This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Announcements
SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
- RSA Community
- :
- Products
- :
- SecurID
- :
- Knowledge Base
- :
- After changes in certificate keystore, Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) c...
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
After changes in certificate keystore, Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) consoles not accessible for RSA Authentication Manager Prime Kit
Article Number
000038968
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager Prime Kit
Platform: Linux
RSA Product/Service Type: RSA Authentication Manager Prime Kit
Platform: Linux
Issue
After change to the certificates keystores of the Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) services, the consoles are not accessible.
The catalina<date>.log for the services (<primekit_installation_directory>/logs/hdap/tomcat-hdap/catalina.yyyy-mm-dd.log for HDAP and <primekit_installation_directory>/logs/ssp/tomcat-ssp/catalina.yyyy-mm-dd.log for SSP) shows the following error:
The catalina<date>.log for the services (<primekit_installation_directory>/logs/hdap/tomcat-hdap/catalina.yyyy-mm-dd.log for HDAP and <primekit_installation_directory>/logs/ssp/tomcat-ssp/catalina.yyyy-mm-dd.log for SSP) shows the following error:
04-Jun-2020 23:51:34.918 SEVERE [main] org.apache.catalina.core.StandardService.initInternal
Failed to initialize connector [Connector[HTTP/1.1-8445]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8445]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:159)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
... 20 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 28 moreCause
The password of the certificate keystore of the affected service is either incorrect, or the keystore is corrupt.
Resolution
To resolve this issue, correct the keystore password in the configuration file of the affected service.
After the saving and closing the relevant file, restart the service for that component for the change to take effect:
RSA Authentication Manager Integration Service
- Log in to RSA Authentication Manager Prime Kit server.
- Go to <Primekit_installation_directory>/configs/amis/tomcat-amis/setenv.sh.
- Make a copy of setenv.sh.
- Open setenv.sh.
- Correct the keystore password in the bolded sections for AMIS.
- Save and close the file.
- Restart services as shown below.
#!/bin/sh # AM PRIME VARIABLES ============================================================= # OPTIONAL TO UPDATE TOMCAT_HTTPS_PORT=8443 export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/amis_keystore_new.jks" export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass='password'" ...
Help Desk Admin Portal
- Log in to RSA Authentication Manager Prime Kit server.
- Go to <Primekit_installation_directory>/configs/hdap/tomcat-hdap/setenv.sh.
- Make a copy of setenv.sh.
- Open setenv.sh.
- Correct the keystore password in the bolded sections for AMIS.
- Save and close the file.
- Restart services as shown below.
#!/bin/sh # AM PRIME VARIABLES ============================================================= # OPTIONAL TO UPDATE TOMCAT_HTTPS_PORT=8445 export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/hdap_keystore_new.jks" export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass=password" ...
Self-Service Portal
- Log in to RSA Authentication Manager Prime Kit server.
- Go to <Primekit_installation_directory>/configs/ssp/tomcat-ssp/setenv.sh.
- Make a copy of setenv.sh.
- Open setenv.sh.
- Correct the keystore password in the bolded sections for AMIS.
- Save and close the file.
- Restart services as shown below.
#!/bin/sh # AM PRIME VARIABLES ============================================================= # OPTIONAL TO UPDATE TOMCAT_HTTPS_PORT=8444 export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/ssp_keystore_new.jks" export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass=password" ...
Restart services
After the saving and closing the relevant file, restart the service for that component for the change to take effect:
service tomcat-amis | tomcat-hdap | tomcat-ssp restart
Notes
Test the password with the keystore before updating the setenv.sh file using keytool.
If the password is incorrect, the output will be as follows:
- Locate the certificate keystore for which you want to test its password. By default it will be in <PrimeKit_installation_directory>certificates.
- Run the following command to test the password:
# /opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks Enter keystore password: <enter the keystore password to test>
If the test is successful, the output will look something like this.
/opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks Enter keystore password: <enter the keystore password to test> Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry hdap, Apr 5, 2019, PrivateKeyEntry, Certificate fingerprint (SHA1): F9:E3:F1:BA:58:C7:CF:CF:7D:60:29:03:89:6C:7C:2D:9E:EB:51:03
If the password is incorrect, the output will be as follows:
/opt/rsa/primekit/java/latest/bin/keytool -list -keystore /opt/rsa/primekit/certificates/hdap_keystore_new.jks
Enter keystore password: <enter the keystore password to test>
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Note
- The RSA Authentication Manager Prime Kit installation directory will differ from one environment to the other. The administrator should be aware of the installation directory. However, the subdirectories and file names will not change.
- Restarting the service steps will differ from one environment to the other. The administrator should know how to restart a certain service in their environment.
Tags (33)
- All Versions
- Any Version
- Break Fix
- Break Fix Issue
- Broken
- CLI
- CLI Issue
- CLI Problem
- Command Line
- Command-Line
- Command-Line Issue
- Console
- Console Issue
- Console Problem
- Customer Support Article
- Every Version
- Issue
- Issues
- KB Article
- Knowledge Article
- Knowledge Base
- Prime
- Prime Offering
- Problem
- RSA SecurID
- RSA SecurID Access
- RSA SecurID Access Prime
- RSA SecurID Suite
- SecurID
- SecurID Access
- SecurID Access Prime
- SecurID Suite
- Version Agnostic
No ratings
