Unable to import PKCS#12 certificates from Siteminder 12.8.07 admin ui
Article ID: 270773
Updated On:
Products
Issue/Introduction
Admin is unable to import PKCS#12 certificates from SiteMinder 12.8.07 admin ui.
The certificate has private key and is in a single PKCS #12 file format. There is no password for the cert/key pair.
When import into admin ui, it errors out
Error: Certificate importer failed attempting to process the selected file.
server.log in admin ui:
yyyy-mm-dd hh:mm:ss,937 [INFO] ims.ui.ConsolePageFilter [] - dispatch=<InstallDir>/ui7/index.jsp
yyyy-mm-dd hh:mm:ss,002 [ERROR] com.ca.federation.adminui.backingbean.keystore.KeyStoreImportBean [] - **ERROR** com.netegrity.smkeydatabase.db.SmCertificateDataStoreException during UI operation.
com.netegrity.smkeydatabase.db.SmCertificateDataStoreException: Error occurred while adding private key and certificate details to the Certificate Data Store. malformed sequence in RSA private key.
at com.netegrity.smkeydatabase.db.CertificateDataStoreImpl.addPrivateKeyToDB(CertificateDataStoreImpl.java:612) ~[smkeydatabase.jar:14.0]
at com.netegrity.smkeydatabase.db.SMKeyDatabase.addPrivateKeyToDB(SMKeyDatabase.java:446) ~[smkeydatabase.jar:14.0]
at com.ca.federation.adminui.backingbean.keystore.KeyStoreImportBean.finish(KeyStoreImportBean.java:310) ~[fedmgr.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_322]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_322]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_322]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_322]
at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132) ~[myfaces-impl-1.1.5.jar:1.1.5]
at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61) ~[myfaces-impl-1.1.5.jar:1.1.5]
at javax.faces.component.UICommand.broadcast(UICommand.java:109) ~[myfaces-api-1.1.5.jar:1.1.5]
at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97) ~[myfaces-api-1.1.5.jar:1.1.5]
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171) ~[myfaces-api-1.1.5.jar:1.1.5]
at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32) ~[myfaces-impl-1.1.5.jar:1.1.5]
at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95) ~[myfaces-impl-1.1.5.jar:1.1.5]
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70) ~[myfaces-impl-1.1.5.jar:1.1.5]
at com.netegrity.webapp.page.jsf.JSFParentPage.update(JSFParentPage.java:95) ~[user_console.jar:?]
at com.netegrity.webapp.page.TaskController.update(TaskController.java:639) ~[user_console.jar:?]
at com.netegrity.taglib.skin.TagUtilLocal.update(TagUtilLocal.java:274) ~[user_console.jar:?]
at com.netegrity.taglib.skin.UpdateTag.doEndTag(UpdateTag.java:146) ~[user_console.jar:?]
at org.apache.jsp.app.ui7.index_jsp._jspx_meth_skin_005fupdate_005f0(index_jsp.java:1758) ~[?:?]
at org.apache.jsp.app.ui7.index_jsp._jspService(index_jsp.java:231) ~[?:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) ~[jastow-2.0.9.Final.jar!/:2.0.9.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:590) ~[jboss-servlet-api_4.0_spec-2.0.0.Final.jar!/:2.0.0.Final]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433) ~[jastow-2.0.9.Final.jar!/:2.0.9.Final]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:403) ~[jastow-2.0.9.Final.jar!/:2.0.9.Final]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:347) ~[jastow-2.0.9.Final.jar!/:2.0.9.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:590) ~[jboss-servlet-api_4.0_spec-2.0.0.Final.jar!/:2.0.0.Final]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32) ~[jastow-2.0.9.Final.jar!/:2.0.9.Final]
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:251) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:186) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:227) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:149) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at com.netegrity.webapp.filter.ConsolePageFilter.doFilter(ConsolePageFilter.java:531) ~[user_console.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at com.netegrity.webapp.page.jsf.FacesFilter.doFilter2(FacesFilter.java:181) ~[user_console.jar:?]
at com.netegrity.webapp.page.jsf.FacesFilter.doFilter(FacesFilter.java:152) ~[user_console.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147) ~[tomahawk-1.1.5.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at com.netegrity.webapp.authentication.FrameworkLoginFilter.doFilter(FrameworkLoginFilter.java:409) ~[user_console.jar:?]
at com.ca.siteminder.webadmin.configuration.ui.servlet.SiteMinderLoginFilter.doFilter(SiteMinderLoginFilter.java:507) ~[webadmin-configuration.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at com.netegrity.webapp.filter.LocaleFilter.doFilter(LocaleFilter.java:101) ~[user_console.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at com.netegrity.webapp.filter.ClientExtractFilter.doFilter(ClientExtractFilter.java:52) ~[user_console.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.jsp.JspFileHandler.handleRequest(JspFileHandler.java:32) ~[jastow-2.0.9.Final.jar!/:2.0.9.Final]
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) ~[?:?]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) ~[?:?]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) ~[?:?]
