000038335 - Identity router (IDR) becomes distressed after adding and publishing new wildcard certificate in RSA SecurID Access

Document created by RSA Customer Support Employee on May 27, 2020Last modified by RSA Customer Support Employee on May 29, 2020
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000038335
Applies ToRSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
IssueThe following events take place:
  1. Follow the documentation on adding a wildcard certificate Cloud Authentication Service Certificates as a .pem certificate.
  2. Publish the changes to the Identity Router.
  3. The keystoreService is stopped, and changes are not published. The Identity Router then goes into a distressed state.

Errors reported in the Identity Router Logs, are as follows:


2019-07-16/13:39:17.679/UTC [ServiceMonitor] WARN com.symplified.service.shared.manager.ServiceMonitor[174] -
Failed to start keystoreService since Tue Jul 16 13:38:06 UTC 2019 (70 seconds), retrying...
com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:64)
at com.symplified.service.shared.manager.ServiceMonitor.startServices(ServiceMonitor.java:119)
at com.symplified.service.shared.manager.ServiceMonitor.run(ServiceMonitor.java:45)
Caused by: com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137)
at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:59)
... 2 more
Caused by: java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.c.oz.engineGenerateCertificates(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:234)
at com.symplified.service.appliance.keystore.KeystoreService.getCertificatesAndKeyFromCustomer(KeystoreService.java:211)
at com.symplified.service.appliance.keystore.KeystoreService.loadConfig(KeystoreService.java:76)
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:135)
CauseThis issue happens when the .pfx certificate is converted to a .pem certificate using the openssl command. The public certificate chain contains a section with the encrypted private key.

The .pem certificate contains a private key section, which begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, as shown here:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBj08sp5++4anG
cmQxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMSAwHgYD
VQQDDBcqLmF3cy10ZXN0LnByb2dyZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
...
bml6YXRpb252YWxzaGEyZzIuY3JsMIGgBggrBgEFBQcBAQSBkzCBkDBNBggrBgEF
BQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nvcmdh
z3P668YfhUbKdRF6S42Cg6zn
-----END PRIVATE KEY-----



 
Resolution
  1. Use openssl to convert the .pfx certificate to .pem without including the private key using the command shown here:


# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem


  1. Extract the private key from a .pfx to a key file and remove the password from the extracted private key:


# openssl pkcs12 -in filename.pfx -nocerts -out server.key -nodes


  1. Import the certificate, private key, and chain in the Company Settings page in the Cloud Administration Console.
  2. Publish the changes.

 



 



 
WorkaroundAs a workaround,
  1. Manually remove the section for the encrypted private key using a text editor from the .pem files.
  2. Reapply the certificate on the cloud admin console.
  3. Publish the changes.

Attachments

    Outcomes