000031332 - Unable to view the auto-enrollment certificate pool in RSA Data Protection Manager Server or DPM appliance 3.5.2.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000031332
Applies To: RSA Product Set: Data Protection Manager
RSA Product/Service Type: Data Protection Manager Server
RSA Version/Condition: 3.5.2.1 and later

Issue
When trying to view the auto-enrollment certificate pool (P12), you may get this error:

CertStoreException: Unable to load the PKCS12 KeyStore with the given password

This error is caused by non-FIPS-compliant P12s that were present in the database prior to an upgrade to DPM Server 3.5.2.1.

Resolution
RSA recommends deleting all certificates in the pool, either via the GUI or by deleting all rows from the AUTOREG_KEYSTORE table in the database. Any new P12s imported must be FIPS compliant.
To delete all P12s from the pool, proceed with the following steps. This action is irreversible:

# switch to the Oracle software owner
su - oracle
# connect to the DPM database as SYSDBA
sqlplus / as sysdba
-- remove every stored P12 from the auto-enrollment pool (irreversible)
delete from local.autoreg_keystore_base;
commit;
-- leave SQL*Plus
exit
# leave the oracle shell
exit

If you are using OpenSSL to generate your PKCS#12, add the following options (AES-256-CBC password-based encryption for both the certificate and key bags, and a SHA-256 MAC):

openssl pkcs12 -export -inkey key.pem -in test.cer -out test.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
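To confirm that a P12 actually carries the algorithms those options select before importing it into the pool, the following added shell example (not RSA tooling) inspects the summary printed by openssl pkcs12 -info; it assumes the openssl CLI is on PATH and builds its own throw-away self-signed certificate for the demonstration.

```shell
#!/bin/sh
# Added example, not RSA tooling: check whether a PKCS#12 file uses the same
# algorithms as the article's openssl command (AES-256-CBC PBE for the
# certificate and key bags, SHA-256 MAC) before importing it into the pool.
# Assumes the openssl CLI is on PATH; file name and password are arguments.

p12_fips_ready() {
    file="$1"; pass="$2"
    # openssl prints the -info summary on stderr, so capture both streams
    info=$(openssl pkcs12 -info -noout -in "$file" -passin "pass:$pass" 2>&1) || return 2
    bad=0
    # every encrypted bag line must name AES-256-CBC (PBES2)
    if echo "$info" | grep -E 'PKCS7 Encrypted data|Shrouded Keybag' | grep -qv 'AES-256-CBC'; then
        bad=1
    fi
    # the MAC line must exist and must name sha256
    if ! echo "$info" | grep -E '^MAC:' | grep -q 'sha256'; then
        bad=1
    fi
    return $bad
}

# Build two throw-away P12s from a constructed self-signed certificate and run
# the check on both; returns 0 only if both are classified as expected.
demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out test.cer \
        -subj /CN=dpm-example -days 1 >/dev/null 2>&1
    # P12 built with the options the article recommends
    openssl pkcs12 -export -inkey key.pem -in test.cer -out good.p12 -passout pass:secret \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
    # P12 built with SHA-1-based PBE and MAC, i.e. without the article's options
    openssl pkcs12 -export -inkey key.pem -in test.cer -out weak.p12 -passout pass:secret \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
    good=0; p12_fips_ready good.p12 secret || good=$?
    weak=0; p12_fips_ready weak.p12 secret || weak=$?
    cd / && rm -rf "$dir"
    echo "good.p12 -> $good (0 = ready), weak.p12 -> $weak (1 = not ready)"
    [ "$good" -eq 0 ] && [ "$weak" -eq 1 ]
}
```

Run p12_fips_ready on the file you intend to import; a return code of 1 means at least one bag or the MAC still uses an algorithm other than the ones above, and 2 means openssl could not open the file with the given password.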


Workaround
If this is not possible, set the following JVM option and restart your application server:

-Dcom.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE

Notes
For more information, see the RSA Data Protection Manager Appliance Administrator's Guide, chapter "Security Considerations", section "Public Key Infrastructure Requirements", subsection "FIPS 140-2 Considerations".