How to recover from incorrectly uploading a DER encoded public SSL certificate to the SecurID Access Administration Console
Originally Published: 2017-01-19
Article Number
000040072
Applies To
RSA Product Set: SecurID Access
Issue
All certificates uploaded or published via the SecurID Access Administration Console must be PEM encoded. Uploading a binary DER encoded certificate via the My Account->Company Settings menu will cause an IDR to go into the "Distressed" state if it is restarted.

TBD:  are there problems if IDR is not restarted?  Do you have to reboot or restart services?
Cause
 
2017-01-13/20:48:32.921/UTC [ServiceMonitor] WARN  com.symplified.service.shared.manager.ServiceMonitor[178] - Failed to start keystoreService since Fri Jan 13 20:43:30 UTC 2017 (302 seconds), retrying..., cause: com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService [at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:72)], Caused by com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService [at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:228)], Caused by java.security.cert.CertificateException: java.io.IOException: Invalid BER/DER data (too huge?) [at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:337)], Caused by java.io.IOException: Invalid BER/DER data (too huge?) [at sun.security.provider.X509Factory.readBERInternal(X509Factory.java:690)]
Resolution
TBD:  I got distressed by restarting services (but not the keyservice errors from case).  Recovered by replacing PEM cert.

Case reported redeploying IDR.  Is that really necessary?  See if reboot makes any difference.
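
A pre-upload check for the PEM requirement stated under Issue, added here as an example; it is not part of the original article or of any RSA tooling. The function names are hypothetical, the sample bytes are constructed, and the check only verifies the outer DER structure rather than parsing the full X.509 certificate.

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_total_length(data: bytes) -> int:
    """Return header + body length declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
            if der_total_length(body) == len(body):
                return "pem"
        except ValueError:                # bad base64 or bad DER inside the armor
            pass
        return "unknown"
    try:
        return "der" if der_total_length(data) == len(data) else "unknown"
    except ValueError:
        return "unknown"


def to_pem(data: bytes) -> str:
    """Return PEM text suitable for upload; convert DER, reject anything else."""
    kind = classify(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("input is neither a PEM nor a DER certificate")


# Constructed sample: a tiny DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
```

Run `to_pem()` on the certificate file's bytes and upload only the returned PEM text; a `ValueError` means the file should not be uploaded as it is.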