000038840 - KeyUsage does not allow digital signatures error when using test connection with LDAPS from RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on May 26, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038840
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueThe test connection to RSA Authentication Manager fails while configuring LDAPS with the following error:
 
KeyUsage does not allow digital signatures
CauseThe /opt/rsa/am/server/logs/imsTrace.log shows that a field Key Usage has been created and added value of Data Encipherment (20) which is causing the test connection to fail. 
 
2020-04-09 11:48:47,652, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, 2k8r2-dc1.2k8r2-vcloud.local,,,,LDAP Server connection test failed
javax.naming.CommunicationException: 10.232.0.195:636 [Root exception is javax.net.ssl.SSLException: Certificate not verified.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)


at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:70)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:1)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aI.b(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.ap.c(Unknown Source)
at com.rsa.sslj.x.ap.a(Unknown Source)
at com.rsa.sslj.x.ap.j(Unknown Source)
at com.rsa.sslj.x.ap.i(Unknown Source)
at com.rsa.sslj.x.ap.h(Unknown Source)
at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:393)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
... 18 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)


... 28 more
Caused by: java.security.cert.CertificateException: KeyUsage does not allow digital signatures


at com.rsa.sslj.x.ck.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)


... 31 more
ResolutionRemove the key usage field from the certificate or add the digital signature to it, along with Data Encipherment to resolve the issue. FOllow the steps below:
  1. Review the certificate and under the Details tab, check the Key Usage attribute.

Certificate chain


  1. The certificate should be generated to include Digital Signature which was missing in the LDAPS certificate. 
  2. Reissue the certificate with Digital Certificate Signature included in the Key Usage field. It can now be imported into the RSA Authentication Manager Operations Console.
  3. LDAPS test connection over port 636 works as expected.

Attachments

    Outcomes