000011555 - verify tool fails to validate keys with error 'KMS Server connection failed : Certificate unknown'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000011555
Applies To: RSA Key Manager Server 2.0.x
RSA Key Manager Client 1.5.x
RSA Key Manager Server Migration Utility 2.7.1.1
Issue: verify tool fails to validate keys with error "KMS Server connection failed : Certificate unknown"
How to include the correct CA certificate for trust in an existing PKCS#12
The RKM Server Migration Utility's verify tool fails to verify keys with the error "KMS Server connection failed : Certificate unknown" because it does not trust the certificate(s) presented by the RKM Server webserver(s).
The following error is logged in migrate.log:

2011-09-12 17:34:24,467 INFO main - NO LOG MESSAGE
com.rsa.keymanager.sandpiper.engine.verify.KeyNotObtainedException: Cannot obtain a key from server for Key Class [mykeyclass Key Id [1234567890].
 at com.rsa.keymanager.sandpiper.engine.verify.LegacyCryptoMaster.getKey(LegacyCryptoMaster.java:58)
 at com.rsa.keymanager.sandpiper.engine.verify.LegacyCryptoMaster.encrypt(LegacyCryptoMaster.java:29)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultXRayMachine.encrypt(DefaultXRayMachine.java:76)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultXRayMachine.canEncrypt(DefaultXRayMachine.java:26)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.verify(DefaultAirTrafficController.java:83)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.checkPaper(DefaultAirTrafficController.java:59)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.checkPapers(DefaultAirTrafficController.java:51)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultAirTrafficController.verify(DefaultAirTrafficController.java:42)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultVerificationRunner.go(DefaultVerificationRunner.java:16)
 at com.rsa.keymanager.sandpiper.engine.main.DefaultMasterRunner.doRun(DefaultMasterRunner.java:34)
 at com.rsa.keymanager.sandpiper.engine.main.DefaultMasterRunner.run(DefaultMasterRunner.java:24)
 at com.rsa.keymanager.sandpiper.engine.migrate.DefaultSandpiper.run(DefaultSandpiper.java:46)
 at com.rsa.keymanager.sandpiper.engine.migrate.DefaultSandpiper.launch(DefaultSandpiper.java:24)
 at com.rsa.keymanager.sandpiper.engine.main.Main.main(Main.java:48)
Caused by: edge.com.rsa.kmclient.KMSException: com.rsa.kmclient.KMSException: Unable to get a vaild key from KMS Server: Unable to connect to KMS Server after 3 retries : KMS Server connection failed : Certificate unknown
 at edge.com.rsa.kmclient.DefaultKMClient.getKey(DefaultKMClient.java:31)
 at com.rsa.keymanager.sandpiper.engine.verify.DefaultLegacyKeyManagerClient.getKey(DefaultLegacyKeyManagerClient.java:26)
 at com.rsa.keymanager.sandpiper.engine.verify.LegacyCryptoMaster.getKey(LegacyCryptoMaster.java:54)
 ... 13 more
Caused by: com.rsa.kmclient.KMSException: Unable to get a vaild key from KMS Server: Unable to connect to KMS Server after 3 retries : KMS Server connection failed : Certificate unknown

 at com.rsa.kmclient.KMClient.getKey(Unknown Source)
 at edge.com.rsa.kmclient.DefaultKMClient.getKey(DefaultKMClient.java:28)
 ... 15 more
2011-09-12 17:34:24,469 INFO main - Client : Internal, Failed to verify Key Id '1234567890' in Key Class 'mykeyclass
Cause: The PKCS#12 file used by the verify tool contained the client certificate and its issuer CA certificate (say ClientRootCA). The CA certificate that issued the webserver certificate of the old RKM Server (say RootCAold) and the CA certificate that issued the webserver certificate of the migrated/new RKM Server (say RootCAnew) were not included in, and therefore not trusted through, the PKCS#12 file used by the verify tool. RKM Client 1.5.x, which the verify tool uses, must trust the issuing CA of the RKM Server's webserver certificate in order to establish the HTTPS connection. The migration tool assumes that during the upgrade the new webserver uses an SSL server certificate issued by the same CA as the old webserver (otherwise every RKM Client application MUST be made to trust the new CA, which may not be feasible when there are hundreds of such applications).

Notes:
- The verify tool uses RKM Client 1.5.x for validating keys when migrating from RKM Server version 2.0.x.
- RKM Client 1.5.x uses only a single CA certificate even if the PKCS#12 contains several, and that CA certificate must be the issuing CA that signed the RKM Server webserver SSL server certificate.
Resolution: Update the PKCS#12 used by the verify tool so that it includes (and therefore trusts) the CA certificates that issued the webserver SSL server certificates of the old RKM Server and of the migrated/new RKM Server. When the webserver SSL server certificates of the old and new RKM Servers chain to different CAs, separate PKCS#12 files must be created for the verify tool to validate the migrated keys successfully. Use the following steps and OpenSSL commands to update the existing PKCS#12:

1. Save the two CA certificates that signed the two webserver SSL server certificates (for old RKM Server and migrated/new RKM Server) into two separate files in PEM format.  Say the two files are RootCAold.pem and RootCAnew.pem corresponding to the two CA certificates.

2. Use OpenSSL to dump ONLY the client certificate and key from the existing PKCS#12 to a temporary file (use the original p12 password at all prompts):
     C:\...\OpenSSL>openssl pkcs12 -clcerts -in RKMClientCertKey.p12 -out RKMClientCertKeyONLY.pem

3. Use OpenSSL to create a new PKCS#12 (RKMClientCertKeySource.p12) containing the client certificate/key and the old RKM Server's CA certificate (RootCAold.pem); use the original p12 password at all prompts:
     C:\...\OpenSSL> openssl pkcs12 -export -in RKMClientCertKeyONLY.pem -out RKMClientCertKeySource.p12 -certfile RootCAold.pem

4. Similarly, use OpenSSL to create another PKCS#12 (RKMClientCertKeyTarget.p12) containing the client certificate/key and the new RKM Server's CA certificate (RootCAnew.pem); use the original p12 password at all prompts:
     C:\...\OpenSSL> openssl pkcs12 -export -in RKMClientCertKeyONLY.pem -out RKMClientCertKeyTarget.p12 -certfile RootCAnew.pem

5. Update input/source.cfg and configure kms.sslPKCS12File to point to RKMClientCertKeySource.p12 (this file contains the client cert/key and only RootCAold.pem)

6. Similarly update input/target.cfg and configure kms.sslPKCS12File to point to RKMClientCertKeyTarget.p12 (this file contains the client cert/key and only RootCAnew.pem)

7. Run the verify tool again; it should now validate the keys successfully, since the HTTPS connections to both the old and the new RKM Server succeed.
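The following script is an added example, not part of this article or of RSA's tooling, that runs steps 2 to 4 end to end and adds the two checks an operator would want before pointing source.cfg and target.cfg at the new files: that the CA placed in each PKCS#12 is really the issuer of the matching webserver certificate (openssl verify), and that each PKCS#12 carries exactly one CA certificate, since RKM Client 1.5.x honours only one. It assumes OpenSSL 1.1.1 or 3.x on the PATH and a POSIX shell; every certificate, key, file name and the password are generated on the fly as constructed test data and stand in for the real RKMClientCertKey.p12, RootCAold.pem and RootCAnew.pem.

```shell
#!/bin/sh
# Added example (not RSA's code): rebuild the verify tool's PKCS#12 with the client
# cert/key plus exactly one CA certificate, and check the CA before using the file.
# Assumptions: OpenSSL 1.1.1 or 3.x on PATH; all material below is constructed test data.

PASS=changeit        # constructed password used for every PKCS#12 and PEM key here

# make_ca NAME DIR : self-signed CA (stands in for RootCAold, RootCAnew, ClientRootCA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# make_signed_cert CA CN DIR : end-entity certificate CN issued by CA (webserver or client cert)
make_signed_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3/$2.key" -out "$3/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$3/$2.csr" -CA "$3/$1.pem" -CAkey "$3/$1.key" \
        -CAcreateserial -out "$3/$2.pem" 2>/dev/null
}

# ca_signs_cert CA.pem CERT.pem : exit 0 only if CA is the issuer that signed CERT.
# Step 1 of the article leaves this to the operator: the CA you bundle must be the
# one that issued the webserver SSL certificate, not merely some CA you trust.
ca_signs_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# strip_to_client P12 OUT.pem : step 2, client certificate and key only (-clcerts)
strip_to_client() {
    openssl pkcs12 -clcerts -in "$1" -out "$2" -passin "pass:$PASS" -passout "pass:$PASS"
}

# build_p12 CLIENT.pem CA.pem OUT.p12 : steps 3/4, client cert/key plus a single CA cert
build_p12() {
    openssl pkcs12 -export -in "$1" -certfile "$2" -out "$3" \
        -passin "pass:$PASS" -passout "pass:$PASS"
}

# p12_ca_count P12 : number of non-client certificates inside the PKCS#12.
# RKM Client 1.5.x uses only one CA certificate, so this must print 1.
p12_ca_count() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# demo : whole flow on constructed data; prints OK when every check behaves as the article predicts
demo() {
    d=$(mktemp -d) || return 1
    make_ca ClientRootCA "$d" && make_ca RootCAold "$d" && make_ca RootCAnew "$d" || return 1
    make_signed_cert ClientRootCA rkmclient "$d" || return 1   # verify tool's client identity
    make_signed_cert RootCAold rkm-old "$d" || return 1        # old RKM Server webserver cert
    make_signed_cert RootCAnew rkm-new "$d" || return 1        # new RKM Server webserver cert

    # The failing PKCS#12 from the article: client cert/key plus ClientRootCA only
    openssl pkcs12 -export -in "$d/rkmclient.pem" -inkey "$d/rkmclient.key" \
        -certfile "$d/ClientRootCA.pem" -out "$d/RKMClientCertKey.p12" -passout "pass:$PASS" || return 1
    if ca_signs_cert "$d/ClientRootCA.pem" "$d/rkm-old.pem"; then return 1; fi  # must NOT chain

    strip_to_client "$d/RKMClientCertKey.p12" "$d/RKMClientCertKeyONLY.pem" || return 1
    build_p12 "$d/RKMClientCertKeyONLY.pem" "$d/RootCAold.pem" "$d/RKMClientCertKeySource.p12" || return 1
    build_p12 "$d/RKMClientCertKeyONLY.pem" "$d/RootCAnew.pem" "$d/RKMClientCertKeyTarget.p12" || return 1

    # Each file holds exactly one CA, and that CA is the issuer of the matching webserver cert
    [ "$(p12_ca_count "$d/RKMClientCertKeySource.p12")" = 1 ] || return 1
    [ "$(p12_ca_count "$d/RKMClientCertKeyTarget.p12")" = 1 ] || return 1
    ca_signs_cert "$d/RootCAold.pem" "$d/rkm-old.pem" || return 1
    ca_signs_cert "$d/RootCAnew.pem" "$d/rkm-new.pem" || return 1
    if ca_signs_cert "$d/RootCAold.pem" "$d/rkm-new.pem"; then return 1; fi  # old CA must not vouch for new server
    rm -rf "$d"
    echo OK
}

demo
```

Against real servers, replace the constructed rkm-old.pem and rkm-new.pem with the certificates the webservers actually present (openssl s_client -connect host:port -showcerts prints them) before running ca_signs_cert. One caveat if you build the files with OpenSSL 3.x: its default PKCS#12 encryption differs from 1.x, and an older Java-based client may refuse to open the result; the OpenSSL 3 pkcs12 -legacy option produces the older format, but whether RKM Client 1.5.x needs it is not something this article states.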
Notes: KMSRV-1902
Legacy Article ID: a55867
