|Applies To||RSA Product Set: Data Protection Manager|
RSA Product/Service Type: Data Protection Manager Server
RSA Version/Condition: 220.127.116.11 and later
|Issue||When you try to view the auto-enrollment certificate pool (P12), you may get this error:|
CertStoreException: Unable to load the PKCS12 KeyStore with the given password
This error is caused by non-FIPS-compliant P12s that were present in the database prior to an upgrade to DPM Server 18.104.22.168.
RSA recommends deleting all certificates in the pool, either via the GUI or by deleting all rows from the AUTOREG_KEYSTORE table in the database. Newly imported P12s need to be FIPS compliant.
To delete all P12s from the pool, proceed with the following steps. This action is irreversible:
su - oracle
If you are using OpenSSL to generate your PKCS#12, add the following options:
openssl pkcs12 -export -inkey key.pem -in test.cer -out test.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
If this is not possible, set the following JVM option and restart your application server:
|Notes||For more info see RSA Data Protection Manager Appliance Administrators Guide, chapter "Security Considerations", section "Public Key Infrastructure Requirements", subsection "FIPS 140-2 Considerations".|
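To check, before import, whether a P12 already carries the protection settings from the OpenSSL command in the resolution above, the following added example (not RSA code) classifies the report printed by `openssl pkcs12 -info -noout`. The function names, the `P12_PASS` variable and the sample reports are assumptions constructed for this example, and the check compares against the options on this page only; it is not a FIPS validation.

```shell
#!/bin/sh
# Added example (not RSA code): flag PKCS#12 files whose protection differs
# from the -certpbe/-keypbe AES-256-CBC and -macalg SHA256 options above.

# Classify text in the format printed by `openssl pkcs12 -info -noout`,
# read from stdin. Prints one line per finding; returns 0 only when clean.
check_p12_info() {
    awk '
        /^MAC:/ {
            mac_seen = 1
            if (tolower($0) !~ /sha256/) { print "mac: " $0; bad = 1 }
        }
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            bags++
            if ($0 !~ /AES-256-CBC/) { print "pbe: " $0; bad = 1 }
        }
        END {
            # Missing lines (old openssl, wrong password) are flagged too.
            if (!mac_seen) { print "mac: no MAC line found"; bad = 1 }
            if (!bags) { print "pbe: no encrypted bag found"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Inspect a real file. The password is read from the P12_PASS environment
# variable (name chosen for this example) so it stays off the command line.
# openssl writes the -info report to stderr, hence 2>&1.
check_p12_file() {
    openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>&1 |
        check_p12_info
}

# Constructed sample reports, not taken from a real DPM pool.
legacy_sample() {
    printf '%s\n' 'MAC: sha1, Iteration 2048' \
        'PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048' \
        'Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
}
aes_sample() {
    printf '%s\n' 'MAC: sha256, Iteration 2048' \
        'PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256' \
        'Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
}

# Usage: P12_PASS=... sh check_p12.sh test.p12
if [ -n "${1:-}" ]; then
    check_p12_file "$1" && echo "$1: matches the options above"
fi
```

A file that cannot be read at all (wrong password, unsupported legacy cipher) produces no bag lines and is therefore reported as a finding rather than passed.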