Layer7 API Gateway: The given key (algorithm=RSA) is not valid for SHA512withECDSA

Article ID: 111567

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

When using the 'Encode JSON Web Token' assertion to sign a JWT with one of the ECDSA algorithms (ES256, ES384 or ES512), the assertion fails and one of the following errors is written to the SSG logs:

The given key (algorithm=RSA) is not valid for SHA512withECDSA
The given key (algorithm=RSA) is not valid for SHA256withECDSA
The given key (algorithm=RSA) is not valid for SHA384withECDSA


Environment

Release:
Component: APIESM

Resolution

The issue occurs when an RSA private key is selected to sign the JWT. The ECDSA signing algorithms (SHA256withECDSA, SHA384withECDSA and SHA512withECDSA, i.e. the JWA algorithms ES256, ES384 and ES512) require an Elliptic Curve private key; an RSA key can only be used with the RSA-based algorithms (RS256/RS384/RS512 and PS256/PS384/PS512). When selecting a private key installed on the Gateway, confirm that its key type matches the algorithm chosen in the assertion.

In policy manager:

1) Open the Manage Private Keys dialog (Tasks -> Certificates, Keys and Secrets -> Manage Private Keys)
2) Locate the private key selected in the 'Encode JSON Web Token' assertion and take note of its 'Key Type' field.

If the key type is RSA xxxx bits, it cannot be used with the ECDSA algorithms. Create a new private key using one of the Elliptic Curve options and select that key in the assertion instead. The curve should match the algorithm: ES256 uses P-256, ES384 uses P-384 and ES512 uses P-521 (RFC 7518, section 3.4). Alternatively, keep the RSA key and change the assertion's signing algorithm to an RSA algorithm such as RS256.
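The following is an added example, not code from the Gateway or from this article, showing the key-type check the assertion performs before signing and why an RSA key is rejected for an ES algorithm. It reproduces the log message above for an RSA key, rejects an EC key on the wrong curve, and signs and verifies an ES256 compact JWS with a P-256 key using only the Go standard library. The algorithm table, the error text and the sample claims are constructed for the example; the JCA names and curve pairings follow RFC 7518.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 for crypto.SHA256.New()
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwsAlg records what a JWS "alg" value demands of the signing key.
type jwsAlg struct {
	jcaName string         // JCA signature name as it appears in the SSG log
	curve   elliptic.Curve // required EC curve; nil for RSA algorithms
	hash    crypto.Hash
}

// Pairings from RFC 7518 section 3.1 (constructed table for this example).
var algs = map[string]jwsAlg{
	"ES256": {"SHA256withECDSA", elliptic.P256(), crypto.SHA256},
	"ES384": {"SHA384withECDSA", elliptic.P384(), crypto.SHA384},
	"ES512": {"SHA512withECDSA", elliptic.P521(), crypto.SHA512},
	"RS256": {"SHA256withRSA", nil, crypto.SHA256},
}

// checkKeyForAlg returns nil if key can sign with alg, otherwise an error
// worded like the Gateway's log message for the RSA/ECDSA mismatch.
func checkKeyForAlg(key crypto.PrivateKey, alg string) error {
	a, ok := algs[alg]
	if !ok {
		return fmt.Errorf("unsupported alg %q", alg)
	}
	switch k := key.(type) {
	case *rsa.PrivateKey:
		if a.curve != nil {
			return fmt.Errorf("The given key (algorithm=RSA) is not valid for %s", a.jcaName)
		}
	case *ecdsa.PrivateKey:
		if a.curve == nil {
			return fmt.Errorf("The given key (algorithm=EC) is not valid for %s", a.jcaName)
		}
		if k.Curve != a.curve {
			return fmt.Errorf("EC key on %s cannot be used with %s (requires %s)",
				k.Curve.Params().Name, alg, a.curve.Params().Name)
		}
	default:
		return fmt.Errorf("unsupported key type %T", key)
	}
	return nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signES builds a compact JWS (header.payload.signature) with an EC key,
// running the key check first so a mismatch fails before any signing.
func signES(key *ecdsa.PrivateKey, alg string, claims map[string]interface{}) (string, error) {
	if err := checkKeyForAlg(key, alg); err != nil {
		return "", err
	}
	a := algs[alg]
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	pl, _ := json.Marshal(claims)
	signingInput := b64(hdr) + "." + b64(pl)
	h := a.hash.New()
	h.Write([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, h.Sum(nil))
	if err != nil {
		return "", err
	}
	// JWS uses raw R||S, each left-padded to the curve size (RFC 7518 3.4), not ASN.1 DER.
	n := (key.Curve.Params().BitSize + 7) / 8
	sig := make([]byte, 2*n)
	r.FillBytes(sig[:n])
	s.FillBytes(sig[n:])
	return signingInput + "." + b64(sig), nil
}

// verifyES checks an ES-signed compact JWS against the matching public key.
func verifyES(pub *ecdsa.PublicKey, alg, token string) bool {
	a, ok := algs[alg]
	if !ok || a.curve == nil || pub.Curve != a.curve {
		return false
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	n := (pub.Curve.Params().BitSize + 7) / 8
	if err != nil || len(sig) != 2*n {
		return false
	}
	h := a.hash.New()
	h.Write([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, h.Sum(nil), new(big.Int).SetBytes(sig[:n]), new(big.Int).SetBytes(sig[n:]))
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	claims := map[string]interface{}{"sub": "demo", "iss": "gateway"} // constructed sample claims
	fmt.Println(checkKeyForAlg(rsaKey, "ES512")) // the article's error message
	tok, err := signES(ecKey, "ES256", claims)
	fmt.Println(tok, err)
	fmt.Println(verifyES(&ecKey.PublicKey, "ES256", tok))
}
```

The same check applies in reverse: a P-256 key is rejected for ES384 or ES512, so when creating the replacement Elliptic Curve key on the Gateway, pick the curve that matches the algorithm configured in the assertion.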