KeyUsage does not allow digital signatures error when using test connection with LDAPS from RSA Authentication Manager 8.x
Originally Published: 2020-05-08
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
Testing the LDAPS connection from RSA Authentication Manager fails with the error: KeyUsage does not allow digital signatures
Cause
The LDAPS server certificate was issued without Digital Signature in its Key Usage extension, so the TLS trust manager rejects it during the handshake. The following trace appears in the log:
2020-04-09 11:48:47,652, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (LDAPConnectionTesterImpl.java:231), trace.com.rsa.ims.ldapslotmgt.impl.LDAPConnectionTesterImpl, ERROR, 2k8r2-dc1.2k8r2-vcloud.local,,,,LDAP Server connection test failed
javax.naming.CommunicationException: 10.232.0.195:636 [Root exception is javax.net.ssl.SSLException: Certificate not verified.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:70)
at com.rsa.ims.common.ldap.GetLDAPConnectionTask.call(GetLDAPConnectionTask.java:1)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aI.b(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.ap.c(Unknown Source)
at com.rsa.sslj.x.ap.a(Unknown Source)
at com.rsa.sslj.x.ap.j(Unknown Source)
at com.rsa.sslj.x.ap.i(Unknown Source)
at com.rsa.sslj.x.ap.h(Unknown Source)
at com.rsa.sslj.x.aT.startHandshake(Unknown Source)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:393)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
... 18 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
at com.rsa.sslj.x.bh.a(Unknown Source)
... 28 more
Caused by: java.security.cert.CertificateException: KeyUsage does not allow digital signatures
at com.rsa.sslj.x.ck.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)
... 31 more
Resolution
- Review the certificate and, under the Details tab, check the Key Usage attribute.
- The certificate should be generated to include Digital Signature, which was missing from the LDAPS certificate.
- Reissue the certificate with Digital Signature included in the Key Usage field. It can then be imported into the RSA Authentication Manager Operations Console.
- After the reissued certificate is in place, the LDAPS test connection over port 636 works as expected.
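To check the Key Usage extension from a script rather than the certificate viewer, the following added example (not RSA's code and not from this article) decodes the extension from a DER-encoded certificate using only the Python standard library; check_ldaps_server, the sample fragments BAD_EXT and GOOD_EXT, and the heuristic OID scan are constructed for illustration.

```python
# Added example (not RSA code): decode the Key Usage extension of an X.509
# certificate and report whether digitalSignature is asserted. Stdlib only.
import ssl

KEY_USAGE_OID_DER = bytes.fromhex("0603551d0f")  # DER TLV of OID 2.5.29.15 (id-ce-keyUsage)
KEY_USAGE_BITS = [  # bit positions per RFC 5280, section 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def _read_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def key_usage_from_der(der: bytes):
    """Set of Key Usage names asserted in the certificate, or None if the extension is absent."""
    idx = der.find(KEY_USAGE_OID_DER)  # heuristic scan for the extension OID, not a full X.509 parser
    if idx < 0:
        return None
    pos = idx + len(KEY_USAGE_OID_DER)
    if der[pos] == 0x01:  # optional BOOLEAN 'critical' precedes extnValue
        length, pos = _read_length(der, pos + 1)
        pos += length
    for tag, what in ((0x04, "OCTET STRING"), (0x03, "BIT STRING")):  # extnValue wraps a BIT STRING
        if der[pos] != tag:
            raise ValueError(f"expected {what} in Key Usage extension")
        length, pos = _read_length(der, pos + 1)
    unused_bits, bits = der[pos], der[pos + 1:pos + length]
    total_bits = len(bits) * 8 - unused_bits
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and bits[i // 8] & (0x80 >> (i % 8))}

def allows_digital_signature(der: bytes) -> bool:
    """True when Key Usage is absent (unrestricted) or includes digitalSignature."""
    usages = key_usage_from_der(der)
    return usages is None or "digitalSignature" in usages

def check_ldaps_server(host: str, port: int = 636) -> bool:
    """Fetch the LDAPS server certificate and run the same check (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return allows_digital_signature(ssl.PEM_cert_to_DER_cert(pem))

# Constructed extension fragments for offline testing (not real certificates):
BAD_EXT = bytes.fromhex("0603551d0f0101ff040403020520")   # keyEncipherment only: rejected
GOOD_EXT = bytes.fromhex("0603551d0f0101ff0404030205a0")  # digitalSignature + keyEncipherment
```

Run check_ldaps_server against the identity source host after reissuing the certificate; a False result means the new certificate still lacks Digital Signature and the test connection will keep failing.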