000034951 - Error "Could not generate DH keypair" between RTS and RSA Data Protection Manager

Document created by RSA Customer Support Employee on Mar 21, 2017

Article Content

Article Number: 000034951
Applies To:
RSA Product Set: Data Protection Manager
RSA Product/Service Type: RSA Token Server
RSA Version/Condition: 1.2.62
Issue: RTS is unable to connect to the DPM appliance, and the following error is logged in RTS:

ERROR [kmc.audit] - 1.2.1.6 5.3: Error accessing key by key class name with parameter KeyClassName, javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair, res.cert.serial[0]=123456, res.cert.issuer[0]=CN=DPMClientCertificate

Cause: The RSA DPM appliance 3.5.2.5 now enforces a stronger TLS cipher, and the JVM in which the DPM Client runs inside RTS is not able to handle that cipher.
Resolution
  1. Log in as root on the DPM appliance.
  2. Generate new Diffie-Hellman parameters by running:
openssl dhparam 1024

  3. Append the output of the command above to the file /opt/certs/serverCertificate, so the file looks something like the following:
-----BEGIN CERTIFICATE-----
[...]
[...]
[...]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBDAKBgQC2KlBvlSn0ZwhVEsMkfHAngjr6tnvEHxgOalADUObmNj3+j/0+GDdi
yTzDmgQ5xaDV1VZI9Hkgik53t1rSnEc3FVGPAh96688/8nJUeAQ6a6KBngMLQu/k
gP96uGlHN6KEDS8IkGzj2m1x956HgtReyD0O6Ti+MinMpi75jOuczQKBgQCoclv8
kp00xvPnHRDU5qhXmQqVHwup7TQ73W3MQUnc8XfTIKIJqkIluB+jFsm8Y8suu40l
0Gi8xeEYVO7KVmnCRvSoKoDGT/NkaprFJP4Gm28pWsGSqyz+4d8Lz8pdHFRi9a1F
uPZP9FPJcvy4UKDM2ZTmLGnfCuaG1XMbtQjKHAICAIA=
-----END DH PARAMETERS-----

  4. Restart Apache by running:
service httpd restart
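Before restarting Apache it is worth confirming that the edit in step 3 produced what the article describes: exactly one CERTIFICATE block followed by exactly one DH PARAMETERS block, both decodable, with the DH prime at the expected size. The check below is an added example and is not part of the RSA article or the DPM product; it is plain Python with no OpenSSL dependency. It assumes the file layout from step 3 and takes the path of the file as its only argument (the built-in sample is constructed here: its certificate body is a placeholder DER SEQUENCE, not a real certificate, while the DH block is the one shown above). The prime size is the value worth reading off, because Java 7 and earlier JVMs reject Diffie-Hellman primes larger than 1024 bits with exactly the "Could not generate DH keypair" message in the Issue section; 1024 is therefore a compatibility choice for that JVM rather than a strength choice.

```python
"""Sanity-check serverCertificate after DH parameters are appended (added example, not RSA's code)."""
import base64
import re
import sys
from typing import Dict, List, Tuple

# One PEM block: label, base64 body, and the matching END line; re.S lets the body span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return [(label, der_bytes), ...] for every well-formed PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), re.sub(r"\s+", "", match.group(2))
        # validate=True rejects stray characters, so a mangled paste fails here, not at TLS time.
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def _read_tlv(der: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Minimal DER reader: returns (tag, value, position just after the element)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(der[pos:pos + count], "big")
        pos += count
    return tag, der[pos:pos + length], pos + length


def dh_param_info(der: bytes) -> Dict[str, int]:
    """Decode PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER [, privateValueLength INTEGER] }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DH PARAMETERS block is not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("unexpected DER tag %#x inside DH parameters" % tag)
        ints.append(int.from_bytes(value, "big"))
    if len(ints) < 2:
        raise ValueError("DH parameters must contain at least p and g")
    return {"prime_bits": ints[0].bit_length(),
            "generator_bits": ints[1].bit_length(),
            "field_count": len(ints)}


def check_server_certificate(text: str) -> Dict[str, int]:
    """Validate the layout the article asks for and return the DH parameter details."""
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    for wanted in ("CERTIFICATE", "DH PARAMETERS"):
        if labels.count(wanted) != 1:
            raise ValueError("expected exactly one %s block, found %d" % (wanted, labels.count(wanted)))
    if labels.index("CERTIFICATE") > labels.index("DH PARAMETERS"):
        raise ValueError("DH PARAMETERS must come after the certificate, as in the article")
    der = dict(blocks)
    if der["CERTIFICATE"][:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("CERTIFICATE block does not decode to a DER SEQUENCE")
    return dh_param_info(der["DH PARAMETERS"])


# Constructed sample in the article's layout: the certificate body is a placeholder
# DER SEQUENCE (not a real certificate); the DH block is the one printed in the article.
SAMPLE_FILE = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBDAKBgQC2KlBvlSn0ZwhVEsMkfHAngjr6tnvEHxgOalADUObmNj3+j/0+GDdi
yTzDmgQ5xaDV1VZI9Hkgik53t1rSnEc3FVGPAh96688/8nJUeAQ6a6KBngMLQu/k
gP96uGlHN6KEDS8IkGzj2m1x956HgtReyD0O6Ti+MinMpi75jOuczQKBgQCoclv8
kp00xvPnHRDU5qhXmQqVHwup7TQ73W3MQUnc8XfTIKIJqkIluB+jFsm8Y8suu40l
0Gi8xeEYVO7KVmnCRvSoKoDGT/NkaprFJP4Gm28pWsGSqyz+4d8Lz8pdHFRi9a1F
uPZP9FPJcvy4UKDM2ZTmLGnfCuaG1XMbtQjKHAICAIA=
-----END DH PARAMETERS-----
"""

if __name__ == "__main__":
    # Usage: python check_server_certificate.py /opt/certs/serverCertificate
    # With no argument the constructed sample above is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE
    print(check_server_certificate(text))
```

On the sample the result is prime_bits 1024, generator_bits 1024 and field_count 3 (the third INTEGER is the optional privateValueLength that OpenSSL emits for this style of parameters). Any ValueError points at the exact layout problem, which is cheaper to find here than from a failed RTS connection after the restart.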
