Configuring SSO keystore passwords and encryption - Issues & Workarounds

We ran into a couple of problems with Inventory & Compliance when following the directions given on the Configuring SSO keystore passwords and encryption page.

Problem 1

We could not get Step 2a to work. The directions assume we know what the key password is, but we don’t. We only know the password to the keystore itself. We worked around this by proceeding to the next step, 2b.

Problem 2

Step 3 results in the following error:

C:\Users\BFIAdmin>"D:\Program Files\ibm\BFI\wlp\bin\securityUtility.bat" encode     --encoding=aes
The system cannot find the path specified.
"D:\Program Files\ibm\BFI\jre\jre\bin\\bin\java"

This will only work if the Command Prompt has a JAVA_HOME variable set. In our case and the case of others, it’s not set at the system level. One way to get around this is to just set it for the session from the command prompt. Assuming BFI is installed on the D: drive, this is the command that should be run first:

set JAVA_HOME="D:\Program Files\ibm\BFI\jre\jre\"

After doing so, Step 3 can then be completed as expected.

Problem 3

After Step 7, we could no longer access the server. It would only give HTTP Error 403 Forbidden responses.

First, we checked the tema.log file, which had lines like this inside:

[3/16/20 18:27:16:810 UTC] 0000002a com.ibm.ws.ssl.config.WSKeyStore                             E CWPKI0812E: Error while trying to get the [samlsp] key from the [SPKeyStore] keystore. Check to make sure the entry is a key and the key password is correct. Exception returned is: [Given final block not properly padded].
[3/16/20 18:27:16:857 UTC] 0000002a com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "java.security.KeyStoreException: Unexpected error while loading the requested private key for alias [samlsp] from keystore: SPKeyStore com.ibm.ws.security.saml.sso20.internal.utils.RequestUtil 224" at ffdc_20.03.16_18.27.16.0.log

At first, we thought there could be a problem with the password, but this turned out not to be the case after we verified the password worked with ikeyman.exe. Opening up ikeyman.exe did, however, lead us to the correct path: we discovered via ikeyman.exe that there were now 2 Personal Certificates entries in SPKeyStore with the same alias, samlsp. Both were displayed in red text.

This may be the result of how we worked around Problem 1, but it appears that at Step 2b, the keytool program created a duplicate entry for the key found in SPKeyStore.jceks. The red text indicates to me that the duplicate entry seems like an invalid format for a JCEKS file, which seemed to explain why Inventory/Compliance reported the error in tema.log.

We worked around this problem by deleting the samlsp certificates from the SPKeyStore Personal Certificates (deleting one deletes both automatically) and then re-importing our PFX/P12 certificates as a PKCS12S2 file in ikeyman.exe.

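A quick way to spot the duplicate-alias condition from Problem 3 before restarting the server is to run `keytool -list` against SPKeyStore.jceks and check the listing for repeated aliases. The script below is an added example, not code from the post or from the IBM documentation; it assumes the non-verbose `keytool -list` output format (one `alias, date, EntryType,` line per entry) and uses a constructed listing that mirrors the two samlsp entries described above.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of `keytool -list -keystore SPKeyStore.jceks -storetype JCEKS`
# output, modelled on the duplicate "samlsp" entries seen in Problem 3.
# Fingerprints are placeholders, not real values.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

samlsp, Mar 16, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
samlsp, Mar 16, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
"""

# Matches an entry header line such as "samlsp, Mar 16, 2020, PrivateKeyEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>[^,]+, \d{4}), (?P<type>\w+),\s*$")


def parse_entries(listing: str) -> List[Tuple[str, str]]:
    """Return (alias, entry_type) pairs found in non-verbose keytool -list output."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("alias").strip(), m.group("type")))
    return entries


def find_duplicate_aliases(listing: str) -> Dict[str, int]:
    """Map each alias that appears more than once to its occurrence count."""
    counts = Counter(alias for alias, _ in parse_entries(listing))
    return {alias: n for alias, n in counts.items() if n > 1}


def check_keystore_listing(listing: str) -> List[str]:
    """Return findings about the listing; an empty list means nothing suspicious."""
    findings = []
    entries = parse_entries(listing)
    declared = re.search(r"contains (\d+) entr", listing)
    if declared and int(declared.group(1)) != len(entries):
        findings.append(f"declared {declared.group(1)} entries but parsed {len(entries)}")
    for alias, n in find_duplicate_aliases(listing).items():
        findings.append(f"alias '{alias}' appears {n} times; remove and re-import it")
    return findings
```

Pipe the real `keytool -list` output into `check_keystore_listing` after Step 2b; a non-empty result is the condition that produced the CWPKI0812E error in tema.log.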