Incompatibility with Encoding of Private Key causes various issues on an RSA SecurID Access Identity Router running SLES12 SP5
Originally Published: 2021-02-23
Article Number
Applies To
RSA Product/Service Type: Cloud Authentication Service
RSA Version/Condition: Identity Router running SLES12 SP5
Issue
- The identity router's setup page does not load.
- The Application Portal does not load.
- Authenticating to resources integrated with Authentication Manager using the Authenticate Tokencode fails when the following integration is used: Enable RSA Authenticate App Users to Access Resources Protected by RSA Authentication Manager.
- RADIUS authentication fails with the following error in the radius.log of the identity router log bundle:
ERROR: (0) via: ERROR: Failed to get the handle.
ERROR: (0) via: ERROR: Rest authenticate call failed!
AND
The following message is seen in the identity router's symplified.log after publishing changes in the Cloud Administration Console with the identity router in debug mode:
[ServiceMonitor] DEBUG com.symplified.platform.linux.LinuxCmd[128] - Linux command returned response: LinuxCommandResponse [exitCode=0, output=Importing customer certs to NSS DB..
unable to load private key
140651206968976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
Task completed.
, error=null, timeout=false]Cause
Resolution
Notes
The radius.log and symplified.log can be viewed by:
- Access the IDR through SSH (Access SSH for Identity Router Troubleshooting)
- Run the following command to generate a log bundle on the identity router: bundlelogs
- Copy the log bundle off of the identity router and then view the two log files:
- /var/log/radius/radius.log
- /var/log/symplified/symplified.log
The identity router has the "iconv" encoding conversion utility on it. To use this utility to convert the private key, the following can be done:
- Copy the private key to the IDR's /tmp directory.
- SSH to the IDR.
- Gain root access on the IDR. (For steps on how to do this, Contact RSA Support)
- Run the following command:
- iconv -c -f UTF8 -t ASCII /tmp/<original_private.key> -o /tmp/<converted_private.key>
- Copy the converted private key off of the IDR and delete the private key files from the IDR's /tmp directory.
Related Articles
Error during migration: Error: Failed to massage migrated data org.postgresql.util.PSQLException: ERROR: update or delete… Number of Views Manually applying the definition files to ClamAV for RSA Authentication Manager 8.x Number of Views Windows Agent failing to authenticate local Group Membership with 30 Secs timeout Number of Views RSA Authentication Manager 8.2 SP1 system log shows error message: Message Key manager limit reached when using the RSA … Number of Views RSA Authentication Manager 8.1 SP 1 patch 1 backups to a Windows Shared Folder are failing after software upgrade Number of Views
Trending Articles
Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures RSA SecurID Software Token 5.0.2 Downloads for Microsoft Windows RSA Authentication Manager 8.9 Release Notes (January 2026) Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA Authentication Manager 8.8 Setup and Configuration Guide
Don't see what you're looking for?
