Environment
Identity Manager 4.7 - Identity Applications
Situation
The Identity Applications have been configured to audit through the Platform Agent, sending events to Sentinel, but no events reach Sentinel. The following error is written to nproduct.log:
Thu Nov 01 18:12:15 2018 [jlogevent]: Using primary Secure Log Server 192.168.1.1.
Thu Nov 01 18:12:15 2018 [jlogevent]: Error: com.novell.naudit.logevent.LogEventException: Error creating certificate:
Could not parse certificate: java.io.IOException: Incomplete data
at com.novell.naudit.logevent.LogEvent.doLogOpen(LogEvent.java:287)
at com.novell.naudit.logevent.LogEvent.logOpen(LogEvent.java:99)
at com.novell.naudit.LogEvent.LogOpen(LogEvent.java:208)
....
Resolution
This error means that the certificate the Identity Applications use to authenticate to the Platform Agent cannot be parsed. The certificate is stored as a PEM block in the ism-configuration.properties file, under the key com.sssw.fw.security.sigcert.naudit.cert. Because that file uses Java properties syntax, each line break inside the PEM block must be written as the two-character escape \n (a backslash followed by n, which the loader turns into a line feed). The error occurs when the \n after -----BEGIN CERTIFICATE----- and/or the \n before -----END CERTIFICATE----- is missing or mangled.
For example:
com.sssw.fw.security.sigcert.naudit.cert = -----BEGIN CERTIFICATE-----nMIICmTCCAYECBgFdFyx...
VzNfSgqro/6Wb5VhoC8n-----END CERTIFICATE-----
is incorrect: the character between -----BEGIN CERTIFICATE----- and the certificate data, and the one between the data and -----END CERTIFICATE-----, is a bare "n" rather than the escape "\n" (the backslash has been lost), so the markers and the base64 data all run together on one line.
Change it to:
com.sssw.fw.security.sigcert.naudit.cert = -----BEGIN CERTIFICATE-----\nMIICmTCCAYECBgFdFyx...
VzNfSgqro/6Wb5VhoC8\n-----END CERTIFICATE-----
Then restart the Tomcat service so the Identity Applications re-read the file.
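The following Python script is an added example, not part of this article or of the product, that checks a stored value for exactly this defect and rebuilds it with the \n escapes in place. The property key and the PEM markers are taken from the article; the properties text and the DER bytes used as the certificate body are constructed placeholders (not a real certificate), and parse_pem() mirrors the line-oriented behaviour of the JDK's X509Factory only as far as needed to reproduce the "Incomplete data" symptom.

```python
"""Validate and repair the naudit certificate entry in ism-configuration.properties.
Added example, not Identity Manager code. KEY and the PEM markers come from the
article; SAMPLE_PROPERTIES and the DER bytes behind SAMPLE_BODY are constructed."""
import base64
import binascii

KEY = "com.sssw.fw.security.sigcert.naudit.cert"
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for the base64 certificate body: a 13-byte DER SEQUENCE
# holding INTEGER 5 and OCTET STRING "placeh". Real certificates are also one
# outer SEQUENCE, which is all der_is_complete() checks.
SAMPLE_BODY = base64.b64encode(b"\x30\x0b\x02\x01\x05\x04\x06placeh").decode()

# Constructed properties text reproducing the defect from the article: the
# backslashes of both \n escapes are lost, leaving a bare 'n' glued to the body.
SAMPLE_PROPERTIES = f"{KEY} = {BEGIN}n{SAMPLE_BODY}n{END}\n"


def read_property(text, key=KEY):
    """Return the raw, still-escaped value of `key` (single-line key = value form)."""
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def unescape(value):
    """Apply the .properties escapes that matter here: \\n becomes a line feed."""
    return value.replace("\\r", "").replace("\\n", "\n")


def parse_pem(text):
    """Line-oriented PEM reader modelled on the JDK's X509Factory.readOneBlock:
    the header runs to the first line break, and reaching end of input before
    that break, or before an END line, is reported as 'Incomplete data'."""
    header, sep, rest = text.partition("\n")
    if not sep:
        raise ValueError("Incomplete data")      # header line never terminated
    if not header.strip().startswith("-----BEGIN"):
        raise ValueError("bad PEM header")
    body = []
    for line in rest.splitlines():
        if line.strip().startswith("-----END"):
            return base64.b64decode("".join(body), validate=True)
        body.append(line.strip())
    raise ValueError("Incomplete data")          # END line never reached


def der_is_complete(der):
    """True if `der` is exactly one DER SEQUENCE whose declared length matches
    the bytes present, i.e. the outer shape of every X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def check(value):
    """'ok' if the stored value parses the way the product reads it, else why not."""
    try:
        der = parse_pem(unescape(value))
    except binascii.Error as e:            # subclass of ValueError, so test it first
        return f"base64 failed: {e}"
    except ValueError as e:
        return f"parse failed: {e}"
    return "ok" if der_is_complete(der) else "body is not a complete DER SEQUENCE"


def repair(value):
    """Rebuild the value as BEGIN\\n<body>\\nEND. A stray 'n' at either edge of
    the body (a lost backslash) is dropped only if the remaining body decodes
    to a complete DER SEQUENCE; otherwise the certificate itself is damaged."""
    if not (value.startswith(BEGIN) and value.endswith(END)):
        raise ValueError("value is not wrapped in the PEM markers")
    raw = value[len(BEGIN):-len(END)].replace("\\r", "").replace("\\n", "").strip()
    heads = [raw] + ([raw[1:]] if raw.startswith("n") else [])
    for head in heads:
        for body in [head] + ([head[:-1]] if head.endswith("n") else []):
            try:
                der = base64.b64decode(body, validate=True)
            except binascii.Error:
                continue
            if der_is_complete(der):
                return f"{BEGIN}\\n{body}\\n{END}"
    raise ValueError("no escape repair yields a parsable certificate")


if __name__ == "__main__":
    broken = read_property(SAMPLE_PROPERTIES)
    print("before:", check(broken))    # parse failed: Incomplete data
    fixed = repair(broken)
    print("after: ", check(fixed))     # ok
    print(f"{KEY} = {fixed}")
```

Run against the real file, read_property() should be pointed at ism-configuration.properties and the output line pasted back in place of the existing key; after the Tomcat restart the nproduct.log lines above should no longer appear. Because repair() only ever removes an 'n' that sits directly against a marker, and only when the remainder decodes to a complete DER SEQUENCE, it cannot silently "fix" a value whose base64 data is itself truncated; that case is reported as an error and the certificate must be re-exported.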
Additional Information
Here is a more complete stack trace (still not fully complete):
Mon Nov 05 11:16:26 2018 [jlogevent]: Error: com.novell.naudit.logevent.LogEventException: Error creating certificate:
Could not parse certificate: java.io.IOException: Incomplete data
at com.novell.naudit.logevent.LogEvent.doLogOpen(LogEvent.java:287)
at com.novell.naudit.logevent.LogEvent.logOpen(LogEvent.java:99)
at com.novell.naudit.LogEvent.LogOpen(LogEvent.java:208)
at com.netiq.logging.NauditAppenderSkeleton.start(NauditAppenderSkeleton.java:86)
at com.netiq.idm.rest.admin.LoggingService.activateNauditAppender(LoggingService.java:1113)
at com.netiq.idm.rest.admin.LoggingService.updateNAuditConfig(LoggingService.java:983)
at com.netiq.idm.rest.admin.LoggingService.updateAuditConfiguration(LoggingService.java:931)
at com.netiq.idm.rest.admin.LoggingService.updateAuditConfiguration(LoggingService.java:891)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
...
Caused by: java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Incomplete data
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:110)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
at com.novell.naudit.logevent.LogEvent.doLogOpen(LogEvent.java:265)
... 68 more
Caused by: java.io.IOException: Incomplete data
at sun.security.provider.X509Factory.readOneBlock(X509Factory.java:586)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:96)
... 70 more
The nested "java.io.IOException: Incomplete data" is the hint: the PEM reader reached the end of the certificate value before it found the line break that should terminate the -----BEGIN CERTIFICATE----- header, or before it found the -----END CERTIFICATE----- line. In this configuration file that points to an incorrect header/footer or a missing \n line-break escape in the certificate value, rather than to a damaged certificate.