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535) ~[?:?]
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535) ~[?:?]
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535) ~[?:?]
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535) ~[?:?]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) ~[undertow-servlet-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841) ~[undertow-core-2.2.8.Final.jar!/:2.2.8.Final]
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[?:?]
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990) ~[?:?]
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[?:?]
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[?:?]
at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280) ~[?:?]
at java.lang.Thread.run(Thread.java:750) ~[?:1.8.0_322]
Caused by: com.ca.sso.smcert.SmCertLibException: malformed sequence in RSA private key
at com.ca.sso.smcert.bc.BCCertImpl.getPrivateKeyInstance(BCCertImpl.java:292) ~[smcert.jar:14.0]
at com.ca.sso.smcert.SMCertFactory.getPrivateKeyInstance(SMCertFactory.java:206) ~[smcert.jar:14.0]
at com.netegrity.smkeydatabase.db.CertificateDataStoreImpl.addPrivateKeyToDB(CertificateDataStoreImpl.java:586) ~[smkeydatabase.jar:14.0]
... 107 more
Caused by: com.ca.sso.smcert.SmCertLibException: malformed sequence in RSA private key
at com.ca.sso.smcert.bc.BCPrivateKey.<init>(BCPrivateKey.java:189) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCCertImpl.getPrivateKeyInstance(BCCertImpl.java:290) ~[smcert.jar:14.0]
at com.ca.sso.smcert.SMCertFactory.getPrivateKeyInstance(SMCertFactory.java:206) ~[smcert.jar:14.0]
at com.netegrity.smkeydatabase.db.CertificateDataStoreImpl.addPrivateKeyToDB(CertificateDataStoreImpl.java:586) ~[smkeydatabase.jar:14.0]
... 107 more
Caused by: org.bouncycastle.openssl.PEMException: malformed sequence in RSA private key
at org.bouncycastle.openssl.PEMParser$KeyPairParser.parseObject(Unknown Source) ~[bcpkix-fips-1.0.1.jar:?]
at org.bouncycastle.openssl.PEMParser.readObject(Unknown Source) ~[bcpkix-fips-1.0.1.jar:?]
at com.ca.sso.smcert.bc.BCUtilities.loadPKCS1KeyInDER(BCUtilities.java:359) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCUtilities.loadPrivateKey(BCUtilities.java:208) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCPrivateKey.<init>(BCPrivateKey.java:187) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCCertImpl.getPrivateKeyInstance(BCCertImpl.java:290) ~[smcert.jar:14.0]
at com.ca.sso.smcert.SMCertFactory.getPrivateKeyInstance(SMCertFactory.java:206) ~[smcert.jar:14.0]
at com.netegrity.smkeydatabase.db.CertificateDataStoreImpl.addPrivateKeyToDB(CertificateDataStoreImpl.java:586) ~[smkeydatabase.jar:14.0]
... 107 more
Caused by: org.bouncycastle.openssl.PEMException: malformed sequence in RSA private key
at org.bouncycastle.openssl.PEMParser$RSAKeyPairParser.parse(Unknown Source) ~[bcpkix-fips-1.0.1.jar:?]
at org.bouncycastle.openssl.PEMParser$KeyPairParser.parseObject(Unknown Source) ~[bcpkix-fips-1.0.1.jar:?]
at org.bouncycastle.openssl.PEMParser.readObject(Unknown Source) ~[bcpkix-fips-1.0.1.jar:?]
at com.ca.sso.smcert.bc.BCUtilities.loadPKCS1KeyInDER(BCUtilities.java:359) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCUtilities.loadPrivateKey(BCUtilities.java:208) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCPrivateKey.<init>(BCPrivateKey.java:187) ~[smcert.jar:14.0]
at com.ca.sso.smcert.bc.BCCertImpl.getPrivateKeyInstance(BCCertImpl.java:290) ~[smcert.jar:14.0]
at com.ca.sso.smcert.SMCertFactory.getPrivateKeyInstance(SMCertFactory.java:206) ~[smcert.jar:14.0]
at com.netegrity.smkeydatabase.db.CertificateDataStoreImpl.addPrivateKeyToDB(CertificateDataStoreImpl.java:586) ~[smkeydatabase.jar:14.0]
... 107 more
Environment
Release : 12.8.07
Cause
Defective admin UI if there is no password for the cert/key pair.
Resolution
Fix is provided from attached zip file, is developed on top of 12.8.7 GA version.
The fix contains a single jar file named fedmgr.jar.
The fix is to be deployed on Admin UI side.
- Stop admin ui if running
- Navigate to <..\adminui>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF\lib folder
- Take backup of fedmgr.jar to a safe location.
Note: do not rename old fedmgr.jar or leaving extension as .jar in the same location. Engineering recommends to take backup of fedmgr.jar to a safe location and replace it with fixed jar.
- Copy extracted fedmgr.jar to above location
- Start Admin ui.
Attachments
Feedback
