000034951 - Error "Could not generate DH keypair" between the RSA Token Server (RTS) and RSA Data Protection Manager

Document created by RSA Customer Support Employee on Mar 21, 2017. Last modified by RSA Customer Support on Jan 20, 2020. Version 4.

Article Content

Article Number: 000034951
Applies To: RSA Product Set: Data Protection Manager
RSA Product/Service Type: RSA Token Server
RSA Version/Condition: 1.2.62
Issue: The RSA Token Server (RTS) is unable to connect to the RSA Data Protection Manager (DPM) appliance. The following error is logged in RTS:

ERROR [kmc.audit] - 1.2.1.6 5.3: Error accessing key by key class name with parameter KeyClassName, javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair, res.cert.serial[0]=123456, res.cert.issuer[0]=CN=DPMClientCertificate
Cause: The RSA DPM 3.5.2.5 appliance now enforces a stronger TLS cipher suite, and the JVM in which the DPM Client runs inside RTS cannot handle it. The exception is raised on the RTS side because the JVM fails when it tries to generate its ephemeral Diffie-Hellman key pair for the DH parameters the DPM appliance sends during the TLS handshake, which is why the fix is applied to the server-side parameters.
Resolution: To resolve this issue:
  1. Log in as root on the DPM appliance.
  2. Generate RFC 5114 Diffie-Hellman parameters (a 1024-bit group with a 160-bit subgroup) by running the following:

openssl genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1

  3. Append the output of the command above to the file /opt/certs/serverCertificate, so that the file looks something like the following:

-----BEGIN CERTIFICATE-----
[...]
[...]
[...]
-----END CERTIFICATE-----
-----BEGIN X9.42 DH PARAMETERS-----
MIIBHwKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
+qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QIVAPUYqoeBqN8nirpOfWS3y51J
RiNT
-----END X9.42 DH PARAMETERS-----

  4. Restart Apache:

service httpd restart
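Before restarting Apache it is worth confirming that the edit in step 3 produced what mod_ssl expects: the original certificate block still present, followed by an X9.42 DH PARAMETERS block whose group is really 1024 bits with a 160-bit subgroup (mod_ssl reads custom DH parameters appended to the certificate file). The checker below is an added example, not RSA's code or part of the article; it needs no openssl binary, decodes the PEM and DER itself, and embeds the RFC 5114 group 1 block exactly as the article prints it. The certificate body in the constructed sample is a labelled placeholder, not a real certificate, and is never parsed; the file path /opt/certs/serverCertificate is the one from the article.

```python
import base64
import re

# RFC 5114 group 1 (1024-bit MODP group, 160-bit subgroup) as printed by
# `openssl genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1`; copied from the article.
RFC5114_GROUP1_PEM = """-----BEGIN X9.42 DH PARAMETERS-----
MIIBHwKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y
mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4
+qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV
w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0
sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR
jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QIVAPUYqoeBqN8nirpOfWS3y51J
RiNT
-----END X9.42 DH PARAMETERS-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9. ]+)-----\n(.*?)\n-----END \1-----", re.S)


def build_sample_file():
    """Construct a sample /opt/certs/serverCertificate as it should look after step 3.

    The certificate body is a placeholder (constructed, not a real certificate, never
    parsed here); the DH block is the article's RFC 5114 group 1 output.
    """
    placeholder_cert = base64.b64encode(b"placeholder, not a real certificate").decode()
    return (
        "-----BEGIN CERTIFICATE-----\n"
        f"{placeholder_cert}\n"
        "-----END CERTIFICATE-----\n"
        f"{RFC5114_GROUP1_PEM}"
    )


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def der_read(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_x942_dh_params(der):
    """X9.42 DomainParameters: SEQUENCE { p INTEGER, g INTEGER, q INTEGER, ... }."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("DH block is not a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 3:
        tag, value, pos = der_read(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER inside DH parameters")
        ints.append(int.from_bytes(value, "big", signed=True))
    if len(ints) < 3:
        raise ValueError("no q present: PKCS#3 rather than X9.42 parameters")
    return dict(zip(("p", "g", "q"), ints))


def check_server_certificate_file(text):
    """Verify that the file holds a certificate plus X9.42 DH parameters and that the
    parameters form a consistent subgroup; return the group sizes for review."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        raise ValueError("no CERTIFICATE block: this is not the server certificate file")
    if "X9.42 DH PARAMETERS" not in labels:
        raise ValueError("no X9.42 DH PARAMETERS block: the genpkey output was not appended")
    params = parse_x942_dh_params(dict(blocks)["X9.42 DH PARAMETERS"])
    p, g, q = params["p"], params["g"], params["q"]
    # A proper subgroup: 1 < g < p-1, q divides p-1, and g has order q (g^q == 1 mod p).
    if not (1 < g < p - 1) or (p - 1) % q != 0 or pow(g, q, p) != 1:
        raise ValueError("inconsistent DH parameters: g does not generate a subgroup of order q")
    return {
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "dh_after_certificate": labels.index("X9.42 DH PARAMETERS") > labels.index("CERTIFICATE"),
    }


if __name__ == "__main__":
    # On the appliance, replace build_sample_file() with open("/opt/certs/serverCertificate").read()
    print(check_server_certificate_file(build_sample_file()))
```

Running it against the real file on the appliance (swap in the `open(...)` call shown in the comment) should report a 1024-bit p and a 160-bit q, matching the sizes the resolution generates; a missing DH block, a PKCS#3 block produced by `openssl dhparam` instead of `genpkey`, or a corrupted paste each raise a ValueError that names the problem.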
