bobbick
53 Posts

Validation of LTPA token failed due to invalid keys or token type

‏2007-07-03T13:51:37Z |
When I start my WebSphere App Server (6.1.0.7) the following error message is displayed:

7/3/07 9:43:14:630 EDT 00000019 DefaultTokenP E HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of CMH-MIS-7P15P71Cell01\CMH-MIS-7P15P71CellManager01\dmgr and an IP address of /10.201.201.11. Global security in the local process is Enabled. Global security in the sending process is Enabled. The received token starts with 1(±`?iMìÎL)[8CTÊ®(ñm¾kí. The exception is com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.

Does anyone know what this means and how to resolve it?

Kind Regards,
Bob
Updated on 2012-03-26T04:33:18Z at 2012-03-26T04:33:18Z by lukewang
  • bpaskin
    5478 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2007-07-03T14:04:28Z  
    Hi,

    It would appear that your LTPA token is corrupted. I would suggest regenerating it and seeing if the message is gone. You will also have to restart the node agents.

    Brian
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2007-07-03T14:48:57Z  
    robert.bick@icfconsulting.com wrote:
    > When I start my WebSphere App Server (6.1.0.7) the following error message is displayed:
    >
    > 7/3/07 9:43:14:630 EDT 00000019 DefaultTokenP E HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of CMH-MIS-7P15P71Cell01\CMH-MIS-7P15P71CellManager01\dmgr and an IP address of /10.201.201.11. Global security in the local process is Enabled. Global security in the sending process is Enabled. The received token starts with 1(±`?iMìÎL)?[8CTÊ®(ñm?¾kí. The exception is com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
    >
    > Does anyone know what this means and how to resolve it?
    >
    > Kind Regards,
    > Bob

    Have you had any certificates expire recently? (You can find out by
    looking at the serious events log). WAS 6.1 does automatic certificate
    replacement, which can cause some transient errors. You might want to
    consider turning that feature off, and monitoring the logs for warnings
    so that you can update the certs yourself.
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2007-07-05T11:06:34Z  
    Hello!
    Have you found a solution to this problem? We see this problem too in our node agent, in different versions 6.1.0.6 and 6.1.0.8, but same cell, but we haven't managed to figure out why yet.
    Kind regards
    Katarina
  • bwa
    54 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2007-10-29T07:57:34Z  
    I'm getting the same message after importing LTPA keys from another cell.
    All my servers are synchronized and security.xml and ltpa.jceks are propagated. Are there other files I should check?
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2007-11-02T20:04:46Z  
    How do you regen the LTPA keys for WAS6.1? I'm having the same problem.
  • bobbick
    53 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2007-12-17T16:42:41Z  
    I was able to resolve this issue by doing the following:
    1) stop all websphere app servers and node agents in the cell
    2) turn off administrative security in the cell (via the deployment manager)
    3) restart the DM
    4) perform a manual sync of all nodes (syncNode.bat)
    5) turn on administrative security in the cell (via the deployment manager)
    6) restart the DM
    7) perform a manual sync of all nodes (syncNode.bat)
    8) start node agents in the cell
    9) start the websphere app servers

    Hopefully this will help others that run into this problem.
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2008-01-25T15:52:30Z  
    Hi,

    I'm getting the same error. I tried the steps listed, same result. This doesn't make sense, the appServer starts fine, the Nodeagent syncs fine no errors, this is a fairly new cell, node and appserver, no cert expirations, everything starts fine but I see this error in my sysout of the appServer. LTPA keys match up between cell and node, this doesn't make sense.
  • bobbick
    53 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2008-01-25T18:26:37Z  
    Just wondering... If you log into the AdminConsole and check the status of the nodes, does it indicate that they are out of sync?

    By the way, you can regenerate the LTPA keys by going to:

    Secure administration, applications, and infrastructure > Authentication mechanisms and expiration

    Key generation -> Generate Keys

    Robert



    Updated on 2008-01-25T18:26:37Z at 2008-01-25T18:26:37Z by bobbick
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2008-01-25T19:05:39Z  
    Thanks for your response.

    That's what's weird, the nodes are in sync, and you can resync them just fine. I've regened the keys as well...
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2008-01-25T20:08:39Z  
    Also this doesn't seem to be reporting as an error to systemError... is this only a warning??? Again, app and node start fine, no sync errors...

    1/25/08 15:05:38:181 EST 00000017 DefaultTokenP E HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of someCell\SomeNode\nodeagent and an IP address of /555.55.555. Global security in the local process is Enabled. Global security in the sending process is Enabled. The received token starts with M-^^M-^Y:SgM-^U^E@ÖðLj?OM-^UÆî¾M-^UM-^Jùñ÷ÌU. The exception is com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:951)
    at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:869)
    at com.ibm.ws.security.token.WSCredentialTokenMapper.validateLTPAToken(WSCredentialTokenMapper.java:1295)
    at com.ibm.ws.hamanager.runtime.DefaultTokenProvider.authenticateMember(DefaultTokenProvider.java:214)
    at com.ibm.ws.hamanager.coordinator.dcs.MemberAuthenticatorImpl.authenticateMember(MemberAuthenticatorImpl.java:87)
    at com.ibm.ws.dcs.vri.transportAdapter.rmmImpl.ptpDiscovery.DiscoveryRcv.acceptStream(DiscoveryRcv.java:266)
    at com.ibm.rmm.ptl.tchan.receiver.PacketProcessor.fetchStream(PacketProcessor.java:470)
    at com.ibm.rmm.ptl.tchan.receiver.PacketProcessor.run(PacketProcessor.java:860)
  • bobbick
    53 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2008-01-27T20:30:31Z  
    was6guy,

    When is this problem occurring? Is the error occurring when you are starting up application servers in the cell? Or, is it happening when a server in a foreign cell is trying to communicate with one of your servers?

    If it is occurring during cross cell communication, then you will need to export the LTPA keys from the client cell and import them into the target cell.

    Robert





  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2009-03-26T10:08:08Z  
    I faced the same problem and solved it by setting the following "custom property" of the core group:

    IBM_CS_SS_SECURE_TOKEN=false

    Don't know if this workaround is security aware or not. But I get rid of the messages.
  • SystemAdmin
    37421 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2010-08-29T14:32:11Z  
    I just want to communicate our recent experience with this error so that others will not have the same problem we did. It is a little different than the other people but still informational.

    We were getting the LTPA token errors after installing a new version of RTC. During the investigation, I went into the ffdc directory and was looking at some of the files. A couple of things stood out.

    1. I noticed an error that the nodeagent did not have permissions on the plugin-cfg.xml file. In particular, it was trying to write to it and got a permission denied.

    2. In the web server log files (http_plugin.log), I noticed it could not read the plugin file either and it was reverting back to an old config file. But I don't think it was reverting to anything and was sending plain text to WAS instead of SSL encrypted data. SystemOut.log had some errors referring to 'plaintext'.

    SystemOut_10.08.28_16.56.11.log:javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

    3. The plugin-cfg.xml file had permissions of 640 with root as the owner and root as the group. I noticed that httpd was running as 'nobody' so obviously it could not read the plugin file. We changed the permissions to 644 and changed the owner to the userid that WAS was running under.

    So we fixed the permissions, restarted the web server, and got another error.
    ERROR: lib_security: logSSLError: str_security (gsk error 408): GSK_ERROR_BAD_KEYFILE_PASSWORD
    We looked in the plugin-cfg.xml and it was pointing to a file that did not exist. We fixed that, restarted the httpd server, and everything was working fine. No more SSL or LTPA token errors.
  • swamykumar
    2 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2011-02-07T21:32:35Z  
    Just wanted to share the error I got and the way it got resolved.

    Error while starting server:
    "HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of .... Global security in the local process is Disabled. Global security in the sending process is Enabled. The received token starts with.."

    Resolution:
    To overcome this issue - we need to resync the node agent
    1) Bring down servers, nodes and DM.
    2) Start DM
    3) manually do syncNode -username -password
    4) start node and start server (observe log file)
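
A log-triage sketch for the two HMGR0149E variants quoted in this thread, added here as an example and not part of any post or of IBM's code: it parses each rejection, discards the token prefix instead of carrying it into reports, and counts per sending process whether the two sides disagree on global security (Enabled vs Disabled) or agree but fail LTPA key validation. The sample lines, the bracketed timestamp form, and the category names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the HMGR0149E messages quoted in this
# thread; cell/node names, addresses and the "????" token prefix are made up.
SAMPLE_LOG = r"""
[1/25/08 15:05:38:181 EST] 00000017 DefaultTokenP E   HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of cellA\nodeA\nodeagent and an IP address of /192.0.2.10. Global security in the local process is Enabled. Global security in the sending process is Enabled. The received token starts with ????. The exception is com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
[1/25/08 15:05:41:007 EST] 00000017 DefaultTokenP E   HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of cellA\nodeA\nodeagent and an IP address of /192.0.2.10. Global security in the local process is Enabled. Global security in the sending process is Enabled. The received token starts with ????. The exception is com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
[1/25/08 15:06:02:440 EST] 0000001a DefaultTokenP E   HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of cellA\nodeB\server1 and an IP address of /192.0.2.11. Global security in the local process is Disabled. Global security in the sending process is Enabled. The received token starts with ????.
[1/25/08 15:06:10:912 EST] 0000000a WsServerImpl  A   WSVR0001I: Server server1 open for e-business
"""

HMGR0149E = re.compile(
    r"HMGR0149E: .*?core group (?P<group>\S+) has been rejected\. "
    r"The sending process has a name of (?P<sender>\S+) "
    r"and an IP address of /?(?P<ip>\S+?)\. "
    r"Global security in the local process is (?P<local>\w+)\. "
    r"Global security in the sending process is (?P<remote>\w+)\."
    r"(?P<rest>.*)"
)
EXCEPTION = re.compile(r"The exception is (?P<cls>[\w.$]+): (?P<reason>.+?)\s*$")


def classify(ev):
    """Label a rejection using only fields the message itself carries."""
    if ev["local"] != ev["remote"]:
        # One side has global security on and the other off: the receiving
        # process is running with a different security configuration.
        return "security-state-mismatch"
    if "invalid keys or token type" in (ev["reason"] or ""):
        # Both sides enabled, but the token did not validate with local keys.
        return "ltpa-key-mismatch"
    return "other"


def parse_line(line):
    """Return a dict for an HMGR0149E line, or None for anything else."""
    m = HMGR0149E.search(line)
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest")  # holds the token prefix; deliberately not kept
    exc = EXCEPTION.search(rest)
    ev["exception"] = exc["cls"] if exc else None
    ev["reason"] = exc["reason"] if exc else None
    # Sender is cell\node\server; pad so a short name does not raise.
    parts = (ev["sender"].split("\\") + [None] * 3)[:3]
    ev["cell"], ev["node"], ev["server"] = parts
    ev["kind"] = classify(ev)
    return ev


def summarize(log_text):
    """Count rejections per (sender, ip, kind) so the odd process stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(ev["sender"], ev["ip"], ev["kind"])] += 1
    return counts


if __name__ == "__main__":
    for (sender, ip, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {kind:24s} {sender} ({ip})")
```
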
  • it24705
    24 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2011-02-08T13:22:10Z  
    I experienced the same error today and I solved it in the same way swamykumar already described.
  • lukewang
    1 Post

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2012-03-26T04:33:18Z  
    This is really a very useful thread!

    Thank you all for replying to this problem.

    It helped me resolve the same problem.

    The steps work!
    1. Stop all nodes, servers, dmgrs
    2. Start dmgr
    3. run command ./syncNode.sh x.xx.xxx.xxx 8879 -username xxx -password xxxxxxx
    4. start node and servers.
    5. check the log at the same time. no errors now!

    Thanks, Luke
  • RiteshVyas
    2 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2013-05-08T03:01:26Z  

    Thanks all. Indeed a helpful thread.

     

    Thanks,

    Ritesh

  • Trelandon
    1 Post

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2014-01-08T19:46:15Z  

    Thanks for the resolution. Very useful info indeed.

  • hiroitasiki
    2 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2014-07-21T17:24:44Z  


    Maybe there is a port conflict.

    Try to check the "DCS_UNICAST_ADDRESS" between servers (JVM).

     

  • M.Shahbaz
    3 Posts

    Re: Validation of LTPA token failed due to invalid keys or token type

    ‏2015-10-31T22:39:57Z  

    Hi

    I have imported the LTPA keys from another cell and am facing this "LTPA token failed due to invalid keys or token type" issue. Can someone confirm that restarting and synchronizing nodes will resolve this error?

    Thanks