fortifyclient token -gettoken

One of our developers gets an error from fortifyclient when he tries to get an AnalysisUploadToken from the command line.

fortifyclient -url [http://ourSSCurl] -user [username] token -gettoken AnalysisUploadToken

Enter Password:

Enter Password:

Invalid timestamp The security semantics of the message have expired.

However, when I tested it I could successfully get the token.

He is in Europe and my office and SSC server are in Canada.

Is this about time difference? Please advise how to resolve this.

Thank you.

  • Time zone doesn't matter, but the UTC time on both server and client has to be within around 5 minutes of each other. I suggest checking that the times on both sides are accurate; NTP is recommended.

  • Thank you for your reply.

    I checked the time on the server and it seems correct, and the developer said the time on his PC is correct as well.

    Is there any way that I can check it on the ssc log or somewhere?

  • You could check the recent output in the ssc.log or ssc_audit.log to make sure the time is close if you don't have other access to that machine. You can trigger an event to be logged by logging into SSC.

    Or, you could add -debug onto your fortifyclient command on a machine where fortifyclient is working, and search for "wsu:Created"; this should yield the time that response was served per the SSC host's time.

    Adding -debug onto the fortifyclient command on the machine that isn't working and searching again for "wsu:Created" will yield the time that machine created the request, and "wsu:Expires" will show the time after which that message should be rejected by the server.

    Both server and client date times should be in UTC and within 5 minutes of each other to allow this API to function.
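
The comparison described in the last reply, as an added example that is not part of the original thread or of Fortify's tooling: it pulls "wsu:Created" out of a message copied from the -debug output on each machine and turns the two readings into a client-versus-server skew. Assumptions: the elements look like `<wsu:Created>2024-03-01T14:09:30.000Z</wsu:Created>`, you paste only the request (failing machine) or the response (working machine), and you noted a trusted UTC reading when each command was run; all function names and sample values are made up for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # tolerance quoted in the thread
# Assumed element shape: <wsu:Created ...>ISO-8601 value</wsu:Created>
_TS = re.compile(r"<wsu:(Created|Expires)[^>]*>\s*([^<\s]+)\s*</wsu:\1>")

def parse_utc(value):
    """Parse an ISO 8601 timestamp; a value without an offset is taken as UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def timestamps(message):
    """Return the first wsu:Created / wsu:Expires values found in the text."""
    found = {}
    for tag, value in _TS.findall(message):
        found.setdefault(tag, parse_utc(value))
    if "Created" not in found:
        raise ValueError("no wsu:Created element in this message")
    return found

def clock_offset(message, reference_utc):
    """How far the clock that stamped `message` is from a trusted UTC reading."""
    return timestamps(message)["Created"] - parse_utc(reference_utc)

def check_skew(client_msg, client_ref, server_msg, server_ref):
    """Client-vs-server skew, derived from each side's offset to the reference."""
    skew = clock_offset(client_msg, client_ref) - clock_offset(server_msg, server_ref)
    return {"skew_seconds": skew.total_seconds(),
            "within_tolerance": abs(skew) <= MAX_SKEW}

# Constructed samples, not real fortifyclient output.
CLIENT_REQUEST = """<wsu:Timestamp wsu:Id="TS-1">
  <wsu:Created>2024-03-01T14:09:30.000Z</wsu:Created>
  <wsu:Expires>2024-03-01T14:14:30.000Z</wsu:Expires>
</wsu:Timestamp>"""
SERVER_RESPONSE = """<wsu:Timestamp wsu:Id="TS-2">
  <wsu:Created>2024-03-01T15:30:05.000Z</wsu:Created>
  <wsu:Expires>2024-03-01T15:35:05.000Z</wsu:Expires>
</wsu:Timestamp>"""

if __name__ == "__main__":
    # Reference readings: trusted UTC noted when each command was run.
    print(check_skew(CLIENT_REQUEST, "2024-03-01T14:02:00Z",
                     SERVER_RESPONSE, "2024-03-01T15:30:00Z"))
```

Using offsets from a common reference lets the two captures be taken at different times, which matters when the client and server operators are in different offices.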