IBM webMethods Hybrid Integration

  • 1.  RSA integration with webMethods (Third party integration)

    Posted Wed May 13, 2015 10:04 AM

    Dear Members,

    We are trying to do a third-party integration with RSA so that RSA token values are passed to the RSA server for two-factor authentication. For that we have downloaded RSA authapi-8.5.jar and cryptoj-6.1.jar.

    I am getting the error "Could not generate DH keypair" on an HP Unix environment with JRE 1.6.0.07 version. We are trying to integrate with the RSA authentication agent using the authentication agent authapi-8.5 jar.

    We are able to do the handshake with the RSA server, but while trying to call the authentication service it always throws the error “Couldn’t generate DH key pair”. I have gone through various links on the internet to fix this issue, have installed JCE with unlimited strength and have put in the latest local_policy.jar and US_export_policy.jar, but I am still facing the issue.

    FYR I am attaching my logs below from our API call log.

    {updateServerAccessTime} serviceHostName = 172.xx.xx.xx, accessTime=1430642883818

    [2015-05-03 12:48:03,818] DEBUG HTTP Handler 172.xx.xx.xx - initializeConnection: direct connection (no proxy): http://172.xx.xx.xx:5500/Services/MessageKeyService

    [2015-05-03 12:48:03,820] DEBUG HTTP Handler 172.xx.XX.XXX - processRequest: MSGKEY response: <?xml version='1.0' encoding='UTF-8'?><key:KeyResponse xmlns:xenc10=“XML Encryption Syntax and Processing” xmlns:stat=“http://www.rsa.com/schemas/2008/05/CommonAPI/status” xmlns:key=“http://www.rsa.com/schemas/2008/05/CommonAPI/keys” xmlns:ds=“XML-Signature Syntax and Processing” InResponseTo=“c8a539d1705e581f” ID=“a9148641f099a820”><stat:Status Status=“IN_PROCESS”/><key:ResponseContext ID=“XXXXXXXXXXXXXd1YP3fLp0QxBLNqhXXXXXXnpvdYptbDRtV!1081713338!143064XXXXX”/></key:KeyResponse>

    [2015-05-03 12:48:03,820] DEBUG HTTP Handler 172.xx.xx.xx - {updateServerResponseTime} serverLBInfoMap: Key Values: 172.xx.XX.XX

    [2015-05-03 12:48:03,820] DEBUG HTTP Handler 172.xx.xx.xx - {updateServerResponseTime} serviceHostName = 172.xx.xx.xx, responseTime=2

    [2015-05-03 12:48:03,820] DEBUG HTTP Handler 172.xx.xx.xx - server response: <?xml version='1.0' encoding='UTF-8'?><key:KeyResponse xmlns:xenc10=“XML Encryption Syntax and Processing” xmlns:stat=“http://www.rsa.com/schemas/2008/05/CommonAPI/status” xmlns:key=“http://www.rsa.com/schemas/2008/05/CommonAPI/keys” xmlns:ds=“XML-Signature Syntax and Processing” InResponseTo=“c8a539d1705e581f” ID=“a9148641f099a820”><stat:Status Status=“IN_PROCESS”/><key:ResponseContext ID=“XXXXQmTHvJJhL17d1YP3fLp0QxXXXXXXXJnpvdYptbDRtV!1081713338!1430XXX77053”/></key:KeyResponse>

    [2015-05-03 12:48:03,822] DEBUG HTTP Handler 172.xx.xx.xx - server in-process:

    [2015-05-03 12:48:03,822] DEBUG HTTP Handler 172.xx.xx.xx - performing client key exchange of 0 bytes

    [2015-05-03 12:48:03,822] ERROR HTTP Handler 172.xx.xx.xx - Error in processing Authn request: Could not generate DH keypair

    [2015-05-03 12:48:03,822] ERROR HTTP Handler 172.xx.xx.xx - Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: Could not generate DH keypair

    Any pointers/help will be really appreciated.


    #Integration-Server-and-ESB
    #webMethods


  • 2.  RE: RSA integration with webMethods (Third party integration)

    Posted Wed May 13, 2015 12:45 PM

    This line:
    [2015-05-03 12:48:03,822] DEBUG HTTP Handler 172.xx.xx.xx - performing client key exchange of 0 bytes
    I assume this is critical. Have you configured your cert properly?


    #webMethods
    #Integration-Server-and-ESB


  • 3.  RE: RSA integration with webMethods (Third party integration)

    Posted Wed May 13, 2015 12:52 PM

    Also what is your IS version configured?

    HTH,
    RMG


    #webMethods
    #Integration-Server-and-ESB


  • 4.  RE: RSA integration with webMethods (Third party integration)

    Posted Thu May 14, 2015 06:20 AM

    Also, please share how you generated the key pair. Did you validate it?

    Thanks,


    #Integration-Server-and-ESB
    #webMethods


  • 5.  RE: RSA integration with webMethods (Third party integration)

    Posted Thu May 14, 2015 03:56 PM

    Dear Tong Wang/ RMG,
    IS version is 8.2.2.
    Just to provide more insight into the steps we have followed: we generate the sdconf.rec file on the RSA server and then put it in IS home (/softwaereag/IntegrationServer), which ultimately helps us to communicate with the RSA server. We provide authentication agent details (in this case IS) in the RSA server so that the RSA server understands that the call is coming from a known auth agent. Auth agent details consist of the DNS name & IP of the server (IS) and some basic details.
    The first time IS communicates with the RSA server utilizing sdconf.rec, the RSA server creates a folder whose name matches our IS server DNS name, which was provided during auth agent creation on the RSA server. This folder contains the root.cer, bootstrap.xml and config.xml files. This folder is created in IS home. This means we are able to do a proper handshake and key exchange with the RSA server, and the same has been verified in the logs as well.
    Now when we try to call the authentication API with the help of authagent-8.5.jar through IS we get the DH key pair issue, but when we do the same thing using a standalone JVM it works fine. SAG support guided us to get the SSL handshake log by tweaking a JVM parameter, and below are their comments:
    “The logs you sent seem to be what we are looking for – everything seems to work fine until you try to execute, meaning it’s a code issue. The handshake passes well, connections work and you start to execute, meaning everything up until this point does work. You can see in the logs that all goes well until we see a stack trace showing where custom code fails:
    HTTP Handler 172.16.60.128, fatal error: 80: problem unwrapping net record
    java.lang.RuntimeException: Could not generate DH keypair
    HTTP Handler 172.16.60.128, SEND TLSv1 ALERT: fatal, description = internal_error
    HTTP Handler 172.16.60.128, WRITE: TLSv1 Alert, length = 2
    com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: Could not generate DH keypair”

    Now I am unable to understand why, if we perform similar steps using a standalone JVM of the same version as IS, it works fine, but when I use IS it throws the error. My guess is that I am missing some minute link. Do I need to import the root certificate (root.cer) generated by RSA into cacerts, or do I need to place it somewhere else? Being a novice in understanding the SSL handshake, I am unable to figure out what exactly I am missing here.

    MRas173d, can you please guide me more on generating/validating the key pair? I presume that it’s done by IS and the RSA server at configuration level, as the same steps work well when followed in a standalone JVM.

    Thanks,
    Abhishek


    #webMethods
    #Integration-Server-and-ESB


  • 6.  RE: RSA integration with webMethods (Third party integration)

    Posted Thu May 14, 2015 07:02 PM

    Check this post:

    WM’s cipher suite is different from that of a stand-alone JVM. Guess it’s the reason it works with stand-alone, but not WM.


    #webMethods
    #Integration-Server-and-ESB
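
A diagnostic that can be run unchanged in the stand-alone JVM and inside Integration Server (for example from a Java service) to compare the JCE provider order, the default JSSE cipher suites and DH key generation, the pieces involved in the cipher-suite difference suggested above. This is an added example, not code from the thread, RSA or webMethods; the class name `DhDiag` is hypothetical.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic (hypothetical class name), written in Java 6 compatible syntax.
public class DhDiag {

    // Try to create a DH key pair of the given size with whichever provider
    // the JVM selects first; report that provider or the exception raised.
    static String tryDh(int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            kpg.initialize(bits);
            kpg.generateKeyPair();
            return "ok via " + kpg.getProvider().getName();
        } catch (Exception e) {
            return "FAILED: " + e;
        }
    }

    static String report() {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version=").append(System.getProperty("java.version"))
          .append(" java.home=").append(System.getProperty("java.home")).append('\n');

        // Provider order decides which implementation serves "DiffieHellman".
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            sb.append("provider ").append(i + 1).append(": ")
              .append(providers[i].getName()).append(' ')
              .append(providers[i].getVersion()).append('\n');
        }

        // Suites the default JSSE socket factory offers; DHE and DH_anon need DH key generation.
        String[] suites = ((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites();
        for (int i = 0; i < suites.length; i++) {
            boolean dh = suites[i].indexOf("_DHE_") >= 0 || suites[i].indexOf("_DH_") >= 0;
            sb.append(dh ? "suite [DH] " : "suite      ").append(suites[i]).append('\n');
        }

        sb.append("DH 1024: ").append(tryDh(1024)).append('\n');
        sb.append("DH 2048: ").append(tryDh(2048)).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(report());
    }
}
```

Diffing the two reports shows whether the runtimes differ in provider list, offered DH suites or the DH sizes they can generate.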


  • 7.  RE: RSA integration with webMethods (Third party integration)

    Posted Fri March 24, 2017 08:23 AM

    Hi Abhishek,

    Did you manage to get this working? I am working on a similar integration… Currently the initial handshake itself is not successful. I am not passing any arguments to the AuthSessionFactory.getInstance() method.

    Error : ERROR HTTP Handler 127.0.0.1 - com.rsa.authagent.authapi.AuthAgentException: java.lang.NullPointerException

    Below are the locations of the necessary config files:

    rsa_api.properties - \IntegrationServer\instances\default (I have tried keeping this file outside of the ‘instance’ folder as well, but it does not work.)

    securid and sdconf.rec - C:\Windows\System32

    Any pointers to fix this?

    Regards,
    Prashanth


    #Integration-Server-and-ESB
    #webMethods