How to solve the Error "Signature Validation Failed. The token's kid is missing. Unable to match keys: kid: '[PII is hidden]', token: '[PII is hidden]'"

2025-02-19T14:26:24.000+0100

Summary

This article addresses the "Signature Validation Failed" error found in ETW logs when using Opcenter Execution Foundation. This authentication token error may appear when executing specific product commands in a distributed scenario.


Details

The "Signature Validation Failed" error typically occurs because the JSON Web Token (JWT) is either improperly signed or the server cannot recognize the signing key, resulting in authentication failures. This often happens when the signing key used to generate the JWT is not the same as the one used to validate the token on the server side.

Possible error codes include IDX10517, IDX10503, and IDX10501.

A possible cause for this issue is that the token used to invoke the command has been signed with a key different from the one present in the Worker/Service Layer. In distributed scenarios, mismatched keys can arise from governance misalignment between nodes or from the X.509 certificates in use.
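As an added illustration (not code from the KB or from the product), the following Python mirrors the validator's key-matching step that sits behind these error codes: the token's kid is looked up among the keys the validating node knows before the signature is checked, so a token issued under a key the node does not hold fails at the matching step. It uses HS256 with shared secrets in place of the product's X.509 signing keys purely to stay self-contained; all key ids and secrets are constructed values.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json

class SignatureValidationError(Exception):
    """Raised for the conditions a validator logs as 'Signature Validation Failed'."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload: dict, kid: str | None, secret: bytes) -> str:
    """Issue an HS256 JWT as an issuing node would, tagging the header with its key id."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def validate(token: str, keys: dict[str, bytes]) -> dict:
    """Validator side: select the key by kid, then verify the signature with it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    kid = header.get("kid")
    if kid is None:
        raise SignatureValidationError("the token's kid is missing")
    if kid not in keys:  # the node never received this key: nothing to try
        raise SignatureValidationError(f"unable to match keys: kid '{kid}' not among {sorted(keys)}")
    expected = hmac.new(keys[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise SignatureValidationError(f"signature does not verify under key '{kid}'")
    return json.loads(_b64url_decode(payload_b64))

def check(token: str, keys: dict[str, bytes]) -> str:
    """Return 'ok' or the message a validator would log, for side-by-side comparison of hosts."""
    try:
        validate(token, keys)
        return "ok"
    except SignatureValidationError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed scenario: the issuing host rotated to 'eng-2025'; one runtime host still only holds 'eng-2024'.
    token = make_token({"sub": "command-invoker"}, "eng-2025", b"constructed-new-secret")
    print("aligned host  :", check(token, {"eng-2025": b"constructed-new-secret"}))
    print("stale host    :", check(token, {"eng-2024": b"constructed-old-secret"}))
    print("kid-less token:", check(make_token({}, None, b"x"), {"eng-2025": b"constructed-new-secret"}))
```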

The steps to solve the issue are as follows:

1) Check Opcenter Execution Foundation Certificate:

  • Verify the JWT configuration, including the signing key. Specifically, inspect the certificates under Certificates - Local Computer -> Personal -> Certificates.
  • Ensure that the KeyID is consistent across all hosts, focusing on the "Authority Key Identifier" in the certificate's Details tab.

2) Align Certificates:

  • If the KeyID is not consistent (e.g., only the Engineering Host is updated), ensure all Runtime Hosts match the new configuration.
  • Open the Opcenter EX FN Configuration tool on misaligned hosts and select the "Align Host" card.

Note that changes on the Engineering Host require alignment on all Runtime Hosts.
In a distributed environment with Opcenter Execution Foundation, it is crucial to manage certificates correctly to ensure secure communication between components. The certificate key should be consistent across all distributed components to maintain a secure and trusted setup.

3) Ask for Additional Support:

  • If this KB article does not resolve the issue, open a case in the Support Center and attach the following information, collected from all nodes:
    • Contents from C:\ProgramData\Siemens\SimaticIT\Unified\Deploy\Governance folder
    • Opcenter Execution Foundation Certificates from Certificates - Local Computer -> Personal -> Certificates
    • Unfiltered ETW logs with default level set to verbose.

References:

KB Article ID# KB000157380_EN_US
