Identity router (IDR) becomes distressed after adding and publishing new wildcard certificate in RSA SecurID Access
Originally Published: 2020-01-14
Article Number
000042416
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
Issue
The following events take place:
  1. Follow the documentation on adding a wildcard certificate under Cloud Authentication Service Certificates, supplying it as a .pem certificate.
  2. Publish the changes to the Identity Router.
  3. The keystoreService is stopped, and changes are not published. The Identity Router then goes into a distressed state.

Errors reported in the Identity Router logs are as follows:
2019-07-16/13:39:17.679/UTC [ServiceMonitor] WARN com.symplified.service.shared.manager.ServiceMonitor[174] - 
Failed to start keystoreService since Tue Jul 16 13:38:06 UTC 2019 (70 seconds), retrying...
com.symplified.service.shared.StateChangeException: Unable to start service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:64)
at com.symplified.service.shared.manager.ServiceMonitor.startServices(ServiceMonitor.java:119)
at com.symplified.service.shared.manager.ServiceMonitor.run(ServiceMonitor.java:45)
Caused by: com.symplified.service.shared.StateChangeException: Unable to load configuration for service: keystoreService
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:137)
at com.symplified.service.shared.AbstractStatefulService.start(AbstractStatefulService.java:59)
... 2 more
Caused by: java.security.cert.CertificateException: Could not generate certificate:
at com.rsa.cryptoj.c.oz.engineGenerateCertificates(Unknown Source)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
at com.symplified.adapter.api.util.EncryptionUtils.getCertsFromNonHexEncodedX509FileString(EncryptionUtils.java:234)
at com.symplified.service.appliance.keystore.KeystoreService.getCertificatesAndKeyFromCustomer(KeystoreService.java:211)
at com.symplified.service.appliance.keystore.KeystoreService.loadConfig(KeystoreService.java:76)
at com.symplified.service.shared.AbstractStatefulService.refresh(AbstractStatefulService.java:135)
Cause
This issue happens when the .pfx certificate is converted to a .pem certificate using the openssl command and the resulting public certificate chain file contains a section with the encrypted private key.

The .pem certificate contains a private key section, which begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, as shown here:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBj08sp5++4anG
cmQxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMSAwHgYD
VQQDDBcqLmF3cy10ZXN0LnByb2dyZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
...
bml6YXRpb252YWxzaGEyZzIuY3JsMIGgBggrBgEFBQcBAQSBkzCBkDBNBggrBgEF
BQcwAoZBaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nvcmdh
z3P668YfhUbKdRF6S42Cg6zn
-----END PRIVATE KEY-----
Resolution
  1. Use openssl to convert the .pfx certificate to .pem without including the private key, using the command shown here:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
  2. Extract the private key from the .pfx to a key file and remove the password from the extracted private key:
# openssl pkcs12 -in filename.pfx -nocerts -out server.key -nodes
  3. Import the certificate, private key, and chain in the Company Settings page in the Cloud Administration Console.
  4. Publish the changes.
Workaround
As a workaround:
  1. Using a text editor, manually remove the encrypted private key section from the .pem file.
  2. Reapply the certificate on the cloud admin console.
  3. Publish the changes.
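The Resolution and Workaround above both come down to one property of the uploaded file: the certificate .pem must contain only CERTIFICATE blocks and no private key block. The following Python script is an added example, not part of this article or of the RSA product, that checks a .pem file for that property before it is uploaded and, mirroring the manual workaround, rebuilds a copy containing only the CERTIFICATE blocks. The sample PEM embedded in it is constructed with dummy base64 filler, not real certificate or key material, and the function names are this example's own.

```python
import re
import sys

# One PEM block: the label on the BEGIN line must be repeated on the END line.
# The body character class excludes '-', so a block can never swallow the next one.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)

# Labels openssl uses for private keys (PKCS#8 plain and encrypted, plus legacy forms).
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
                      "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return a list of (label, full_block_text) for every PEM block found in text."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def private_key_labels(text):
    """Labels of every private key block present in the file (empty list when clean)."""
    return [label for label, _ in pem_blocks(text) if label in PRIVATE_KEY_LABELS]


def certificates_only(text):
    """Rebuild the file keeping only CERTIFICATE blocks: the manual workaround, automated."""
    return "\n".join(block for label, block in pem_blocks(text) if label == "CERTIFICATE") + "\n"


def check_cert_pem(text):
    """Return (ok, message). ok is False when a private key is present or no certificate is."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [label for label in labels if label in PRIVATE_KEY_LABELS]
    if keys:
        return False, f"private key block(s) present: {keys}; remove them before publishing"
    if "CERTIFICATE" not in labels:
        return False, "no CERTIFICATE block found"
    return True, f"{labels.count('CERTIFICATE')} certificate block(s), no private key"


# Constructed sample reproducing the failure mode: a certificate followed by a
# private key in the same file. The base64 bodies are dummy filler, not real data.
SAMPLE_BAD_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBdummyCertificateBodyLine1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
MIIBdummyCertificateBodyLine2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEdummyPrivateKeyBodyLine1BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
MIIEdummyPrivateKeyBodyLine2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==
-----END PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Usage: python check_pem.py cert.pem   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD_PEM
    ok, message = check_cert_pem(text)
    print(("OK: " if ok else "FAIL: ") + message)
    if not ok and private_key_labels(text):
        print("--- certificate-only rewrite ---")
        print(certificates_only(text), end="")
```

Run it against the cert.pem produced by the openssl step before importing it into the Cloud Administration Console; a FAIL line naming a private key label means the file would trip the same `Could not generate certificate` error shown in the logs above. The private key still goes in separately, from the server.key file.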