User Unable to Login or Add Collectors when FIPS is Enabled on ICDx

Article ID: 381326

Updated On:

Products

Integrated Cyber Defense Exchange

Issue/Introduction

1. The Identity Service throws an error at startup:
   Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'tokenSupport': Invocation of init method failed; nested exception is java.lang.IllegalStateException: Failed to load per-partition Certificates (KeyPair) at startup!

2. Creation of the admin user failed. This can be verified with the following command, which returns an empty response when no users exist:
   /opt/symantec/icdx/id_epmp_dx-<version>/idusers.sh list

3. The idusers.sh tool throws an error while creating the admin user:
   sudo -E -u icdx /opt/symantec/icdx/id_epmp_dx-<version>/idusers.sh admin admin

   Exception in thread "main" java.lang.reflect.InvocationTargetException
   ---
   Caused by: java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA256 SecretKeyFactory not available
   at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)

Resolution

1. Stop the launcher_dx service if it is running: systemctl stop launcher_dx

2. Edit the java.security file:
vi /etc/java/java-<version>/java-<version>/lib/security/java.security
Comment out security.useSystemPropertiesFile=true and add security.disableSystemPropertiesFile=true. This stops the JVM from appending the host-wide crypto-policy file (/etc/crypto-policies/back-ends/java.config) to its security properties; with FIPS enabled, that policy is what leaves the PBKDF2WithHmacSHA256 SecretKeyFactory unavailable to the Identity Service. Note that the ICDx JVM therefore no longer follows the host's crypto policy. The edited section should look like this:

# Determines whether this properties file will be appended to
# using the system properties file stored at
# /etc/crypto-policies/back-ends/java.config
#
# security.useSystemPropertiesFile=true
security.disableSystemPropertiesFile=true

3. Edit the idusers.sh file:
vi /opt/symantec/icdx/id_epmp_dx-<version>/idusers.sh
Add -Djava.security.disableSystemPropertiesFile=true to the java command line so that the tool's own JVM uses the same setting.

Ex:
java -Djava.security.disableSystemPropertiesFile=true -Dlogback.configurationFile=logback-idusers.xml -Dloader.main=com.symantec.platform.identity.builtin.BuiltinMain -jar lib/id_epmp_i-1.4.79.jar "$@"

4. Create the admin user with the following command (this example creates the user 'admin' with the password 'admin'; choose your own values):
sudo -E -u icdx /opt/symantec/icdx/id_epmp_dx-<version>/idusers.sh admin admin

Ex:
[root@localhost ~]# sudo -E -u icdx /opt/symantec/icdx/id_epmp_dx-1.6.128-45/idusers.sh admin admin
Created user admin

5. Start the launcher_dx service: systemctl start launcher_dx
Verify the Identity Service logs; the service should start without any error or exception.
Ex:
2024-05-24 12:20:55,678 [main] INFO c.s.platform.identity.IdentityServiceMain - Identity Service startup completed; using local port 8035
2024-05-24 12:20:55,678 [main] INFO lifecycle - Identity Service startup completed; using local port 8035
2024-05-24 12:20:55,700 [main] INFO c.s.platform.identity.IdentityServiceMain - Started IdentityServiceMain in 12.132 seconds (JVM running for 13.99)

6. Reboot the VM.

7. Log in to the ICDx UI and confirm that you can add collectors and forwarders.
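The file edits in steps 2 and 3 can be applied and checked with a script like the following. This is an added example, not part of the article and not Broadcom's tooling; the function names, the backup naming, and the assumption that the idusers.sh launch line begins with "java " (as in the article's example) are mine, and the two file paths must be supplied with your own <version> values.

```shell
#!/bin/sh
# Added example (not from the article or the ICDx product): applies the
# java.security and idusers.sh edits from steps 2 and 3 idempotently, keeps a
# timestamped backup of each file, and verifies the result.
# Assumptions: the idusers.sh launch line starts with "java " (as in the
# article's example), and POSIX sed, grep and cp are available.
set -eu

FLAG='-Djava.security.disableSystemPropertiesFile=true'

# backup FILE: keep a copy before touching anything.
backup() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# disable_system_props JAVA_SECURITY_FILE
# Comments out every active "security.useSystemPropertiesFile=true" line and
# makes sure exactly one active "security.disableSystemPropertiesFile=true"
# line is present. Safe to run more than once.
disable_system_props() {
    f="$1"
    backup "$f"
    sed 's/^[[:space:]]*security\.useSystemPropertiesFile=true/# &/' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
    if ! grep -q '^[[:space:]]*security\.disableSystemPropertiesFile=true' "$f"; then
        printf '%s\n' 'security.disableSystemPropertiesFile=true' >> "$f"
    fi
}

# check_java_security JAVA_SECURITY_FILE
# Returns 0 only when no active useSystemPropertiesFile=true line remains
# and the disable setting is present.
check_java_security() {
    f="$1"
    if grep -q '^[[:space:]]*security\.useSystemPropertiesFile=true' "$f"; then
        return 1
    fi
    grep -q '^[[:space:]]*security\.disableSystemPropertiesFile=true' "$f"
}

# add_idusers_flag IDUSERS_SH
# Inserts the -D flag right after "java" on the launch line, once.
add_idusers_flag() {
    f="$1"
    if grep -q -- "$FLAG" "$f"; then
        return 0
    fi
    backup "$f"
    sed "s|^\([[:space:]]*\)java |\1java $FLAG |" "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# check_idusers_flag IDUSERS_SH: returns 0 when the launch line carries the flag.
check_idusers_flag() {
    grep -q -- "^[[:space:]]*java $FLAG " "$1"
}

# Usage: sh icdx_fips_fix.sh <java.security path> <idusers.sh path>
if [ "$#" -eq 2 ]; then
    disable_system_props "$1"
    add_idusers_flag "$2"
    check_java_security "$1" && check_idusers_flag "$2" && echo "both files updated"
fi
```

Run it as root (or the owner of both files) with the two paths as arguments, then continue from step 4. Because both edit functions check before they change anything, re-running the script after a product update that rewrites idusers.sh is safe, and the backups make it easy to diff what the script touched.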