
AST Trusted Message Sign Error Codes (SubSystem 516)

TMS / DM Interaction (Error Codes 10-19)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 10 | 409 | Locked | The TMS is locked by a different client |
| 516 | 11 | 410 | AlreadyComplete | The TMS was already in a completed state when trying to complete it |
| 516 | 12 | 410 | Timeout | The TMS or Display Message timed out |
| 516 | 13 | 412 | WrongState | The TMS is in the wrong state for the requested operation |

Signed Data Checks (Error Codes 20-39)

The following error codes are only returned by respondToTms when a signedData is sent, i.e. when the response is ACCEPTED.

Structural Errors (Error Codes 20-29)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 20 | 400 | InvalidCms | The data is not a valid PKCS#7 CMS SignedData structure |
| 516 | 21 | 400 | MissingSignerInfo | The CMS structure did not contain a signer info |
| 516 | 22 | 400 | AmbiguousSignerInfo | The CMS structure contained more than one signer info |
| 516 | 23 | 400 | MissingCert | The CMS structure did not contain a client certificate |
| 516 | 24 | 400 | AmbiguousCert | The CMS structure contained more than one client certificate |
| 516 | 25 | 400 | BadKey | The public key of the client certificate is unsupported |
| 516 | 26 | 400 | UnsupportedAlgorithm | One of the algorithms used in the signature is unsupported |

Validity Errors (Error Codes 30-39)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 30 | 403 | BadCertSignature | The client certificate's signature is invalid |
| 516 | 31 | 403 | BadCertProfile | The client certificate is not an AST_DEVICE certificate |
| 516 | 32 | 403 | BadCertificationPath | The certification path of the client certificate is invalid |
| 516 | 33 | 403 | SignedDataMismatch | The signed data does not match the fully expanded TMS message |
| 516 | 34 | 403 | BadCmsSignature | The signature of the CMS is invalid |
| 516 | 35 | 403 | CertOwnerMismatch | The certificate has a SAN extension and the owner named there does not match the caller |
| 516 | 36 | 403 | Replay | The signed attributes did not match the TMS or the caller (signingTime, userId, tmsId, clientId) |
| 516 | 37 | 403 | CertificateRevoked | The Signer CA that issued the client certificate, or the client certificate itself, has been revoked. Obtain a new certificate before completing the TMS. |
| 516 | 38 | 403 | ClientCertificateExpired | The client certificate used to sign the CMS has expired. The client should renew its certificate before retrying to complete the TMS. |

Additional Information about 516-36 Replay

When responding to a TMS, the CMS SignedData must carry a set of signed attributes that bind the response to the correct TMS and prevent replay of TMS responses. If any of these checks fails, error 516-36 Replay is returned.

The attributes checked are:

  • The standard CMS signingTime attribute (OID 1.2.840.113549.1.9.5)
    • It must be between the retrievedAt field of the TMS (the time the client downloaded the TMS, equal to serverTime in the downloaded TMS) and the current time
  • The TMS ID attribute (OID 1.3.6.1.4.1.14481.109.3.1)
    • It must be equal to the TMS ID the response is sent for
  • The User ID attribute (OID 1.3.6.1.4.1.14481.109.3.2)
    • It must be equal to the User ID (sub claim) in the access token used to send the response
  • The AST Client ID attribute (OID 1.3.6.1.4.1.14481.109.3.3)
    • It must be equal to the AST Client ID (astClientId claim) in the access token used to send the response

The detailed cause of the error is logged by AST TMS at WARN level, so consult the logs when you receive this error code.
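The binding described above, as an added example that is not part of the original page or of the AST TMS code: a client-side builder that DER-encodes the four signed attributes, a parser for them, and the server-side checks that produce 516-36 Replay. The OIDs are the ones listed above; the encoding of the three AST values as UTF8Strings, the field names of the sample TMS and token claims, and the one-second rounding of retrievedAt are assumptions of this example.

```python
from datetime import datetime, timezone

# OIDs named on the page: the standard CMS signingTime and the three AST attributes.
OID_SIGNING_TIME = "1.2.840.113549.1.9.5"
OID_TMS_ID = "1.3.6.1.4.1.14481.109.3.1"
OID_USER_ID = "1.3.6.1.4.1.14481.109.3.2"
OID_AST_CLIENT_ID = "1.3.6.1.4.1.14481.109.3.3"

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def _tlv(tag, body):
    """DER tag-length-value; long-form length for bodies of 128 bytes or more."""
    n = len(body)
    if n >= 0x80:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + body
    return bytes([tag, n]) + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128 with continuation bits, most significant first
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _der_set(*elems):
    return _tlv(0x31, b"".join(sorted(elems)))  # DER: SET OF members sorted by encoding

def _attribute(oid, value_der):
    return _tlv(0x30, _der_oid(oid) + _der_set(value_der))

def build_signed_attrs(signing_time, tms_id, user_id, ast_client_id):
    """The SET OF Attribute the client signs. Assumed here (the page does not say): the three
    AST values are UTF8Strings. A real SignerInfo also carries contentType and messageDigest
    and embeds this SET as [0] IMPLICIT (tag 0xA0) while the signature covers the 0x31 form."""
    stamp = signing_time.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ").encode()
    return _der_set(
        _attribute(OID_SIGNING_TIME, _tlv(0x17, stamp)),  # UTCTime
        _attribute(OID_TMS_ID, _tlv(0x0C, tms_id.encode())),  # UTF8String
        _attribute(OID_USER_ID, _tlv(0x0C, user_id.encode())),
        _attribute(OID_AST_CLIENT_ID, _tlv(0x0C, ast_client_id.encode())),
    )

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_signed_attrs(der):
    """Decode a SET OF Attribute into {oid: value}; a repeated attribute is rejected."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x31:
        raise ValueError("signedAttrs is not a SET")
    attrs, pos = {}, 0
    while pos < len(body):
        _, attr, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(attr, 0)
        _, values, _ = _read_tlv(attr, p)
        vtag, vbody, _ = _read_tlv(values, 0)
        oid = _decode_oid(oid_body)
        if oid in attrs:
            raise ValueError("duplicate attribute " + oid)
        if vtag == 0x17:
            attrs[oid] = datetime.strptime(vbody.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        else:
            attrs[oid] = vbody.decode()
    return attrs

def check_replay(attrs, tms, claims, now):
    """Checks behind 516-36 Replay: None when all pass, else the reason (what the WARN log says)."""
    if OID_SIGNING_TIME not in attrs:
        return "signingTime missing"
    # UTCTime has whole-second resolution, so retrievedAt is compared at that precision
    # (a choice of this example): a response signed within the same second still passes.
    if attrs[OID_SIGNING_TIME] < tms["retrievedAt"].replace(microsecond=0):
        return "signingTime before retrievedAt"
    if attrs[OID_SIGNING_TIME] > now:
        return "signingTime in the future"
    for oid, name, value in ((OID_TMS_ID, "tmsId", tms["id"]), (OID_USER_ID, "userId", claims["sub"]),
                             (OID_AST_CLIENT_ID, "clientId", claims["astClientId"])):
        if attrs.get(oid) != value:
            return name + " missing or does not match"
    return None
```

The encoded SET is what a CMS signer hashes and signs; a complete SignerInfo would also carry the contentType and messageDigest attributes that RFC 5652 requires whenever signedAttrs is present. parse_signed_attrs rejects a duplicated attribute, which closes the obvious trick of shipping both a fresh and a stale copy of the same attribute and hoping the verifier reads the wrong one.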

Templating Errors (Error Codes 40-49)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 40 | 500 | TemplateExpansionFailed | The expansion of a message template failed |

Cryptography Errors (Error Codes 50-59)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 50 | 500 | EncryptionError | Encrypting a response body failed. Details can be found in the message |
| 516 | 51 | 400 | DecryptionError | Decrypting a request body failed. Details can be found in the message |
| 516 | 52 | 500 | DbEncryptionError | Encrypting a field for the database failed. Details can be found in the message |
| 516 | 53 | 500 | DbDecryptionError | Decrypting a field from the database failed. Details can be found in the message |

Bad Request Codes (Error Codes 400 and 400x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 400 | 400 | BadRequest | An unspecified Bad Request error. Look for details in the message. |
| 516 | 4001 | 400 | MissingField | A required field was missing in the request |
| 516 | 4002 | 400 | MalformedField | A field in the request had a wrong format |
| 516 | 4003 | 400 | MalformedBody | The request body was malformed and couldn't be parsed |

Unauthorized Codes (Error Codes 401 and 401x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 401 | 401 | Unauthorized | There was a problem authenticating the request; see below for details |
| 516 | 4011 | 401 | TlsClientAuthMissing | mTLS enforcement is enabled and the request did not contain TLS client authentication information. That is, the request did not contain any of the api.security.mTLS.certRequestHeaders, or the header did not contain a certificate |

Details about 516-401 Unauthorized

This error code covers cases such as:

  • The header was missing
  • The token could not be decoded
  • The token is from a different realm than the tenant in the request path
  • The token was expired (exp), not yet valid (nbf) or issued in the future (iat)
  • The token's issuer (iss) did not match the expected value discovered from the IdP
    • This is most likely a realm configuration problem in Keycloak, such as not configuring the "Frontend URL" setting in the realm, which is required in a typical setup
      • Failing to configure the Frontend URL will result in a mismatch between the issuer URL that was discovered by the service inside the cluster, and the issuer in the JWT issued for a client outside the cluster
    • After changing the realm configuration, it is necessary to restart the service in order for it to rediscover the realm configuration
  • The token's audience (aud) didn't include all required values specified in the service config (default: none)
  • The token's signature did not match the public key discovered from the IdP

Forbidden / Bad Token Codes (Error Codes 403 and 403x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 403 | 403 | Forbidden | The user has no permission to access the resource. The details of the failed authorization are printed in the logs |
| 516 | 4031 | 403 | MissingUserId | The user ID (sub claim) is missing in the access token |
| 516 | 4032 | 403 | MissingClientId | The AST client ID (astClientId claim) is missing in the access token |
| 516 | 4033 | 403 | MissingAuthTime | The authentication time (auth_time claim, fallback iat claim) is missing in the access token |
| 516 | 4034 | 403 | ExplicitAuthMissing | The required explicit auth scope is missing (only on respondToTms) |
| 516 | 4035 | 403 | AuthTooOld | The authentication is too old: the required freshness was not met (only on respondToTms) |
| 516 | 4036 | 403 | SessionKeyNotFound | The session key with the specified ID wasn't found |
| 516 | 4037 | 403 | SessionKeyDecryptionFailed | The session key could not be decrypted |
| 516 | 4038 | 403 | MKexRequired | The client was required to do mKEX, but no authenticated session key was found |
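The 516-401 causes listed above and the claim-level 516-403x checks in this table, as an added example that is not the service's own code: a token check that reports the first failing cause in the order the page lists them, followed by the respondToTms claim checks. It signs with HS256 and a constructed key so that it runs offline; a Keycloak realm signs with RS256, and the service verifies against the key found through OIDC discovery. The issuer form `<Frontend URL>/realms/<realm>`, the assumption that the tenant ID in the request path is the realm name, the explicit auth scope name and the sample claims are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def expected_issuer(frontend_url, tenant):
    # Keycloak issues tokens with iss = <Frontend URL>/realms/<realm>; this example
    # assumes the tenant ID in the request path is the realm name.
    return frontend_url.rstrip("/") + "/realms/" + tenant

def mint_token(claims, key):
    """Constructed sample tokens. HS256 keeps the example offline; a Keycloak realm signs
    with RS256 and the service verifies against the JWKS key found by OIDC discovery."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_access_token(token, tenant, frontend_url, key, now, required_aud=(), leeway=0):
    """Returns (claims, None) on success or (None, cause), checking the 516-401 causes in
    the order the page lists them. Claims are only read, never trusted, before the
    signature check at the end."""
    if not token:
        return None, "Authorization header missing"
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        signature = _unb64url(sig)
    except (ValueError, UnicodeDecodeError):
        return None, "token could not be decoded"
    iss = claims.get("iss", "")
    if iss.rsplit("/realms/", 1)[-1] != tenant:
        return None, "token realm does not match tenant in request path"
    if now >= claims.get("exp", 0) + leeway:  # a missing exp counts as expired here
        return None, "token expired (exp)"
    if now < claims.get("nbf", 0) - leeway:
        return None, "token not yet valid (nbf)"
    if claims.get("iat", 0) > now + leeway:
        return None, "token issued in the future (iat)"
    if iss != expected_issuer(frontend_url, tenant):
        return None, "issuer mismatch (check the realm's Frontend URL)"
    aud = claims.get("aud", [])
    aud = {aud} if isinstance(aud, str) else set(aud)
    if not set(required_aud) <= aud:
        return None, "audience missing a required value"
    if header.get("alg") != "HS256":  # never accept alg=none or an unexpected algorithm
        return None, "unsupported signing algorithm"
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "signature does not match the IdP key"
    return claims, None

def check_respond_to_tms_claims(claims, now, max_auth_age, explicit_scope="explicit-auth"):
    """The claim-level 516-403x checks for respondToTms. The scope name is an assumption;
    the page only says that a required explicit auth scope exists."""
    if "sub" not in claims:
        return "MissingUserId"
    if "astClientId" not in claims:
        return "MissingClientId"
    auth_time = claims.get("auth_time", claims.get("iat"))
    if auth_time is None:
        return "MissingAuthTime"
    if explicit_scope not in claims.get("scope", "").split():
        return "ExplicitAuthMissing"
    if now - auth_time > max_auth_age:
        return "AuthTooOld"
    return None

# Constructed sample data, not taken from the page.
KEY = b"constructed-demo-key"
FRONTEND_URL = "https://idp.example.com/auth"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": expected_issuer(FRONTEND_URL, "acme"), "sub": "user-42",
                 "astClientId": "client-7", "aud": ["ast-tms"], "iat": NOW - 60,
                 "auth_time": NOW - 60, "exp": NOW + 300, "scope": "openid explicit-auth"}
```

Passing an in-cluster discovery URL such as `http://keycloak.idp.svc:8080/auth` as `frontend_url` while the token carries the public Frontend URL reproduces the issuer mismatch described in the 516-401 list: every other claim is fine, only `iss` differs.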

Not Found Codes (Error Codes 404x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 4041 | 404 | TmsNotFound | A TMS with the given ID does not exist |
| 516 | 4042 | 404 | DisplayMessageNotFound | A display message with the given ID does not exist |
| 516 | 4043 | 404 | NoMatchingClients | The filters specified on the TMS or Display Message request didn't match any of the user's clients |

OIDC Errors (Error Codes 100x)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 1000 | 500 | GeneralError | An unexpected error occurred while authenticating the request. See the log for details. |
| 516 | 1001 | 500 | IssuerNotConfigured | The OIDC issuer is not configured. This is probably due to misconfiguration of api.security.openidConnect.baseUrl. See the log for details. |
| 516 | 1002 | 404 | RealmDoesNotExist | The realm corresponding to the tenant ID in the request does not exist in the IDP. See the log for details. |
| 516 | 1003 | 503 | IdpUnavailable | The IDP could not be reached for OIDC discovery. This may be a temporary error or due to misconfiguration. See the log for details. |
| 516 | 1004 | 502 | BadResponse | The IDP response could not be parsed. See the log for details. |
| 516 | 1005 | 502 | UnexpectedError | The IDP returned an unexpected error response during OIDC Discovery. See the log for details. |
| 516 | 1006 | 500 | IssuerMismatch | The issuer URL returned from OIDC Discovery doesn't match the expected one generated from the configuration. This is probably due to realm misconfiguration in the IDP. See the log for details. |
| 516 | 1007 | 500 | UnsupportedFlow | The OIDC configuration returned from the IDP specified an unsupported flow. This is probably due to realm misconfiguration in the IDP. See the log for details. |

General Error Codes (Internal Errors)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 500 | 500 | InternalError | An unexpected error occurred, check for details in the logs |
| 516 | 5001 | 500 | DbError | An unexpected error occurred during a database operation |
| 516 | 5002 | 500 | KafkaError | An unexpected error occurred during a Kafka operation |
| 516 | 503 | 503 | ServiceUnavailable | The service's availability was disrupted, look for details in the message. |

Configuration Errors (Error Codes 500xx)

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 50010 | 500 | UnknownTopicRoutingKey | An outbox item with an unknown topic routing key was encountered |
| 516 | 50020 | 500 | TrustStoreDoesNotExist | The trust store file does not exist |
| 516 | 50021 | 500 | TrustStoreRequired | A trust store was required for the configured SSL mode, but none was given |

Upstream Service Errors (Error Codes 502x)

The following error codes are for failures during requests to upstream services. If the upstream service returns a parseable error response, the parsed error is passed through with HTTP status 502. Otherwise, an appropriate 516-502x code is returned.

| Subsystem | Error Code | HTTP Code | Name | Details |
|---|---|---|---|---|
| 516 | 5021 | 502 | UpstreamRequestError | The request to an upstream service failed due to a networking error |
| 516 | 5022 | 502 | UpstreamInvalidResponse | The upstream service returned a successful response that could not be parsed |
| 516 | 5023 | 502 | UpstreamInvalidErrorResponse | The upstream service returned an error response that could not be parsed |
| Upstream Subsystem | Upstream Error | 502 | determined by upstream | The upstream service returned an error response that could be parsed to a ServiceError |