This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Incompatibility with Encoding of Private Key causes various issues on an RSA SecurID Access Identity Router running SLES12 SP5

Article Number

000039569

Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
RSA Version/Condition: Identity Router running SLES12 SP5

Issue

The following issues are experienced on an identity router running SLES12 SP5: 
ERROR: (0) via: ERROR: Failed to get the handle.
ERROR: (0) via: ERROR: Rest authenticate call failed!

AND

The following message is seen in the identity router's symplified.log after publishing changes in the Cloud Administration Console with the identity router in debug mode:
  
[ServiceMonitor] DEBUG com.symplified.platform.linux.LinuxCmd[128] - Linux command returned response: LinuxCommandResponse [exitCode=0, output=Importing customer certs to NSS DB..
unable to load private key
140651206968976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
Task completed.
, error=null, timeout=false]

Cause

There is an incompatibility between the identity router and the encoding of the private key that is uploaded on the: Cloud Administration Console > My Account > Company Settings > Company Information page.

Resolution

Use an encoding conversion utility to convert the encoding of the private key to ASCII encoding. Upload the converted private key to the Company Information page and then save and publish the changes in the Cloud Administration Console.

Notes

To place the identity router in debug mode, see the following page: Set the Identity Router Logging Level.
The radius.log and symplified.log can be viewed by:
  1. Access the IDR through SSH (Access SSH for Identity Router Troubleshooting)
  2. Run the following command to generate a log bundle on the identity router: bundlelogs
  3. Copy the log bundle off of the identity router and then view the two log files:
    • /var/log/radius/radius.log
    • /var/log/symplified/symplified.log


The identity router has the "iconv" encoding conversion utility on it. To use this utility to convert the private key, the following can be done:
  1. Copy the private key to the IDR's /tmp directory.
  2. SSH to the IDR.
  3. Gain root access on the IDR. (For steps on how to do this, Contact RSA Support)
  4. Run the following command:
    • iconv -c -f UTF8 -t ASCII /tmp/<original_private.key> -o /tmp/<converted_private.key>
  5. Copy the converted private key off of the IDR and delete the private key files from the IDR's /tmp directory.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-14 10:27 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.