Error: "java.io.EOFException: Detect premature EOF" importing 3rd party certificate into iManager

  • 7012552
  • 05-Jun-2013
  • 05-Jun-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 Applied
NetIQ Access Manager 3.2 Administration Console
Generating CSR request for 3rd party certificate
When certs returned are in PEM format, no problems exist

Situation

Administrator created a new certificate Signing Request (CSR) using the Admin Console iManager interface. After the Administrator gets the certificate back from the 3rd party CA, along with the corresponding root and intermediate certificates, the import of the cert in iManager fails with the following messages being displayed in the browser and app_sc log file of the Admin Console:

java.security.cert.CertificateException: java.io.EOFException: Detect premature EOF at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:419) at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:427) at com.volera.roma.app.handler.CertHandler.doCertValidation(y:6118) at com.volera.roma.app.handler.CertHandler.doImportSignedCert(y:3565) at com.volera.roma.app.handler.CertHandler.processRequest(y:427) at com.volera.roma.servlet.GenericController.doPost(y:394) at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at
:

and

SEVERE: Servlet.service() for servlet [adminController] in context with path [/roma] threw exception [javax.servlet.ServletException: java.lang.IllegalStateException: Cannot forward after response has been committed] with root cause java.lang.IllegalStateException: Cannot forward after response has been committed at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:339) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:329) at com.volera.roma.servlet.ServletUtils.forward(y:240) at com.volera.roma.app.handler.CertHandler.processRequest(y:718) at com.volera.roma.servlet.GenericController.doPost(y:394) at javax.servlet.http.HttpServlet.service(HttpServlet.java:641) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169) at
:

Importing the same certificate with an OES iManager (incl PKI snapins) works fine - issue only exists with NAM iManager.

Resolution

Modify the /opt/novell/nam/adminconsole/webapps/roma/WEB-INF/web.xml, and add the following before restart AC:

<env-entry>
   <env-entry-name>validateCertChain</env-entry-name>
   <env-entry-value>false</env-entry-value>
   <env-entry-type>java.lang.Boolean</env-entry-type>
</env-entry>

The fix will be included in NAM 3.2.2.

Cause

Certificate validation on root and intermediate certs were failing due to some invalid checks that were being performed.