|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
Your password is incorrect. Correct your password, and try again.
GUILog.traceException(587) | exception:
keytool error: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
|Cause||We have seen this behavior mostly with Entrust or Entrust/Venafi certificates. An RSA console-generated Certificate Signing Request (CSR) also generates a public/private key pair and includes only the public key. The private key never leaves the RSA console keystore. The Certificate Authority (CA) response certificate will typically be in PKCS#7 format (i. e., either with a .cer or .p7b file extension). It will not include the private key and will not be password protected.|
If a third-party tool generates the CSR, it will also generate the public/private key pair, and the CA response certificate will typically be in a PKCS#12 format, with either a .pfx or .p12 file extension. It will be password-protected, because it also includes the private key.
It appears that in this case, the Entrust/Venafi certificate response used an RC2 algorithm to password-protect either the certificate file itself or the private key within the .pfx certificate file.
The Authentication Manager Operations Console flagged this as an incorrect password, but the /opt/rsa/am/server/logs/ops-console.log and keytool flagged it with the following error:
Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
The /opt/rsa/am/server/logs/imsTrace.log will show this error:
com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: MacData.MacData: MAC Verification failed
|Resolution||Since RC2 is not FIPS-compliant, Entrust or another third-party CA must use another algorithm that is FIPS-compliant.|
|Workaround||Import this PKCS#12 formatted certificate response file into another tool such as OpenSSL and export it with a password with 3DES or another algorithm that is FIPS 140-2 compliant, such as AES. One can use OpenSSL that comes in the Authentication Manager installation to do this.|
openssl pkcs12 -in <PKCS#12_filename> -out <encrypted_PEM_filename>
rsaadmin@am81p:~> ls /tmp/vmrsa*
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <path to .pem file and file name> -out >path to .pfx file and file name> -name "<machine_name>"
rsaadmin@am81p:~> openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in /tmp/vmrsa01.pem -out /tmp/vmrsa01pbe.pfx -name "vmrsa01-2016"
rsaadmin@am81p:~> openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <encrypted_PEM_filename> -out <PKCS#12_filename> -name "<display_name>"
|Notes||The error message "This certificate or its signing CA is not valid" could indicate that the imported certificate response is not for this particular server, possibly because the fully qualified domain name (FQDN) of the Authentication Manager server should match the Common Name (CN) within the subject field of the certificate response, as shown here:|
The error could also indicate the private key is not in the PKCS#12 file or also that a private key is included in a PKCS#7 certificate response file when it is not expected to be there.