Unable to audit with Identity Apps - Error creating certificate

  • 7023507
  • 08-Nov-2018
  • 08-Nov-2018

Environment
Identity Manager 4.7 - Identity Applications

Situation

Identity Apps has been configured to audit using the Platform Agent, sending events to Sentinel. No events reach Sentinel. The following error message is displayed in nproduct.log:

Thu Nov 01 18:12:15 2018 [jlogevent]: Using primary Secure Log Server 192.168.1.1.
Thu Nov 01 18:12:15 2018 [jlogevent]: Error: com.novell.naudit.logevent.LogEventException: Error creating certificate:
Could not parse certificate: java.io.IOException: Incomplete data
        at com.novell.naudit.logevent.LogEvent.doLogOpen(LogEvent.java:287)
        at com.novell.naudit.logevent.LogEvent.logOpen(LogEvent.java:99)
        at com.novell.naudit.LogEvent.LogOpen(LogEvent.java:208)
....

Resolution

This error indicates that the certificate the Identity Apps use to connect to the Platform Agent cannot be parsed. This certificate is stored in the ism-configuration.properties file, in the key called com.sssw.fw.security.sigcert.naudit.cert.

In particular, the error occurs if this entry is missing the expected \n (newline) escape sequences after the -----BEGIN CERTIFICATE----- header and/or before the -----END CERTIFICATE----- footer.

For example:
com.sssw.fw.security.sigcert.naudit.cert = -----BEGIN CERTIFICATE-----nMIICmTCCAYECBgFdFyx...
VzNfSgqro/6Wb5VhoC8n-----END CERTIFICATE-----

This entry has incorrect values: the character immediately before the certificate body and the one immediately after it is a plain "n" and not a "\n".

Change it to:
com.sssw.fw.security.sigcert.naudit.cert = -----BEGIN CERTIFICATE-----\nMIICmTCCAYECBgFdFyx...
VzNfSgqro/6Wb5VhoC8\n-----END CERTIFICATE-----

Then restart the Tomcat service to apply the change.
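As an added example (not part of this TID or the product), the following Python script reads the com.sssw.fw.security.sigcert.naudit.cert value from a properties-style line, resolves the backslash escapes the way java.util.Properties does, and reports whether a newline follows the BEGIN header and precedes the END footer before Identity Apps tries to load it. It assumes a single-line property value; the base64 bodies are constructed placeholders, not real certificates, and the repair only handles the bare "n" shown in this TID.

```python
import re

KEY = "com.sssw.fw.security.sigcert.naudit.cert"
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample lines (the base64 body is a placeholder, not a real certificate).
BAD_LINE = KEY + " = " + BEGIN + "nMIICmTCCAYECBgFdFyxVzNfSgqro/6Wb5VhoC8n" + END
GOOD_LINE = KEY + " = " + BEGIN + "\\nMIICmTCCAYECBgFdFyxVzNfSgqro/6Wb5VhoC8\\n" + END

def read_property(text, key=KEY):
    """Return the raw, still-escaped value of `key` (single-line values assumed), or None."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None

def unescape_java_properties(value):
    """Resolve the backslash escapes java.util.Properties applies when loading a value."""
    table = {"n": "\n", "r": "\r", "t": "\t", "f": "\f"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), value)

def check_pem_delimiters(raw_value):
    """Return (ok, reason) for the value as CertificateFactory will see it after unescaping."""
    pem = unescape_java_properties(raw_value)
    if not pem.startswith(BEGIN):
        return False, "value does not start with " + BEGIN
    if not pem.endswith(END):
        return False, "value does not end with " + END
    body = pem[len(BEGIN):len(pem) - len(END)]
    if not (body.startswith("\n") and body.endswith("\n")):
        return False, "missing \\n after the BEGIN header and/or before the END footer"
    return True, "delimiters look correct"

def fix_pem_delimiters(raw_value):
    """Repair only the defect this TID describes: a bare 'n' where the '\\n' escape belongs.
    A value that already carries the escapes is returned unchanged; nothing else is guessed."""
    fixed = raw_value
    if fixed.startswith(BEGIN + "n") and not fixed.startswith(BEGIN + "\\n"):
        fixed = BEGIN + "\\n" + fixed[len(BEGIN) + 1:]
    if fixed.endswith("n" + END) and not fixed.endswith("\\n" + END):
        fixed = fixed[:-(len(END) + 1)] + "\\n" + END
    return fixed

if __name__ == "__main__":
    for line in (BAD_LINE, GOOD_LINE):
        raw = read_property(line)
        ok, why = check_pem_delimiters(raw)
        print(("OK  " if ok else "BAD ") + why)
        if not ok:
            print("suggested: " + KEY + " = " + fix_pem_delimiters(raw))
```

Point read_property at the contents of the real ism-configuration.properties file and confirm the suggested value against the certificate's actual base64 before writing it back.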

Additional Information

Here is a more complete stack trace (still not fully complete):
Mon Nov 05 11:16:26 2018 [jlogevent]: Error: com.novell.naudit.logevent.LogEventException: Error creating certificate:
Could not parse certificate: java.io.IOException: Incomplete data
        at com.novell.naudit.logevent.LogEvent.doLogOpen(LogEvent.java:287)
        at com.novell.naudit.logevent.LogEvent.logOpen(LogEvent.java:99)
        at com.novell.naudit.LogEvent.LogOpen(LogEvent.java:208)
        at com.netiq.logging.NauditAppenderSkeleton.start(NauditAppenderSkeleton.java:86)
        at com.netiq.idm.rest.admin.LoggingService.activateNauditAppender(LoggingService.java:1113)
        at com.netiq.idm.rest.admin.LoggingService.updateNAuditConfig(LoggingService.java:983)
        at com.netiq.idm.rest.admin.LoggingService.updateAuditConfiguration(LoggingService.java:931)
        at com.netiq.idm.rest.admin.LoggingService.updateAuditConfiguration(LoggingService.java:891)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
...
Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Incomplete data
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:110)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at com.novell.naudit.logevent.LogEvent.doLogOpen(LogEvent.java:265)
        ... 68 more
Caused by: java.io.IOException: Incomplete data
        at sun.security.provider.X509Factory.readOneBlock(X509Factory.java:586)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:96)
        ... 70 more

The references to "java.io.IOException: Incomplete data" hint that the problem is related to incorrect headers or a missing newline (\n) character in the certificate definition.