After changes in certificate keystore, Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) consoles not accessible for RSA Authentication Manager Prime Kit
Originally Published: 2020-06-04
Article Number
000044650
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager Prime Kit
Platform: Linux
Issue
After a change to the certificate keystores of the Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) services, the consoles are no longer accessible.

The catalina<date>.log for the services (<primekit_installation_directory>/logs/hdap/tomcat-hdap/catalina.yyyy-mm-dd.log for HDAP and <primekit_installation_directory>/logs/ssp/tomcat-ssp/catalina.yyyy-mm-dd.log for SSP) shows the following error:
04-Jun-2020 23:51:34.918 SEVERE [main] org.apache.catalina.core.StandardService.initInternal 
Failed to initialize connector [Connector[HTTP/1.1-8445]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8445]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:159)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
        ... 20 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 28 more
Cause
The keystore password configured for the affected service is incorrect, or the keystore file itself is corrupt.
Resolution
To resolve this issue, correct the keystore password in the configuration file of the affected service.

RSA Authentication Manager Integration Service

  1. Log in to RSA Authentication Manager Prime Kit server.
  2. Go to <Primekit_installation_directory>/configs/amis/tomcat-amis/setenv.sh.
  3. Make a copy of setenv.sh.
  4. Open setenv.sh.
  5. Correct the keystore password for AMIS (the keystore.pass value in the excerpt below).
  6. Save and close the file.
  7. Restart services as shown below.
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8443
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/amis_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass='password'"
...


Help Desk Admin Portal

  1. Log in to RSA Authentication Manager Prime Kit server.
  2. Go to <Primekit_installation_directory>/configs/hdap/tomcat-hdap/setenv.sh.
  3. Make a copy of setenv.sh.
  4. Open setenv.sh.
  5. Correct the keystore password for HDAP (the keystore.pass value in the excerpt below).
  6. Save and close the file.
  7. Restart services as shown below.
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8445
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/hdap_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass=password"
...


Self-Service Portal

  1. Log in to RSA Authentication Manager Prime Kit server.
  2. Go to <Primekit_installation_directory>/configs/ssp/tomcat-ssp/setenv.sh.
  3. Make a copy of setenv.sh.
  4. Open setenv.sh.
  5. Correct the keystore password for SSP (the keystore.pass value in the excerpt below).
  6. Save and close the file.
  7. Restart services as shown below.
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8444
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/ssp_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass=password"
...


Restart services

After saving and closing the relevant file, restart the service for that component for the change to take effect (use the one service name that matches the component you edited):
service tomcat-amis restart
service tomcat-hdap restart
service tomcat-ssp restart
Notes
Before updating the setenv.sh file, test the password against the keystore using keytool.
  1. Locate the certificate keystore whose password you want to test. By default it is in <PrimeKit_installation_directory>/certificates.
  2. Run the following command to test the password:
    # /opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
    Enter keystore password: <enter the keystore password to test>
If the test is successful, the output looks similar to this:
/opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
Enter keystore password: <enter the keystore password to test>
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

hdap, Apr 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): F9:E3:F1:BA:58:C7:CF:CF:7D:60:29:03:89:6C:7C:2D:9E:EB:51:03

If the password is incorrect, the output will be as follows:
/opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
Enter keystore password: <enter the keystore password to test>
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
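The following POSIX shell script is an added example; it is not part of the RSA article and is not a Prime Kit tool. It reads the keystore.file and keystore.pass values out of a service's setenv.sh, expands the $AMPRIMECWD placeholder to the installation directory, and runs the same keytool -list check described above, so an administrator can confirm the configured password opens the configured keystore before restarting the service. It assumes the directory layout from the article (setenv.sh under <install>/configs/<svc>/tomcat-<svc>/, keytool under <install>/java/latest/bin/) and that setenv.sh sets both -D properties inside double-quoted CATALINA_OPTS exports; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the RSA article or of the Prime Kit: check that the
# keystore password in a service's setenv.sh really opens the keystore that the
# same file points at, before that service is restarted.
# Assumed layout (from the article): setenv.sh under
# <install>/configs/<svc>/tomcat-<svc>/, keytool under <install>/java/latest/bin/,
# and -Dkeystore.file=... / -Dkeystore.pass=... set inside double-quoted
# CATALINA_OPTS exports. Function names are my own.

# Print the value of -D<name>=<value> from a setenv.sh; the last assignment wins,
# as it would when the shell sources the file. The value is returned exactly as
# the shell would pass it to Java, including any stray single quotes.
setenv_prop() {  # $1 = property name (e.g. keystore.pass), $2 = setenv.sh path
    val=""
    while IFS= read -r line; do
        case $line in
            *"-D$1="*)
                val=${line#*-D"$1"=}   # drop everything up to and including -Dname=
                val=${val%%\"*}        # drop the closing double quote and the rest
                ;;
        esac
    done < "$2"
    printf '%s\n' "$val"
}

# Replace the $AMPRIMECWD placeholder with the real installation directory.
resolve_install_path() {  # $1 = raw value from setenv.sh, $2 = install dir
    case $1 in
        '$AMPRIMECWD'/*) printf '%s\n' "$2${1#'$AMPRIMECWD'}" ;;
        *)               printf '%s\n' "$1" ;;
    esac
}

# Try the password against the keystore. Exit status: 0 = keystore opens,
# 1 = keytool rejected it ("Keystore was tampered with, or password was
# incorrect"), 2 = keytool not found. The password is written to keytool's
# standard input (which it reads when no terminal is attached) instead of being
# passed with -storepass, so it never appears in the process list.
check_keystore_password() {  # $1 = keytool path, $2 = keystore, $3 = password
    [ -x "$1" ] || return 2
    printf '%s\n' "$3" | "$1" -list -keystore "$2" >/dev/null 2>&1 || return 1
    return 0
}

main() {  # $1 = Prime Kit installation directory, $2 = amis | hdap | ssp
    setenv="$1/configs/$2/tomcat-$2/setenv.sh"
    keytool="$1/java/latest/bin/keytool"
    ks=$(resolve_install_path "$(setenv_prop keystore.file "$setenv")" "$1")
    pw=$(setenv_prop keystore.pass "$setenv")
    case $pw in
        "'"*"'") echo "warning: keystore.pass is wrapped in single quotes; inside the double-quoted CATALINA_OPTS string they reach Tomcat as part of the password" >&2 ;;
    esac
    rc=0
    check_keystore_password "$keytool" "$ks" "$pw" || rc=$?
    case $rc in
        0) echo "OK: password in $setenv opens $ks; tomcat-$2 can be restarted" ;;
        1) echo "FAIL: keytool rejects the password in $setenv for $ks; fix it before restarting tomcat-$2" >&2 ;;
        2) echo "ERROR: keytool not found at $keytool" >&2 ;;
    esac
    return $rc
}

if [ $# -eq 2 ]; then
    main "$@"
else
    echo "usage: $0 <primekit_install_dir> <amis|hdap|ssp>" >&2
fi
```

Run it as, for example, `sh check_setenv_keystore.sh /opt/rsa/primekit hdap` after editing setenv.sh and before `service tomcat-hdap restart`; a non-zero exit means the service would fail with the same "Keystore was tampered with, or password was incorrect" error shown in the catalina log. The value is deliberately not unquoted by the script: single quotes inside the double-quoted CATALINA_OPTS string are ordinary characters to the shell, so the check reports what Tomcat will actually receive.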

Note

  • The RSA Authentication Manager Prime Kit installation directory differs from one environment to another, and the administrator should know where it is; the subdirectories and file names beneath it do not change.
  • The steps for restarting a service also differ from one environment to another. The administrator should know how to restart a given service in their environment.