KB 110088 - Vasco





Applies to: IDENTIKEY Server
KB 110088 – 29/03/2011 14:14
© 2011 VASCO Data Security. All rights reserved.
Page 1 of 2


KB 110088

SSL Error after installing SSL certificates in IDENTIKEY Server.
Creation date: 28/03/2011 Last Review: 29/03/2011 Revision number: 2
Document type: Known-Issue Security status: EXTERNAL


Summary

After installing the SSL certificates, the wizard terminates successfully, but it is
not possible to connect to the SOAP port after the IDENTIKEY Server is restarted.
The audit file shows the following error message: 'An error occurred while
attempting to initialize the SSL SOAP server context. The SOAP error code
was 25. The error message was: A SOAP protocol error 25 has occurred.
Error message is "SSL error". Details "Can't read key file".'

Details

After installing the SSL certificate (both private key and server certificate), the
wizard terminates and the IDENTIKEY Server restarts normally.
Once the certificates are installed, it is necessary to redeploy the Web Administration.
This fails with the message 'An error occurred: Unable to connect to the specified URL
https://192.168.1.102:8888. Failed to create a server entry.'
Examining the IDENTIKEY Server shows that the SOAP port (8888) is not in use.
The trace file shows an error message during the startup of the IDENTIKEY Server
service:
[2011/03/28|15:12:58][47181219624384][INFO ][adt_record] > Audit: {Error} {Communication} {E-000001} {A system error has occurred.} {0xCF341DB4EE4ECE6ECE6D8EF8FADE8342}
[2011/03/28|15:12:58][47181219624384][INFO ][adt_record] > Audit: {Area:SOAP Communicator, Operation:Bind to SOAP port., Error Code:-650, Error Message:An error occurred while attempting to initialize the SSL SOAP server context. The SOAP error code was 25. The error message was: A SOAP protocol error 25 has occurred. Error message is "SSL error". Details "Can't read key file"., Error Details: {Error Code: '(-650)' ; Error Message: 'An error occurred while attempting to initialize the SSL SOAP server context. The SOAP error code was 25. The error message was: A SOAP protocol error 25 has occurred. Error message is "SSL error". Details "Can't read key file". ()'}}
[2011/03/28|15:12:58][47181219624384][MAJOR][SoapFrontEndHandler::setup] > Exception occurred while attempting to to bind to SOAP port. Exception: N5vasco9ExceptionE: Error -650 in function "SOAPServer::bindSOAPSocket": An error occurred while attempting to initialize the SSL SOAP server context. The SOAP error code was 25. The error message was: A SOAP protocol error 25 has occurred. Error message is "SSL error". Details "Can't read key file".
This issue is caused by a mismatch between the private key file and the server
certificate file. The specified private key file was not used to generate the specified
server certificate or vice versa.
This can be verified by comparing the modulus of the private key with the modulus of
the server certificate.
Because the modulus is quite long, it is easier to compare the MD5 checksums of the
two moduli.
The following openssl commands can be used:





• To verify the private key:
openssl rsa -inform PEM -in private_key.pem -modulus -noout
After specifying the passphrase of the private key, the modulus will be shown.
• To verify the server certificate:
openssl x509 -inform PEM -in cert.pem -modulus -noout
• To generate the MD5 checksum of a modulus:
openssl md5
Examples:
• Generate the modulus of the private key.
C:\>openssl.exe rsa -inform PEM -in correct_encrypt.pem -modulus -noout
Enter pass phrase for correct_encrypt.pem:
Modulus=A9FC177A413C292806DE76ADEA25516B201D2F5F4F870E06AEB85C9CF45326B453D007473
3276096B413D53FC6FAF2FDF7EA22C65303248F37744F2C91B1AB3CAC0BF311FD5CC8AFBB65B878FD
9E9901A37B1E583083066826017062FD0446A3316377F2C7CCDD6C8468646A03F2D20ED66D3758543
69DC9F0B22D050E4FC41122964124C7014D84A4A3388616960E26541FDF4D834DE2BFA354B3E7FA67
A1476D05E28086B1A0D105619BA8D67C43FF7195F331CB84F3E4DCCF33D7A7CF540F525E39DC24A84
884E95D340F2A2B53163E325B7EABEB88F2DCB09875C0DBE961A2C285FF28FDBF4B4CF3CB62079BFA
9E63F5EC0A8B7A7C85366A3BD494A533C1

• Generate the MD5 checksum of the modulus of the private key.
C:\>openssl.exe rsa -inform PEM -in correct_encrypt.pem -modulus -noout |openssl md5
Enter pass phrase for correct_encrypt.pem:
c9d256bc09000197398e91735823d773
• Generate the MD5 checksum of the modulus of the server certificate.
C:\>openssl x509 -inform PEM -in ik_cert.pem -modulus -noout | openssl md5
c9d256bc09000197398e91735823d773
The modulus (or the MD5 checksum of the modulus) for both the private key and the
certificate should be the same.
If the results are different a new server certificate will have to be generated.
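
The comparison above as a script that can be run before the certificate wizard; this is an added example, not part of the VASCO article. It assumes an openssl binary on the PATH, reads a key passphrase from a KEY_PASS environment variable (a name chosen here), builds constructed sample files, and uses SHA-256 in place of MD5, which works equally well because only equality of the two digests matters.

```shell
#!/bin/sh
# Added example: pre-install check that a private key and a server certificate
# carry the same RSA modulus. KEY_PASS and all file names are assumptions.

# Reduce an "openssl ... -modulus" line to a digest; reject non-RSA output.
digest_of() {
    case $1 in Modulus=[0-9A-F]*) ;; *) return 1 ;; esac
    printf '%s\n' "$1" | openssl sha256 | sed 's/^.*= *//'
}

# Modulus digest of a private key. The passphrase of an encrypted key is taken
# from $KEY_PASS (empty if unset) so the check never waits on a prompt.
key_digest() {
    m=$(KEY_PASS=${KEY_PASS:-} openssl rsa -inform PEM -in "$1" -modulus \
        -noout -passin env:KEY_PASS 2>/dev/null) || return 1
    digest_of "$m"
}

# Modulus digest of a certificate.
cert_digest() {
    m=$(openssl x509 -inform PEM -in "$1" -modulus -noout 2>/dev/null) || return 1
    digest_of "$m"
}

# Exit 0: key and certificate match. 1: mismatch (the cause of "Can't read key
# file" in this KB). 2: a file could not be read as an RSA key or certificate.
key_matches_cert() {
    k=$(key_digest "$1") || return 2
    c=$(cert_digest "$2") || return 2
    [ "$k" = "$c" ]
}

# Constructed samples in directory $1: a key, its self-signed certificate, and
# an unrelated second key that reproduces the mismatch.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

dir=$(mktemp -d) && make_samples "$dir"
key_matches_cert "$dir/key.pem" "$dir/cert.pem" && echo "key.pem: match"
key_matches_cert "$dir/other.pem" "$dir/cert.pem" || echo "other.pem: status $?"
rm -rf "$dir"
```

A status of 1 from key_matches_cert means a new server certificate has to be generated for that key, as the article states.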