000034562 - "Error loading KeyStore" error with RTS while replacing DPM client certificate

Document created by RSA Customer Support Employee on Dec 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034562
Applies To: RSA Product Set: RSA Token Server (RTS) Appliance
RSA Version/Condition: 1.2.63

Issue
The following error may appear when replacing the Data Protection Manager (DPM) client certificate in RTS version 1.2.63 (or lower; not yet confirmed).

2016-12-14 20:48:46,309 ERROR [com.rsa.token.mvc.controller.SomController] - 12/14/2016 20:48:46.309 EST, 
messageId=78814,SOM_SERVER_INIT_ERROR,Server init failed with the message - [Error loading KeyStore]
Cause
RTS uses a DPM client that does not support PKCS#12 files whose PKCS#7 Encrypted data and Shrouded Keybags are encrypted with AES-256. To verify, use OpenSSL to inspect the PKCS#12 details:

$ openssl pkcs12 -in clientv2_full_sha256.p12 -nokeys -info -nocerts
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA1
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA1

In the example above, both the PKCS7 Encrypted data and the Shrouded Keybag use AES-256-CBC, which is the algorithm that is not supported.
Workaround
Re-encode your PKCS#12 with SHA1-3DES by passing the -certpbe and -keypbe options to openssl pkcs12 -export:
1. Export the CA chain from your PKCS#12:
openssl pkcs12 -in client.p12 -out chain.pem -nokeys -cacerts

2. Export the client certificate from your PKCS#12:
openssl pkcs12 -in client.p12 -out client.cer -nokeys -clcerts

3. Export the private key from your PKCS#12:
openssl pkcs12 -in client.p12 -out client.key -nocerts -aes256

4. Rebuild a new PKCS#12:
openssl pkcs12 -export -in client.cer -certfile chain.pem -inkey client.key -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out new_client.p12
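As an added example (not part of the RSA article), the following POSIX shell script wraps both the OpenSSL check from the Cause section and the four workaround steps above: p12_info_needs_reencode classifies the text that `openssl pkcs12 -info` prints (run here against two constructed samples, so that part needs no openssl), p12_needs_reencode runs the same check on a real file, and reencode_p12_sha1_3des performs the four-step rebuild in a private temporary directory. The function names, the password passing via -passin/-passout, and the constructed sample output for the SHA1-3DES case are assumptions of this example, not something the article shows.

```shell
#!/bin/sh
# Added example, not from the RSA article: detect whether a PKCS#12 file uses the
# AES-256 PBE that the RTS DPM client rejects, and re-encode it with PBE-SHA1-3DES
# following the article's four openssl steps.
# Assumed: the openssl CLI is on PATH for the two "live" functions; the offline
# classifier only needs grep and is exercised on constructed sample output.

# Constructed sample: the output shape shown in the article (AES-256-CBC PBE).
SAMPLE_AES_INFO='MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA1
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA1'

# Constructed sample (assumed): what openssl reports after re-encoding with
# PBE-SHA1-3DES, where both containers use pbeWithSHA1And3-KeyTripleDES-CBC.
SAMPLE_3DES_INFO='MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Exit 0 when the given "openssl pkcs12 -info" text shows an AES-based PBE on
# either the PKCS7 Encrypted data or the Shrouded Keybag line (re-encoding is
# needed); exit 1 when neither container uses AES.
p12_info_needs_reencode() {
    printf '%s\n' "$1" \
        | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):' \
        | grep -q 'AES'
}

# Live check on a real .p12 ($1) with import password $2.
# Exit 0 = needs re-encoding, 1 = no AES PBE found, 2 = openssl failed.
p12_needs_reencode() {
    info=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nocerts -info 2>&1) || return 2
    p12_info_needs_reencode "$info"
}

# Re-encode $1 into $2 (password $3 used for input and output), mirroring the
# article's four steps. Intermediate PEM files live in a mode-0700 temp dir that
# is removed afterwards; the key stays AES-256 protected while it is on disk.
reencode_p12_sha1_3des() {
    in_p12=$1; out_p12=$2; pw=$3
    tmp=$(mktemp -d) || return 1
    old_umask=$(umask); umask 077
    openssl pkcs12 -in "$in_p12" -passin "pass:$pw" -out "$tmp/chain.pem" -nokeys -cacerts &&
    openssl pkcs12 -in "$in_p12" -passin "pass:$pw" -out "$tmp/client.cer" -nokeys -clcerts &&
    openssl pkcs12 -in "$in_p12" -passin "pass:$pw" -out "$tmp/client.key" -nocerts -aes256 -passout "pass:$pw" &&
    openssl pkcs12 -export -in "$tmp/client.cer" -certfile "$tmp/chain.pem" \
        -inkey "$tmp/client.key" -passin "pass:$pw" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -out "$out_p12" -passout "pass:$pw"
    rc=$?
    umask "$old_umask"
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demo on the constructed samples (no openssl needed).
if p12_info_needs_reencode "$SAMPLE_AES_INFO"; then
    echo "AES sample: needs re-encoding with PBE-SHA1-3DES"
fi
if ! p12_info_needs_reencode "$SAMPLE_3DES_INFO"; then
    echo "3DES sample: already acceptable to the RTS DPM client"
fi
```

After rebuilding, rerun the Cause section's `openssl pkcs12 -info` command on new_client.p12 and confirm that no AES-256-CBC line remains. Note that -aes256 in step 3 only protects the intermediate PEM key file; the PBE algorithms the RTS DPM client actually sees are the ones chosen with -keypbe and -certpbe in step 4.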
