AnsweredAssumed Answered

Securid SDK 8.2 Bad Certificate

Question asked by Rodrigo Herrera on Feb 2, 2018
Latest reply on Feb 6, 2018 by Rodrigo Herrera

Like • Show 0 Likes0
Comment • 5

Hi... we've SecurID 8.2 SP1 patch 7, SDK 8.2 SP1 for java, Tomcat 8, Java 1.8 an we did import Securid CA certificate into tomcat kestore and set the -Djavax.net.ssl.trustStore parameter. So, we try connect our API, but the system return:

javax.net.ssl.SSLException: Certificate not verified.

After debug catalina, the detailed error is:

Certificate validation failed with message: Parameters must be PKIXParameters or be CertPathWithOCSPParameters containing PKIXOParameters.

Can any some idea about them?

Thanks.

No one else has this question

Outcomes

4 Replies

Omar Allam Feb 5, 2018 11:34 AM
Mark Correct
Correct Answer
Hello Rodrigo,

Make sure that you imported the root certificate not the server certificate inside tomcat keystore (check below steps)
1. Launch Internet Explorer, and go to the following URL: https://server_name:7002. The Error 404 page appears.
2. Right click anywhere on the Error 404 page and select Properties.
3. In the Properties dialog box, click Certificates.
4. In the Certificate dialog box, select the Certification Path tab.
5. Click the top item in the certificate path.
6. Click View Certificate.
7. In the Certificate dialog box, click the Details tab.
8. Click Copy to File.
9. On the Certificate Export Wizard page, click Next.
10. On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.
11. On the File to Export page, click Browse.
12. Browse to a location to store the root certificate, enter am_root.cer in the File name field, make sure that Save as type is DER Encoded Binary X.509(*.cer), and click Save.
13. On the File to Export page, click Next.
14. On the Completing the Certificate Export page, click Finish.
15. Click OK.
If you are using SSL EJB connection, make sure you use the below Java system properties in the Java command line:
-Dweblogic.security.SSL.trustedCAKeyStore=SDK_HOME/lib/java/trust.jks

For SSL SOAP Connection, please check below:
-Djavax.net.ssl.trustStore=SDK_HOME/lib/java/trust.jks

Thanks,
Best regards.
Omar Allam
Like • Show 1 Like1
Actions
- Rodrigo Herrera @ Omar Allam on Feb 5, 2018 11:12 AM
  Mark Correct
  Correct Answer
  Hi Omar...
  
  We did import the root certificate ( the debug show negotiation with them). And we change the java_opts to include -Djavax.net.ssl.trustStore (our app server is Tomcat).
  
  Any idea?
  
  Thanks.
  Like • Show 1 Like1
  Actions
  - Omar Allam @ Rodrigo Herrera on Feb 5, 2018 12:00 PM
    Mark Correct
    Correct Answer
    Hello Rodrigo,
    
    Run the below command from the location where you have the keystore to list the certificate and confirm that the certificate inside the keystore has the same fingerprint that on the AM root certificate.
    
    keytool -list -keystore <XXX>.jks
    
    Thanks,
    Best regards.
    Omar Allam
    Like • Show 1 Like1
    Actions
Piers Bowness Feb 6, 2018 10:57 AM
Mark Correct
Correct Answer
You might also run some tests starting the Tomcat server with "-Djavax.net.debug=all". Alternatively, you could limit the output by using "ssl:trustmanager" in place of "all".

Some other options are available in the JSSE Reference Guide - Debugging Utilities
Like • Show 1 Like1
Actions
- Rodrigo Herrera @ Piers Bowness on Feb 6, 2018 12:56 PM
  Mark Correct
  Correct Answer
  Hello Piers...
  
  I did it, and after reinstall java (no make changes into security
  providers) this work now.
  
  But the authentication API need changes into security providers.
  
  Looks like incompatibility beeteewn FIPS and not FIPS.
  
  Some one have this issue?
  
  Thanks.
  Attachments
  - RodrigoHerrera.gif71.1 KB
  Like • Show 0 Likes0
  Actions

Securid SDK 8.2 Bad Certificate

Outcomes

Attachments

Related Content

Recommended Content