000034951 - Error "Could not generate DH keypair" between the RSA Token Server (RTS) and RSA Data Protection Manager

Document created by RSA Customer Support Employee on Mar 21, 2017. Last modified by RSA Customer Support on Jul 2, 2018.

Article Content

Article Number: 000034951
Applies To: RSA Product Set: Data Protection Manager
RSA Product/Service Type: RSA Token Server
RSA Version/Condition: 1.2.62
Issue: The RSA Token Server (RTS) is unable to connect to the RSA Data Protection Manager (DPM) Appliance. The error below is logged in RTS:

ERROR [kmc.audit] - 1.2.1.6 5.3: Error accessing key by key class name with parameter KeyClassName, javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair, res.cert.serial[0]=123456, res.cert.issuer[0]=CN=DPMClientCertificate
Cause: The RSA DPM 3.5.2.5 appliance now enforces a stronger TLS cipher suite, and the JVM in which the DPM Client runs inside RTS cannot complete the TLS handshake with that cipher, so the Diffie-Hellman key exchange fails with the error above.
Resolution: To resolve this issue:
  1. Log in as root on the DPM appliance.
  2. Generate new 1024-bit Diffie-Hellman (DH) parameters by running the following:


openssl dhparam 1024


  3. Append the PEM output of the command above to the file /opt/certs/serverCertificate, after the existing certificate block, so the file looks something like the following:


-----BEGIN CERTIFICATE-----
[...]
[...]
[...]
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBDAKBgQC2KlBvlSn0ZwhVEsMkfHAngjr6tnvEHxgOalADUObmNj3+j/0+GDdi
yTzDmgQ5xaDV1VZI9Hkgik53t1rSnEc3FVGPAh96688/8nJUeAQ6a6KBngMLQu/k
gP96uGlHN6KEDS8IkGzj2m1x956HgtReyD0O6Ti+MinMpi75jOuczQKBgQCoclv8
kp00xvPnHRDU5qhXmQqVHwup7TQ73W3MQUnc8XfTIKIJqkIluB+jFsm8Y8suu40l
0Gi8xeEYVO7KVmnCRvSoKoDGT/NkaprFJP4Gm28pWsGSqyz+4d8Lz8pdHFRi9a1F
uPZP9FPJcvy4UKDM2ZTmLGnfCuaG1XMbtQjKHAICAIA=
-----END DH PARAMETERS-----


  4. Restart Apache so the new DH parameters are loaded:


service httpd restart
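The four steps above as one POSIX shell script, added here as an example and not part of the RSA article: it takes a timestamped backup of the bundle, refuses to append a second DH PARAMETERS block if the fix was already applied, and validates the generated parameters with openssl before Apache is restarted. The file path and the 1024-bit size are the article's; the function names and the CERT_FILE override are my own assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes it is run as root on
# the DPM appliance; CERT_FILE can be overridden to point at a test copy.
set -e

CERT_FILE="${CERT_FILE:-/opt/certs/serverCertificate}"

# Print how many PEM blocks of type $2 ("CERTIFICATE", "DH PARAMETERS") file $1 holds.
# Prints 0 when the file is missing or has no such block.
count_pem_blocks() {
    n=$(grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null) || n="${n:-0}"
    echo "$n"
}

# Succeed (exit 0) when $1 already carries a DH PARAMETERS block.
has_dh_params() {
    [ "$(count_pem_blocks "$1" "DH PARAMETERS")" -gt 0 ]
}

# Append the DH parameters held in $2 to the bundle $1, exactly once.
# Returns 2 if $1 has no certificate, 3 if it already has DH parameters,
# 4 if $2 is not a PEM DH PARAMETERS file. A backup of $1 is kept first.
append_dh_params() {
    file="$1"; dhfile="$2"
    [ "$(count_pem_blocks "$file" CERTIFICATE)" -gt 0 ] || return 2
    has_dh_params "$file" && return 3
    grep -q "^-----BEGIN DH PARAMETERS-----" "$dhfile" || return 4
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    cat "$dhfile" >> "$file"
}

# The full procedure: generate 1024-bit parameters (the size the article
# uses), check them, append them to the bundle and restart Apache.
apply_fix() {
    tmp="$(mktemp)"
    openssl dhparam -out "$tmp" 1024
    openssl dhparam -in "$tmp" -check -noout
    append_dh_params "$CERT_FILE" "$tmp"
    rm -f "$tmp"
    service httpd restart
}

# Nothing happens unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then
    apply_fix
fi
```

Note that 1024-bit DH parameters are below what current TLS guidance recommends; this is a compatibility workaround matched to the older DPM client JVM in RTS, not a hardening step.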
