Knowledge Doc: [ESM] Exception is thrown while running manager command tempCA in FIPS 140 mode


Summary
Temp CA is not supported in FIPS mode, so this is not a loss of functionality, although the error output looks ugly.

Products
ArcSight Enterprise Security Manager (ESM)

Environment
ESM 7.x

Situation
When the ArcSight tempca command is run in FIPS mode, the following messages are shown.

$ ./arcsight tempca -i
Assuming ARCSIGHT_HOME: /opt/arcsight/manager
Assuming JAVA_HOME: /opt/arcsight/manager/jre
ArcSight TempCA starting...
java.io.IOException: DER length more than 4 bytes: 109
        at org.bouncycastle.asn1.ASN1InputStream.readLength(Unknown Source)
        at org.bouncycastle.asn1.ASN1InputStream.readLength(Unknown Source)
        at org.bouncycastle.asn1.ASN1InputStream.readObject(Unknown Source)
        at org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at com.arcsight.crypto.SSLKeystore.ensureLoaded(SSLKeystore.java:127)
        at com.arcsight.crypto.SSLCAKeystore.getCertificate(SSLCAKeystore.java:72)
        at com.arcsight.crypto.SSLTruststore.describeConfig(SSLTruststore.java:254)
        at com.arcsight.crypto.TemporaryRootCertificateAuthority.printSSLSetupInformation(TemporaryRootCertificateAuthority.java:326)
        at com.arcsight.crypto.TemporaryRootCertificateAuthority.main(TemporaryRootCertificateAuthority.java:579)

Cause
The command tried to open the keystore that holds the demo certificate (keystore.tempca). The demo certificate is never used in FIPS mode, so that keystore is never set up in a FIPS-compatible format, and the FIPS keystore loader (BCFIPSKeyStoreSpi in the trace above) fails while parsing it. The code has been changed so that the command no longer looks at that keystore in FIPS mode.
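The stack trace shows what happens when a keystore that is not in the FIPS (BCFKS) format is handed to the BCFKS loader: Bouncy Castle reads the first byte as an ASN.1 tag and the second as a DER length, and a non-DER file fails immediately. The small diagnostic below is an added example, not ArcSight or Bouncy Castle code. It sniffs a keystore file's leading bytes to tell JKS/JCEKS from DER-based formats (PKCS#12 and BCFKS both start with a DER SEQUENCE), models Bouncy Castle's `readLength` check so the exact message from the trace can be reproduced, and returns a recommendation for a FIPS deployment. The sample byte strings are constructed; the JKS magic value 0xFEEDFEED is a public constant, and the observation that its second byte 0xED gives a length-of-length of 0xED & 0x7F = 109 is an inference from that constant, not a statement made by the article. Function names (`sniff_keystore_format`, `bc_first_object_error`, `diagnose`) are hypothetical.

```python
import struct
from typing import Optional

# Standard leading bytes of common keystore formats.
JKS_MAGIC = 0xFEEDFEED    # Java JKS keystore magic number
JCEKS_MAGIC = 0xCECECECE  # Java JCEKS keystore magic number
DER_SEQUENCE = 0x30       # PKCS#12 and BCFKS files both begin with a DER SEQUENCE

# Constructed sample inputs (headers only, not real keystores).
JKS_SAMPLE = bytes.fromhex("feedfeed00000002")          # JKS magic + version 2
DER_SAMPLE = bytes.fromhex("30820100") + bytes(256)      # SEQUENCE with 256-byte body


def sniff_keystore_format(data: bytes) -> str:
    """Classify a keystore file by its leading bytes."""
    if len(data) < 4:
        return "unknown"
    (magic,) = struct.unpack(">I", data[:4])
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if data[0] == DER_SEQUENCE:
        return "DER"  # PKCS#12 or BCFKS; telling them apart needs a full parse
    return "unknown"


def bc_read_length(data: bytes, pos: int) -> int:
    """Model of Bouncy Castle ASN1InputStream.readLength(): returns the DER length
    starting at data[pos], or raises IOError with BC's wording."""
    first = data[pos]
    if first == 0x80:
        return -1  # indefinite-length form
    if first < 0x80:
        return first  # short form: the byte is the length itself
    size = first & 0x7F  # long form: low 7 bits give the number of length bytes
    if size > 4:
        raise IOError(f"DER length more than 4 bytes: {size}")
    length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
    if length >= len(data):
        raise IOError("corrupted stream - out of bounds length found")
    return length


def bc_first_object_error(data: bytes) -> Optional[str]:
    """Return the error message BC would raise on the first ASN.1 object, or None."""
    pos = 0
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:  # high-tag-number form: skip continuation bytes
        while data[pos] & 0x80:
            pos += 1
        pos += 1
    try:
        bc_read_length(data, pos)
    except IOError as exc:
        return str(exc)
    return None


def diagnose(data: bytes, fips_mode: bool) -> str:
    """Say whether a keystore can be loaded by the provider active in this mode."""
    fmt = sniff_keystore_format(data)
    if fips_mode and fmt in ("JKS", "JCEKS"):
        return (f"{fmt} keystore is not loadable by the FIPS (BCFKS) provider "
                f"(BC would report: {bc_first_object_error(data)}); skip it in FIPS mode")
    if fmt == "DER":
        return "DER-based keystore (PKCS#12 or BCFKS); loadable by the FIPS provider"
    if fmt == "unknown":
        return "unrecognised keystore header; inspect the file before loading it"
    return f"{fmt} keystore; loadable by the non-FIPS Java providers"


if __name__ == "__main__":
    # A JKS header handed to the BCFKS loader reproduces the message from the trace.
    print(diagnose(JKS_SAMPLE, fips_mode=True))
    print(diagnose(DER_SAMPLE, fips_mode=True))
```

Running this on a real file is a matter of reading its first few hundred bytes and passing them to `diagnose`; the JKS sample yields the same "DER length more than 4 bytes: 109" text as the trace, which is a quick way to confirm that a FIPS-mode failure is a format mismatch rather than a corrupted keystore.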

Resolution
Temp CA is not supported in FIPS mode, so this is not a loss of functionality; only the error output is ugly, and the change described under Cause stops the command from reading that keystore in FIPS mode.

URL Name
KM000011961