Article Number
000038968
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager Prime Kit
Platform: Linux
Issue
After a change to the certificate keystores of the Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) services, the consoles are no longer accessible.
The catalina.<date>.log of the affected service (<primekit_installation_directory>/logs/hdap/tomcat-hdap/catalina.yyyy-mm-dd.log for HDAP and <primekit_installation_directory>/logs/ssp/tomcat-ssp/catalina.yyyy-mm-dd.log for SSP) shows the following error:
04-Jun-2020 23:51:34.918 SEVERE [main] org.apache.catalina.core.StandardService.initInternal
Failed to initialize connector [Connector[HTTP/1.1-8445]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8445]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:159)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
... 20 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 28 more
Cause
The keystore password configured for the affected service is incorrect, or the keystore file itself is corrupt.
Resolution
To resolve this issue, correct the keystore password in the configuration file of the affected service.
RSA Authentication Manager Integration Service
- Log in to the RSA Authentication Manager Prime Kit server.
- Go to <Primekit_installation_directory>/configs/amis/tomcat-amis/setenv.sh.
- Make a copy of setenv.sh.
- Open setenv.sh.
- Correct the keystore password in the keystore.pass line of the AMIS section shown below.
- Save and close the file.
- Restart the service as described under Restart services.
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8443
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/amis_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass='password'"
...
Help Desk Admin Portal
- Log in to the RSA Authentication Manager Prime Kit server.
- Go to <Primekit_installation_directory>/configs/hdap/tomcat-hdap/setenv.sh.
- Make a copy of setenv.sh.
- Open setenv.sh.
- Correct the keystore password in the keystore.pass line of the HDAP section shown below.
- Save and close the file.
- Restart the service as described under Restart services.
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8445
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/hdap_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass=password"
...
Self-Service Portal
- Log in to the RSA Authentication Manager Prime Kit server.
- Go to <Primekit_installation_directory>/configs/ssp/tomcat-ssp/setenv.sh.
- Make a copy of setenv.sh.
- Open setenv.sh.
- Correct the keystore password in the keystore.pass line of the SSP section shown below.
- Save and close the file.
- Restart the service as described under Restart services.
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8444
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/ssp_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass=password"
...
Restart services
After saving and closing the relevant file, restart the service for that component for the change to take effect:
service <service-name> restart
where <service-name> is tomcat-amis, tomcat-hdap or tomcat-ssp.
Notes
Before updating the setenv.sh file, test the password against the keystore using keytool.
- Locate the certificate keystore whose password you want to test. By default it is in <PrimeKit_installation_directory>/certificates.
- Run the following command to test the password:
# /opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
Enter keystore password: <enter the keystore password to test>
If the test is successful, the output looks like this:
/opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
Enter keystore password: <enter the keystore password to test>
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
hdap, Apr 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): F9:E3:F1:BA:58:C7:CF:CF:7D:60:29:03:89:6C:7C:2D:9E:EB:51:03
If the password is incorrect, the output will be as follows:
/opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
Enter keystore password: <enter the keystore password to test>
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
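The keytool check above can be scripted so that the password actually written in a service's setenv.sh is verified against the keystore that file points at before the service is restarted. This is an added example, not RSA tooling: it assumes the setenv.sh layout shown in the Resolution section, that $AMPRIMECWD is set to the Prime Kit installation directory by the service's start scripts, and an optional KEYTOOL variable pointing at the Prime Kit keytool binary.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): read keystore.file and keystore.pass from a
# Prime Kit service's setenv.sh and test the password against that keystore with
# keytool before the service is restarted. KEYTOOL and the install dir are assumptions.

# Print the value of -D<name>=<value> from a setenv.sh, with surrounding single
# quotes stripped. Note: quotes inside the double-quoted CATALINA_OPTS string
# (e.g. -Dkeystore.pass='password') are passed literally to the JVM, so a value
# that only works after stripping points to a quoting problem in the file.
setenv_prop() {
    # $1 = setenv.sh path, $2 = property name (keystore.file or keystore.pass)
    sed -n "s/.*-D$2=\([^ \"]*\).*/\1/p" "$1" | head -n 1 | sed "s/^'\(.*\)'$/\1/"
}

# Resolve keystore.file to an absolute path: the Prime Kit start scripts set
# $AMPRIMECWD to the installation directory, which differs per environment.
resolve_keystore_file() {
    # $1 = setenv.sh path, $2 = installation directory (value of AMPRIMECWD)
    f=$(setenv_prop "$1" keystore.file)
    prefix='$AMPRIMECWD'
    case $f in
        "$prefix"*) f="$2${f#"$prefix"}" ;;
    esac
    printf '%s\n' "$f"
}

# Non-interactive version of the keytool -list test from the Notes section.
# The password is passed via the environment (-storepass:env) so it does not
# appear in the process list. Returns 0 if the keystore opens, 1 if keytool
# rejects it ("Keystore was tampered with, or password was incorrect"), 2 if
# no keytool binary is available.
check_keystore_password() {
    # $1 = keystore path, $2 = password to test
    kt=${KEYTOOL:-keytool}
    command -v "$kt" >/dev/null 2>&1 || return 2
    KSPASS="$2" "$kt" -list -keystore "$1" -storepass:env KSPASS >/dev/null 2>&1
}

# Check one service's setenv.sh; exit status as for check_keystore_password.
check_service() {
    # $1 = setenv.sh path, $2 = installation directory
    check_keystore_password "$(resolve_keystore_file "$1" "$2")" "$(setenv_prop "$1" keystore.pass)"
}

# Constructed sample in the layout of the excerpts above (not a real file).
write_sample_setenv() {
    # $1 = output path, $2 = service (amis/hdap/ssp), $3 = password as written
    cat > "$1" <<EOF
#!/bin/sh
export CATALINA_OPTS="\$CATALINA_OPTS -Dkeystore.file=\$AMPRIMECWD/certificates/$2_keystore_new.jks"
export CATALINA_OPTS="\$CATALINA_OPTS -Dkeystore.pass=$3"
EOF
}
```

Run check_service <Primekit_installation_directory>/configs/hdap/tomcat-hdap/setenv.sh <Primekit_installation_directory> after editing the file; a non-zero status means the service would fail at startup with the error shown in the Issue section.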
Note
- The RSA Authentication Manager Prime Kit installation directory differs from one environment to another. The administrator should know the installation directory of their deployment; the subdirectories and file names do not change.
- The steps to restart a service also differ from one environment to another. The administrator should know how to restart a given service in their environment.