| Article Number | 000038335 |
| Applies To | RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router |
| Issue | The following events take place:
- Follow the documentation on adding a wildcard certificate Cloud Authentication Service Certificates as a .pem certificate.
- Publish the changes to the Identity Router.
- The keystoreService is stopped, and changes are not published. The Identity Router then goes into a distressed state.
Errors reported in the Identity Router Logs, are as follows:
2019-07-16/13:39:17.679/UTC [ServiceMonitor] WARN com.symplified.service.shared.manager.ServiceMonitor[174] -
Failed to start keystoreService since Tue Jul 16 13:38:06 UTC 2019 (70 seconds), retrying...
com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:64)
at com.symplified.service.shared.manager.ServiceMonitor.startServices(ServiceMonitor.java:119)
at com.symplified.service.shared.manager.ServiceMonitor.run(ServiceMonitor.java:45)
Caused by: com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137)
at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:59)
... 2 more
Caused by: java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.c.oz.engineGenerateCertificates(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:234)
at com.symplified.service.appliance.keystore.KeystoreService.getCertificatesAndKeyFromCustomer(KeystoreService.java:211)
at com.symplified.service.appliance.keystore.KeystoreService.loadConfig(KeystoreService.java:76)
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:135)
|
| Cause | This issue happens when the .pfx certificate is converted to a .pem certificate using the openssl command. The public certificate chain contains a section with the encrypted private key.
The .pem certificate contains a private key section, which begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, as shown here:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBj08sp5++4anG
cmQxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMSAwHgYD
VQQDDBcqLmF3cy10ZXN0LnByb2dyZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
...
bml6YXRpb252YWxzaGEyZzIuY3JsMIGgBggrBgEFBQcBAQSBkzCBkDBNBggrBgEF
BQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nvcmdh
z3P668YfhUbKdRF6S42Cg6zn
-----END PRIVATE KEY-----
|
| Resolution | - Use openssl to convert the .pfx certificate to .pem without including the private key using the command shown here:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
- Extract the private key from a .pfx to a key file and remove the password from the extracted private key:
# openssl pkcs12 -in filename.pfx -nocerts -out server.key -nodes
- Import the certificate, private key, and chain in the Company Settings page in the Cloud Administration Console.
- Publish the changes.
|
| Workaround | As a workaround,
- Manually remove the section for the encrypted private key using a text editor from the .pem files.
- Reapply the certificate on the cloud admin console.
- Publish the changes.
|
on May 27, 2020