]

The user credentials token has already been used; a token can only be used once.

CRITICAL: Could not locate key file <etc/publickey1.der> for add-sigkey/key-id < testkey >

The entry in the rttpd.conf file for the public key could not be mapped to a DER public key file in the specified (or default) directory. Either the rttpd.conf entry is invalid, or the key file is missing.

Look in rttpd.conf at the keyfile configuration item in the add-sigkey item group. Check that the specified name and directory of the DER public key file match the name and location of the actual file.

Check that the key file is actually present in the specified location.

The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it).

CRITICAL: No keyfile defined for add-sigkey/key-id < testkey >

The entry in the rttpd.conf file for the public key does not specify a key file.

Look in rttpd.conf at the add-sigkey configuration item group; make sure that there is a keyfile configuration item in this group.

Note: The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it).

CRITICAL: No key-id for an

add-sigkey configuration group

The entry in the rttpd.conf file for the public key does not specify a key id.

Look in rttpd.conf at the add-sigkey configuration item group; make sure that there is a key-id configuration item in this group.

Note: The Liberator will fail to start if this error occurs (the Liberator displays the error message on the screen as well as logging it).


See also: