Article Number | 000038335 |
Applies To | RSA Product Set: SecurID Access RSA Product/Service Type: Identity Router |
Issue | The following events take place:
- Follow the documentation on adding a wildcard certificate Cloud Authentication Service Certificates as a .pem certificate.
- Publish the changes to the Identity Router.
- The keystoreService is stopped, and changes are not published. The Identity Router then goes into a distressed state.
Errors reported in the Identity Router Logs, are as follows:
2019-07-16/13:39:17.679/UTC [ServiceMonitor] WARN com.symplified.service.shared.manager.ServiceMonitor[174] - Failed to start keystoreService since Tue Jul 16 13:38:06 UTC 2019 (70 seconds), retrying... com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:64) at com.symplified.service.shared.manager.ServiceMonitor.startServices(ServiceMonitor.java:119) at com.symplified.service.shared.manager.ServiceMonitor.run(ServiceMonitor.java:45) Caused by: com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137) at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:59) ... 2 more Caused by: java.security.cert.CertificateException: Could not generate certificate: at com.rsa.cryptoj.c.oz.engineGenerateCertificates(Unknown Source) at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:234) at com.symplified.service.appliance.keystore.KeystoreService.getCertificatesAndKeyFromCustomer(KeystoreService.java:211) at com.symplified.service.appliance.keystore.KeystoreService.loadConfig(KeystoreService.java:76) at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:135)
|
Cause | This issue happens when the .pfx certificate is converted to a .pem certificate using the openssl command. The public certificate chain contains a section with the encrypted private key.
The .pem certificate contains a private key section, which begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, as shown here:
-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBj08sp5++4anG cmQxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMSAwHgYD VQQDDBcqLmF3cy10ZXN0LnByb2dyZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD ... bml6YXRpb252YWxzaGEyZzIuY3JsMIGgBggrBgEFBQcBAQSBkzCBkDBNBggrBgEF BQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nvcmdh z3P668YfhUbKdRF6S42Cg6zn -----END PRIVATE KEY-----
|
Resolution | - Use openssl to convert the .pfx certificate to .pem without including the private key using the command shown here:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
- Extract the private key from a .pfx to a key file and remove the password from the extracted private key:
# openssl pkcs12 -in filename.pfx -nocerts -out server.key -nodes
- Import the certificate, private key, and chain in the Company Settings page in the Cloud Administration Console.
- Publish the changes.
|
Workaround | As a workaround,
- Manually remove the section for the encrypted private key using a text editor from the .pem files.
- Reapply the certificate on the cloud admin console.
- Publish the changes.
|