000014277 - RKM Java Client 1.5.x: Certificate unknown

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014277
Applies To: RSA Key Manager Client 1.5.x
Java
Issue: RKM: The identity of the request could not be established
RSA Key Manager Client 1.5.x debug output shows "com.rsa.kmclient.KMClient : getKeyFromServer: KMS connect failed : KMS Server connection failed : Certificate unknown"

For example:
com.rsa.kmclient.KMSConnection : Connect start
com.rsa.kmclient.KMSConnection : Set SSLParams
com.rsa.kmclient.KMSConnection : Seeded PRNG
com.rsa.kmclient.KMSConnection : Added CA Certificate to SSL Params
com.rsa.kmclient.KMSConnection : Cert chain level : 1
com.rsa.kmclient.KMSConnection : Connection step1
com.rsa.kmclient.KMSConnection : Connection step2
com.rsa.kmclient.KMSConnection : Connection step3
com.rsa.kmclient.KMSConnection : Connection step4
com.rsa.kmclient.KMSConnection : Time took to connect to KMS Server : 23 millisec
com.rsa.kmclient.KMSConnection : Connection step5
com.rsa.kmclient.KMSConnection : Time took to error out of KMS Server : 109 millisec
com.rsa.kmclient.KMSConnection : KMS Server connection failed . error : Certificate unknown
com.rsa.ssl.AlertedException: Certificate unknown
        at com.rsa.ssl.common.ClientProtocol.sendHello(Unknown Source)
        at com.rsa.ssl.common.ClientProtocol.startHandshake(Unknown Source)
        at com.rsa.ssl.SSLSocket.getInputStream(Unknown Source)
        at com.rsa.kmclient.KMSConnection.connect(Unknown Source)
        at com.rsa.kmclient.KMClient.b(Unknown Source)
        at com.rsa.kmclient.KMClient.getKey(Unknown Source)
        at GetKeyNoKeyID.main(GetKeyNoKeyID.java:52)
com.rsa.kmclient.KMClient : getKeyFromServer: KMS connect failed : KMS Server connection failed : Certificate unknown
com.rsa.kmclient.KMSException: KMS Server connection failed : Certificate unknown
        at com.rsa.kmclient.KMSConnection.connect(Unknown Source)
        at com.rsa.kmclient.KMClient.b(Unknown Source)
        at com.rsa.kmclient.KMClient.getKey(Unknown Source)
        at GetKeyNoKeyID.main(GetKeyNoKeyID.java:52)
Cause: The SSL handshake fails because the client does not trust the server certificate.

RKM Java Client 1.5.x trusts the root certificate that is provided in the PKCS #12 file and uses it to verify the server certificate. (The RKM 1.5.x C Client and the RKM 1.5.x Java Client differ in behavior here, so the C client works even if the PKCS #12 file does not contain the server's CA certificate.)
Resolution: Create a new PKCS #12 file that contains the server's CA certificate (it does not need to contain the client's CA certificate). The server's CA certificate can be obtained by using a Web browser to browse to the Web server using https:// and clicking on the lock icon to display the server certificate chain. The server's CA certificate should be a self-signed certificate.
Legacy Article ID: a44713
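
The check below is an added example, not RSA code or part of the original article: it tests whether a PKCS #12 file carries a CA certificate that verifies a given server certificate, which is the condition the Resolution asks for. It assumes the `openssl` command line (1.1.0 or later); the file names, subjects, password and the demo CA are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA code). Requires OpenSSL 1.1.0+ for -no-CApath.
# All file names, subjects and the password "changeit" are constructed.

# p12_trusts_server P12 PASSWORD SERVER_CERT_PEM
# Exit 0 only if the CA certificates inside the PKCS #12 file build a
# complete chain to a self-signed root for the server certificate.
p12_trusts_server() {
    cas=$(mktemp) || return 2
    # -cacerts -nokeys: dump only CA certificates, never keys or the client cert
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts \
        -out "$cas" 2>/dev/null
    rc=1
    if grep -q 'BEGIN CERTIFICATE' "$cas"; then
        # -no-CApath: ignore the system trust directory, use only the file
        openssl verify -no-CApath -CAfile "$cas" "$3" >/dev/null 2>&1 && rc=0
    fi
    rm -f "$cas"
    return "$rc"
}

# make_demo DIR: build constructed test material (CA, server cert, client
# cert) and two PKCS #12 files, one without and one with the server's CA.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Server CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kms.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo client" \
        -keyout "$d/cli.key" -out "$d/cli.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/cli.pem" -inkey "$d/cli.key" \
        -passout pass:changeit -out "$d/without-ca.p12" &&
    openssl pkcs12 -export -in "$d/cli.pem" -inkey "$d/cli.key" \
        -certfile "$d/ca.pem" -passout pass:changeit -out "$d/with-ca.p12"
}

demo=$(mktemp -d) && make_demo "$demo"
for f in without-ca.p12 with-ca.p12; do
    if p12_trusts_server "$demo/$f" changeit "$demo/srv.pem"; then
        echo "$f: contains a CA that verifies the server certificate"
    else
        echo "$f: no CA in the file verifies the server certificate"
    fi
done
rm -rf "$demo"
```

To check a real file, call `p12_trusts_server` with the client's PKCS #12 file, its password and the server certificate saved in PEM form.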
