SecurID® Discussions
RodrigoHerrera1
Contributor

Securid SDK 8.2 Bad Certificate

Hi... we have SecurID 8.2 SP1 patch 7, SDK 8.2 SP1 for Java, Tomcat 8, Java 1.8, and we did import the SecurID CA certificate into the Tomcat keystore and set the -Djavax.net.ssl.trustStore parameter. So, we try to connect our API, but the system returns:

javax.net.ssl.SSLException: Certificate not verified.

After debug catalina, the detailed error is:

Certificate validation failed with message: Parameters must be PKIXParameters or be CertPathWithOCSPParameters containing PKIXOParameters.

Can anyone give some idea about this?

Thanks.
OmarAllam
Employee

Hello Rodrigo,

Make sure that you imported the root certificate, not the server certificate, into the Tomcat keystore (check the steps below):

  1. Launch Internet Explorer, and go to the following URL: https://server_name:7002. The Error 404 page appears.
  2. Right click anywhere on the Error 404 page and select Properties.
  3. In the Properties dialog box, click Certificates.
  4. In the Certificate dialog box, select the Certification Path tab.
  5. Click the top item in the certificate path.
  6. Click View Certificate.
  7. In the Certificate dialog box, click the Details tab.
  8. Click Copy to File.
  9. On the Certificate Export Wizard page, click Next.
  10. On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.
  11. On the File to Export page, click Browse.
  12. Browse to a location to store the root certificate, enter am_root.cer in the File name field, make sure that Save as type is DER Encoded Binary X.509(*.cer), and click Save.
  13. On the File to Export page, click Next.
  14. On the Completing the Certificate Export page, click Finish.
  15. Click OK.

If you are using an SSL EJB connection, make sure you use the Java system property below on the Java command line:

-Dweblogic.security.SSL.trustedCAKeyStore=SDK_HOME/lib/java/trust.jks

For an SSL SOAP connection, please check the following:

-Djavax.net.ssl.trustStore=SDK_HOME/lib/java/trust.jks

Thanks,

Best regards.

Omar Allam

Hi Omar...

We did import the root certificate (the debug output shows negotiation with it). And we changed JAVA_OPTS to include -Djavax.net.ssl.trustStore (our app server is Tomcat).

Any idea?

Thanks.

Hello Rodrigo,

Run the command below from the location where you have the keystore to list the certificates and confirm that the certificate inside the keystore has the same fingerprint as the AM root certificate.

keytool -list -keystore <XXX>.jks

Thanks,

Best regards.

Omar Allam
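As an added example (not code from this thread or from the SecurID SDK), the following Java program does the fingerprint comparison Omar describes programmatically and then runs a PKIX path validation against the same trust store with plain PKIXParameters, which is the parameter type the original error message says the validator expects. It assumes a JKS trust store, its password, the exported am_root.cer, and optionally the server certificate chain as DER or PEM files; the class name TrustStoreCheck and the argument layout are my own choices. It also prints the installed security providers and the provider that supplied the PKIX validator, which is the first thing to compare between the working and failing JVMs when a FIPS provider is suspected.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Added example: verifies that the exported root is really in the trust store
// and that a server chain validates to it with the JVM's PKIX validator.
public class TrustStoreCheck {

    // Hex SHA-256 fingerprint of a certificate, the same value keytool -list -v prints.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Reads one DER- or PEM-encoded X.509 certificate (e.g. the exported am_root.cer).
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Step 1: look for the root by fingerprint, not by alias, so a wrong file
    // imported under the expected alias is still detected.
    static boolean trustStoreContains(KeyStore ks, X509Certificate root) throws Exception {
        String want = fingerprint(root);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (fingerprint(c).equals(want)) {
                System.out.println("root found under alias '" + alias + "': " + want);
                return true;
            }
        }
        return false;
    }

    // Step 2: the same PKIX validation the SSL trust manager performs, with plain
    // PKIXParameters built from the trust store. chain is leaf first, without the root.
    static X509Certificate validate(KeyStore ks, List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(new ArrayList<X509Certificate>(chain));
        PKIXParameters params = new PKIXParameters(ks); // uses every trusted cert entry as an anchor
        params.setRevocationEnabled(false);             // offline check: no OCSP/CRL fetch
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        System.out.println("PKIX validator supplied by provider: " + cpv.getProvider().getName());
        PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(path, params);
        return res.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <trust.jks> <password> <am_root.cer> [server.cer intermediate.cer ...]");
            return;
        }
        System.out.println("installed security providers (in priority order):");
        for (Provider p : Security.getProviders()) System.out.println("  " + p.getName());

        KeyStore ks = loadTrustStore(args[0], args[1].toCharArray());
        X509Certificate root = loadCert(args[2]);
        if (!trustStoreContains(ks, root)) {
            System.out.println("root fingerprint " + fingerprint(root) + " NOT present in " + args[0]);
            return;
        }
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 3; i < args.length; i++) chain.add(loadCert(args[i]));
        if (chain.isEmpty()) return;
        try {
            X509Certificate anchor = validate(ks, chain);
            System.out.println("chain validates to anchor: " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("chain rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Run it with the same JVM and the same -Djava.security.properties / provider configuration that Tomcat uses, since the original error comes from the provider's parameter handling rather than from the certificate itself; if the fingerprint check passes and the chain validates here but the SDK still fails, the provider list printed at the top is the place to look.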

PiersB
Trusted Contributor

You might also run some tests starting the Tomcat server with "-Djavax.net.debug=all". Alternatively, you could limit the output by using "ssl:trustmanager" in place of "all".

Some other options are available in the JSSE Reference Guide under Debugging Utilities.

Hello Piers...

I did it, and after reinstalling Java (without making changes to the security providers) this works now.

But the authentication API needs changes to the security providers.

Looks like an incompatibility between FIPS and non-FIPS.

Does someone else have this issue?

Thanks.