The 12.8 SP4 Admin UI cannot display all certificates and returns the error "System exception trying to load keystore entries. Unable to parse public key: corrupted stream detected".
The number of certificates listed by the Admin UI is significantly lower than the number listed by smkeytool. Without all certificates displayed, the administrator's work is impacted.
System exception trying to load keystore entries. Unable to parse public key: corrupted stream detected
Release : 12.8
Component : SITEMINDER -POLICY SERVER
The customer routinely uses smkeytool to update the Certificate Data Store (CDS).
Whenever a new certificate is loaded with smkeytool, the Admin UI must reload the data from the CDS in order to display it.
The error occurs in the Admin UI component, which cannot correctly interpret the CDS data it retrieved.
smkeytool -listcerts and XPSExplorer both return normal data and the correct number of certificates, so the store itself is intact.
The likely cause is a single offending certificate in the CDS that the Admin UI cannot parse.
The way to identify the offending certificate in the CDS is divide-and-conquer:
1. Take a bulk export of the CDS by running "smkeytool.sh -exportAll -outfile xml_file_path -password password".
2. Pick a subset (batch) of the certificates and import that subset into a fresh policy server.
3. Check the Admin UI and confirm that the number of certificates displayed matches the number imported with smkeytool.sh.
4. If the numbers match, the offending certificate is not in that subset; delete all certificates from the Admin UI.
5. Run "smkeytool.sh -listcerts" to confirm that the certificate count has dropped to zero.
6. Load the next batch and repeat until the counts no longer match, then halve that batch the same way until you have narrowed it down to the one bad certificate object.
7. Once the bad certificate object is identified, delete its alias from the smkeytool.sh command line; the Admin UI will recover and work again.
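The halving in steps 2 to 7 is easy to lose track of by hand, so the script below drives it. It is an added example written for this article, not Broadcom code. It assumes the operator has first exported each alias to its own file (the -exportCert -alias ... -outfile option names are assumed), that -addCert -alias ... -infile and -deleteCert -alias exist with those names, that the alias list is supplied in a text file one alias per line, and that the Admin UI count is read by a human and typed in at the prompt after each batch is loaded into an otherwise empty CDS on the fresh policy server. The generic find_bad_aliases() also copes with more than one bad certificate, which the article's procedure does not spell out.

```python
"""Bisect a CDS alias list to find the certificate(s) the Admin UI cannot parse.

Added example for this article, not Broadcom code. ASSUMED (not confirmed by the
article): the smkeytool.sh options -exportCert/-addCert/-deleteCert, the path to
smkeytool.sh, and an alias list file prepared by the operator from -listCerts output.
"""
import math
import os
import subprocess
import sys
from typing import Callable, List, Optional, Sequence

SMKEYTOOL = "./smkeytool.sh"  # ASSUMED path; adjust to the policy server install


def find_bad_aliases(aliases: Sequence[str],
                     batch_ok: Callable[[Sequence[str]], bool]) -> List[str]:
    """Return every alias whose presence makes batch_ok() fail, by halving.

    batch_ok(batch) must answer: "after importing exactly this batch into an
    empty CDS, does the Admin UI show len(batch) certificates?"  Each call is
    one import/check/delete round.  Both halves are always checked so that
    several bad certificates are all found, not just the first.
    """
    aliases = list(aliases)
    if not aliases:
        return []
    if batch_ok(aliases):
        return []            # nothing in this batch upsets the Admin UI
    if len(aliases) == 1:
        return aliases       # cannot split further: this is an offender
    mid = len(aliases) // 2
    return (find_bad_aliases(aliases[:mid], batch_ok)
            + find_bad_aliases(aliases[mid:], batch_ok))


def max_rounds(n: int) -> int:
    """Worst-case number of batch_ok() rounds for n aliases and one bad cert."""
    if n <= 0:
        return 0
    return 1 + 2 * math.ceil(math.log2(n))


def smkeytool(*args: str) -> str:
    """Run smkeytool.sh with the given arguments and return its stdout."""
    return subprocess.run([SMKEYTOOL, *args], check=True,
                          capture_output=True, text=True).stdout


def make_cds_batch_check(cert_dir: str,
                         ask_ui_count: Optional[Callable[[], int]] = None
                         ) -> Callable[[Sequence[str]], bool]:
    """Build the batch_ok() callback that drives smkeytool and the operator."""
    if ask_ui_count is None:
        ask_ui_count = lambda: int(input("Certificates shown in Admin UI: "))

    def batch_ok(batch: Sequence[str]) -> bool:
        for alias in batch:  # ASSUMED option names: -addCert -alias -infile
            smkeytool("-addCert", "-alias", alias,
                      "-infile", os.path.join(cert_dir, alias + ".cer"))
        print(f"Imported {len(batch)} certificate(s): {', '.join(batch)}")
        print("Reload the certificate list in the Admin UI, then enter the count.")
        ui_count = ask_ui_count()
        for alias in batch:  # ASSUMED option name: -deleteCert -alias
            smkeytool("-deleteCert", "-alias", alias)
        print(smkeytool("-listCerts"))  # operator confirms the store is empty again
        return ui_count == len(batch)

    return batch_ok


if __name__ == "__main__":
    # usage: bisect_cds.py aliases.txt exported_certs_dir
    alias_file, cert_dir = sys.argv[1], sys.argv[2]
    with open(alias_file) as fh:
        aliases = [line.strip() for line in fh if line.strip()]
    print(f"{len(aliases)} aliases, at most {max_rounds(len(aliases))} rounds")
    bad = find_bad_aliases(aliases, make_cds_batch_check(cert_dir))
    print("Offending alias(es):", ", ".join(bad) if bad else "none found")
```

With one bad certificate among n, the search needs at most 1 + 2*ceil(log2 n) rounds (9 for 13 aliases) instead of one round per certificate; the offending alias printed at the end is the one to remove with smkeytool.sh in step 7.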
If necessary, the customer can request a fix from Broadcom engineering. Broadcom engineering can provide a replacement fedmgr.jar
that skips any bad certificate in the list and continues processing the remaining certificates so that they are displayed in the UI.
It would help greatly if the Admin UI reported the alias name or XID of the offending certificate; the troubleshooting process above would then be unnecessary.