Article Number
000038493
Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Identity Router
Issue
- Publishing configuration changes fails after uploading application portal SSL certificates to the Cloud Admin Console, with the following error:
Unsuccessful publish to the identity routers, successful publish to the cloud authentication services
- The Identity Router Management Portal is no longer accessible.
Cause
This issue can be caused by importing a server public certificate or certificate chain file with an invalid format. The logs may show errors like the following:
2020-02-18/15:41:58.359/UTC [PublishThread-348207] ERROR com.symplified.service.shared.manager.ServiceManagerImpl[296] - Reload of updateConfigService failed, reverting...
com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137)
at com.symplified.service.shared.manager.ServiceManagerImpl.refreshWithDependencies(ServiceManagerImpl.java:571)
at com.symplified.service.shared.manager.ServiceManagerImpl.reload(ServiceManagerImpl.java:293)
at com.symplified.service.shared.manager.ServiceManagerImpl.reload(ServiceManagerImpl.java:270)
at com.symplified.service.appliance.core.ApplianceServiceImpl$PushThread.run(ApplianceServiceImpl.java:833)
Caused by: java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.c.oz.engineGenerateCertificates(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:241)
at com.symplified.service.appliance.keystore.KeystoreService.getCertificatesAndKeyFromCustomer(KeystoreService.java:281)
at com.symplified.service.appliance.keystore.KeystoreService.loadConfig(KeystoreService.java:84)
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:135)
... 4 more
2020-02-18/15:41:58.364/UTC [PublishThread-348207] INFO com.symplified.service.appliance.sts.SecurityTokenService[375] - Resuming securityTokenService...
2020-02-18/15:41:58.483/UTC [PublishThread-348207] ERROR com.symplified.service.appliance.core.ApplianceServiceImpl[869] - Publish failed
com.symplified.service.shared.manager.ServiceManagerException: Reload of updateConfigService failed, revert successful
at com.symplified.service.shared.manager.ServiceManagerImpl.reload(ServiceManagerImpl.java:310)
at com.symplified.service.shared.manager.ServiceManagerImpl.reload(ServiceManagerImpl.java:270)
at com.symplified.service.appliance.core.ApplianceServiceImpl$PushThread.run(ApplianceServiceImpl.java:833)
Caused by: com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137)
at com.symplified.service.shared.manager.ServiceManagerImpl.refreshWithDependencies(ServiceManagerImpl.java:571)
at com.symplified.service.shared.manager.ServiceManagerImpl.reload(ServiceManagerImpl.java:293)
... 2 more
Resolution
To resolve this issue, extract the private key, SSL certificate, and certificate chain in the correct format:
openssl pkcs12 -in Certificate.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > Private.key
openssl pkcs12 -in Certificate.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > SSL.cer
openssl pkcs12 -in Certificate.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > CAchain.cer
Import the extracted certificates from the commands above as described in Step 3 of Configure Company Information and Certificates, and publish the changes.
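A format check to run on the extracted files before importing them, as an added example that is not part of the original article or RSA's tooling. It fails on any text outside the PEM blocks, such as the "Bag Attributes" header that openssl pkcs12 writes ahead of each block and that the sed filters above strip; `check_pem`, `make_sample` and the sample data are constructed for illustration.

```sh
#!/bin/sh
# check_pem FILE LABEL: verify FILE holds only "-----BEGIN LABEL-----" blocks.
# Prints "OK: N block(s)" and returns 0, or "FAIL: line N: reason" and returns 1.
check_pem() {
    awk -v label="$2" '
        function fail(msg) { printf "FAIL: line %d: %s\n", NR, msg; bad = 1; exit 1 }
        BEGIN { b = "-----BEGIN " label "-----"; e = "-----END " label "-----" }
        { sub(/\r$/, "") }   # tolerating CRLF endings is a choice made by this example
        $0 == b { if (inblk) fail("BEGIN inside a block"); inblk = 1; n = 0; next }
        $0 == e { if (!inblk) fail("END without BEGIN")
                  if (n == 0) fail("empty block")
                  inblk = 0; blocks++; next }
        inblk   { if ($0 !~ "^[A-Za-z0-9+/=]+$") fail("non-base64 text in block")
                  n++; next }
        { fail("text outside a PEM block: " $0) }   # strict: blank lines count too
        END { if (bad) exit 1
              if (inblk) fail("unterminated block")
              if (!blocks) fail("no " label " block found")
              printf "OK: %d block(s)\n", blocks }
    ' "$1"
}

# Constructed sample in the shape openssl pkcs12 prints before filtering.
# The base64 body is a placeholder, not a real certificate.
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = idr.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/raw.cer"
check_pem "$tmp/raw.cer" CERTIFICATE || true      # unfiltered output is rejected
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$tmp/raw.cer" > "$tmp/SSL.cer"
check_pem "$tmp/SSL.cer" CERTIFICATE              # filtered file passes
rm -rf "$tmp"
```

With the real files, run `check_pem Private.key "PRIVATE KEY"`, `check_pem SSL.cer CERTIFICATE` and `check_pem CAchain.cer CERTIFICATE`. The check covers file format only; it does not confirm that the key matches the certificate or that the chain is complete.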