Validation of LTPA token failed due to invalid keys or token type

[rober...@icfconsulting.com]

When I start my WebSphere App Server (6.1.0.7) the following error message is displayed:

[7/3/07 9:43:14:630 EDT] 00000019 DefaultTokenP E HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been rejected. The sending process has a name of CMH-MIS-7P15P71Cell01\CMH-MIS-7P15P71CellManager01\dmgr and an IP address of /10.201.201.11. Global security in the local process is Enabled. Global security in the sending process is Enabled. The received token starts with 1(ą`?iMěÎL)?[8CTĘŽ(ńm?žkí. The exception is com.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.

Does anyone know what this means and how to resolve it?

Kind Regards,
Bob

[Brian S Paskin]

Hi,

It would appear that your LTPA token is corrupted. I would suggest regenerating it and see if the message is gone. You will also have to restart the node agents.

Brian

[Paul Ilechko]

Have you had any certificates expire recently? (You can find out by
looking at the serious events log). WAS 6.1 does automatic certificate
replacement, which can cause some transient errors. You might want to
consider turning that feature off, and monitoring the logs for warnings
so that you can update the certs yourself.

[kao...@handelsbanken.se]

Hello!
Have you found a solution to this problem? We see this problem too in our node agent, in different versions 6.1.0.6 and 6.1.0.8, but same cell, but we haven't managed to figure out why yet.
Kind regards
Katarina

[b...@klp.no]

I'm getting the samme message after importing ltpa keys from an another cell.
All my servers are synchronized and secutiry.xml and lpta.jceks are proagated. Is there other files I should check ?

[philip...@bcbsfl.com]

How do you regen the LTPA keys for WAS6.1? I'm having the same problem.

[rober...@icfconsulting.com]

I was able to resolve this issue by doing the following:<br />
1) stop all websphere app servers and node agents in the cell<br />
2) turn off administrative security in the cell (via the deployment manager)<br />
3) restart the DM<br />
4) perform a manual sync of all nodes (syncNode.bat)<br />
5) turn on administrative security in the cell (via the deployment manager)<br />
6) restart the DM<br />
7) perform a manual sync of all nodes (syncNode.bat)<br />
8) start node agents in the cell<br />
9) start the websphere app servers<br />
<br />
Hopefully this will help others that run into this problem.

[pmap...@gmail.com]

Hi,

I'm getting the same error. I tried the steps listed, same result. This doesnt make sense, the appServer starts fine, the Nodeagent syncs fine no errors, this is a fairly new cell, node and appserver, no cert experations, everything starts fine but I see this error in my sysout of the appServer. Ltpa keys match up between cell and node, this doesnt make sense.

[rober...@icfconsulting.com]

Just wondering... If you log into the AdminConsole and check the status of the nodes, does it indicate that they are out of sync?
<p>
Robert

[pmap...@gmail.com]

Thanks for your response.

That's what's weird, the nodes are in sync, and you can resync them just fine. Ive regened the keys as well...

[pmap...@gmail.com]

Also this doesnt seem to be reporting as an error to systemError... is this only a warning??? Again, app and node start fine, no sync errors...

[1/25/08 15:05:38:181 EST] 00000017 DefaultTokenP E HMGR0149E: An attempt to open a connection to core group DefaultCoreGroup has been reject
ed. The sending process has a name of someCell\SomeNode\nodeagent and an IP address of /555.55.555. Global security in the local
process is Enabled. Global security in the sending process is Enabled. The received token starts with M-^^M-^Y:SgM-^U^E@ÖðLj?OM-^UÆî¾M-^UM-^Jùñ÷ÌU. The excm.ibm.websphere.security.auth.WSLoginFailedException: Validation of LTPA token failed due to invalid keys or token type.
at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:951)
at com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:869)
at com.ibm.ws.security.token.WSCredentialTokenMapper.validateLTPAToken(WSCredentialTokenMapper.java:1295)
at com.ibm.ws.hamanager.runtime.DefaultTokenProvider.authenticateMember(DefaultTokenProvider.java:214)
at com.ibm.ws.hamanager.coordinator.dcs.MemberAuthenticatorImpl.authenticateMember(MemberAuthenticatorImpl.java:87)
at com.ibm.ws.dcs.vri.transportAdapter.rmmImpl.ptpDiscovery.DiscoveryRcv.acceptStream(DiscoveryRcv.java:266)
at com.ibm.rmm.ptl.tchan.receiver.PacketProcessor.fetchStream(PacketProcessor.java:470)
at com.ibm.rmm.ptl.tchan.receiver.PacketProcessor.run(PacketProcessor.java:860)

[rober...@icfconsulting.com]

was6guy,
<p>
When is this problem occurring? Is the error occurring when you are starting up application servers in the cell? Or, is it happening when a server in a foreign cell is trying to communicate with one of your servers?
<p>
If it is occurring during cross cell communication, then you will need to export the LTPA keys from the client cell and import them into the target cell.
<p>
Robert

[joa...@yahoo.de]

I faced the same problem and solved it by setting the following "custom property" of the core group:

IBM_CS_SS_SECURE_TOKEN=false

Don't know if this workaround is security aware or not. But I get rid of the messages.

[sachin...@gmail.com]

just compare the security.xml from Deployement manager and App server
for any diffrence, if it is there just do the syncNode and start the
node agent . Also restart the DM.

[sande...@gmail.com]

Hi guys, thanks for all your responses. Recycling DMGR will fix this issue, but is there any permanent fix for this??

This is happening in our QA env only, prod is fine, any idea?

Thanks!