How to recover from incorrectly uploading a DER encoded public SSL certificate to the SecurID Access Administration Console

3 years ago

Originally Published: 2017-01-19

Article Number

000040072

Applies To

RSA Product Set: SecurID Access

Issue

All certificates uploaded/published via the Securid Access Administration Console must be PEM encoded. Uploading binary DER encoded certificates via the My Account->Company Settings menu will cause an IDR to go into the "Distressed" state if restarted.

TBD: are there problems if IDR is not restarted? Do you have to reboot or restart services?

Cause

2017-01-13/20:48:32.921/UTC [ServiceMonitor] WARN  com.symplified.service.shared.manager.ServiceMonitor[178] - Failed to start keystoreService since Fri Jan 13 20:43:30 UTC 2017 (302 seconds), retrying..., cause: com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService [at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:72)], Caused by com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService [at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:228)], Caused by java.security.cert.CertificateException: java.io.IOException: Invalid BER/DER data (too huge?) [at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:337)], Caused by java.io.IOException: Invalid BER/DER data (too huge?) [at sun.security.provider.X509Factory.readBERInternal(X509Factory.java:690)]

Resolution

TBD: i got distressed by restarting services (but not the keyservice errors from case). Recovered by replacing PEM cert.

Case reported redeploying IDR. Is that really necessary? See if reboot makes any difference.

Don't see what you're looking for?

Related Articles

Trending Articles