IBM Security Verify

  • 1.  ISVA certificate handling fails with ISVA version 10.0.5

    Posted Fri April 21, 2023 10:54 AM

    Hi,

    We have upgraded our environments from ISVA 10.0.2 to 10.0.5 (10.0.2 -> 10.0.4 -> 10.0.5).

    We have a few questions related to the certificate databases.

    1. Are certificate labels unique across all certificate key databases?
    2. If not, why are we getting DPWAP0194E Failed to store the supplied certificate in the keyfile: pdsrv.p12 (0x2: GSKKM_ERR_ASN)?

    We got the error when we tried to import a new signer certificate using the LMI (import with Ansible also fails). We have defined a unique label for it.

    Best Regards,
    Jarno



    ------------------------------
    Jarno Hänninen
    ------------------------------


  • 2.  RE: ISVA certificate handling fails with ISVA version 10.0.5

    Posted Fri April 21, 2023 05:42 PM

    Jarno,


    In answer to your questions:


    1. No.  Each certificate database is treated separately.  You can have the same certificate label, and certificate, in different databases.
    2. It looks like there is an issue with the certificate itself and it is not supported within a PKCS-12 database.  I would suggest that you raise a ticket with the IBM support team to get them to take a closer look at why the certificate is not being accepted.


    I hope that this helps.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: ISVA certificate handling fails with ISVA version 10.0.5

    IBM Champion
    Posted Fri April 21, 2023 06:13 PM

    Hi Jarno, 

    There is a possibility that an old signer certificate with a matching serial number is present in the key database (the DB you are importing the new signer into) under a different label. Try filtering the signer certs in the key database by serial number to see if there is an existing matching signer certificate.

    Also, just to isolate the issue, try importing the signer cert into a freshly created key database.



    Regards,
    Rama



    ------------------------------
    Rama Yenumula
    ------------------------------
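
Scott's reply puts the GSKKM_ERR_ASN failure on the certificate bytes themselves, and Rama's reply suggests checking the key database for an existing signer with the same serial number. The block below is an added example, not code from this thread, from IBM or from GSKit, and it does not reproduce GSKit's error codes. It is a pure-stdlib Python DER tag/length walker that does for the outer Certificate structure what `openssl asn1parse` would do: it checks each tag and length the way a strict ASN.1 decoder does (reporting a "wrong tag" or "runs past end of data" reason instead of the appliance's 0x2), and it extracts the serial number so that signers exported from the key database can be compared by serial before you reach for the corrupt-database explanation. The certificate bytes are constructed stubs carrying only the fields the parser touches, not real certificates, and the labels `old_root_ca` and `intermediate_ca` are hypothetical.

```python
import base64
import re

# Added example (not IBM/GSKit code). Two checks from the thread:
#  1. does the signer certificate decode as ASN.1 at all?
#  2. does an existing signer in the key database share its serial number?
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Accept either PEM or raw DER and return DER bytes."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at `pos`; return (tag, header_len, content_len).

    Raises ValueError for the malformations a strict DER decoder rejects.
    """
    if pos + 1 >= len(buf):
        raise ValueError(f"unexpected end of data at offset {pos}")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError(f"high-tag-number form not supported at offset {pos}")
    first = buf[pos + 1]
    if first < 0x80:                      # short form: length fits in one byte
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError(f"indefinite length at offset {pos} is not valid DER")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n > 4 or pos + 2 + n > len(buf):
            raise ValueError(f"bad length encoding at offset {pos}")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    if pos + hdr + length > len(buf):
        raise ValueError(f"length at offset {pos} runs past end of data")
    return tag, hdr, length


def expect(buf: bytes, pos: int, tag: int, what: str):
    """Require the element at `pos` to carry `tag`; return (content_start, content_end)."""
    t, hdr, length = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"wrong tag for {what} at offset {pos}: expected 0x{tag:02X}, got 0x{t:02X}")
    return pos + hdr, pos + hdr + length


def certificate_serial(data: bytes) -> str:
    """Walk Certificate -> TBSCertificate -> serialNumber; return the serial as upper-case hex."""
    der = pem_to_der(data)
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    cert_start, cert_end = expect(der, 0, 0x30, "Certificate")
    if cert_end != len(der):
        raise ValueError(f"{len(der) - cert_end} trailing byte(s) after Certificate")
    tbs_start, tbs_end = expect(der, cert_start, 0x30, "TBSCertificate")
    pos = tbs_start
    tag, hdr, length = read_tlv(der, pos)
    if tag == 0xA0:                       # [0] EXPLICIT version is optional (absent means v1)
        pos += hdr + length
    ser_start, ser_end = expect(der, pos, 0x02, "serialNumber")
    if ser_end > tbs_end:
        raise ValueError("serialNumber extends beyond TBSCertificate")
    return der[ser_start:ser_end].hex().upper()


def check_certificate(data: bytes):
    """Return (True, serial) if the bytes decode as a Certificate, else (False, reason)."""
    try:
        return True, certificate_serial(data)
    except ValueError as exc:
        return False, str(exc)


def find_serial_collisions(new_cert: bytes, existing: dict) -> list:
    """Labels in `existing` (label -> PEM/DER bytes) whose certificate shares the new cert's serial."""
    target = certificate_serial(new_cert)
    return sorted(label for label, blob in existing.items() if certificate_serial(blob) == target)


# Constructed sample input, not real certificates: version v3, serial 0A:1B:2C,
# sha256WithRSAEncryption algorithm identifier, two-byte dummy signature.
GOOD_DER = bytes.fromhex(
    "30 20"
    "  30 0A  A0 03 02 01 02  02 03 0A 1B 2C"
    "  30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00"
    "  03 03 00 DE AD"
)
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(GOOD_DER) + b"-----END CERTIFICATE-----\n"
OLD_DER = GOOD_DER[:-2] + b"\xbe\xef"                                          # same serial, other signature
OTHER_DER = GOOD_DER.replace(b"\x02\x03\x0a\x1b\x2c", b"\x02\x03\x0a\x1b\x2d")  # serial 0A:1B:2D
WRONG_TAG_DER = GOOD_DER[:9] + b"\x04" + GOOD_DER[10:]                         # serial tagged OCTET STRING
TRUNCATED_DER = GOOD_DER[:20]                                                  # outer length claims 32 bytes

# Hypothetical labels standing in for signers exported from pdsrv.p12.
EXISTING = {"old_root_ca": OLD_DER, "intermediate_ca": OTHER_DER}

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PEM), ("wrong tag", WRONG_TAG_DER), ("truncated", TRUNCATED_DER)]:
        print(name, check_certificate(blob))
    print("serial collisions:", find_serial_collisions(GOOD_PEM, EXISTING))
```

In practice you would export the existing signers from the key database as PEM and pass them in as the `existing` mapping. A matching serial from a different issuer is a different certificate, so compare the issuer too before deleting anything; the check only surfaces candidates.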



  • 4.  RE: ISVA certificate handling fails with ISVA version 10.0.5

    Posted Tue April 25, 2023 12:59 PM

    Thanks Scott,

    We raised a ticket and meanwhile did some debugging. The certificate itself was OK, but the certificate database was corrupted. This relates somehow to the upgrade process. The workaround was to delete and re-create the pdsrv kdb, and then import the certificates back into the pdsrv kdb. However, this did not work for certificate databases such as rt_profile_keys or lmi_trust_store, which are protected ("The default Runtime key database cannot be renamed or deleted.").

    Best Regards,
    Jarno



    ------------------------------
    Jarno Hänninen
    ------------------------------



  • 5.  RE: ISVA certificate handling fails with ISVA version 10.0.5

    IBM Champion
    Posted Mon April 24, 2023 08:33 AM

    Hi Jarno,

    I have run into similar "asn" issues today with an ISVA 10.0.5.
    The issues were related to making WebSEAL sign a JWT ([jwt:/junction] stanza) and using the jwks local-app.

    Those issues were logging the following error, and were breaking WebSEAL's JWT injection and the jwks local-app:

    DPWIV1219E An SSL toolkit failure occurred while calling d2i_AutoPrivateKey. Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag.



    We were able to fix those issues by removing special characters from the certificate label. And by special characters I mean "-" and "_", which do not seem so special.

    Once all our certificates were reimported into a truststore without any "-" or "_" in their labels, WebSEAL started behaving as expected again.


    No idea if this can help you, but you never know.

    Regards,
    André





    ------------------------------
    André Leruitte
    ------------------------------