Error opening key container NetIQ Security Manager: The handle is invalid. (NETIQKB72422)

  • 7772422
  • 25-Jun-2010
  • 30-Mar-2012

Environment

Security Manager 6.5

Situation

The Security Manager Install log indicates an error trying to open the key container.

When running the aspnet_regiis utility, an error is reported: Failed to open certificate key, check the ACL on the RSA folder.

The Security Manager Install log will report an error: ERROR Communication.InstallCertificate: Failed to install the certificate: SelfSignedCertificate::Create: failed to create the self-signed certificate: 'Error opening key container 'NetIQ Security Manager': The handle is invalid.

Resolution

For the certificate to be updated, the Local Administrators group on the Central Computer (CC) must have Full Control permissions on the following Windows 2003 folders:

..\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA

..\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machine Keys

For the certificate to be updated, the Local Administrators group on the Central Computer (CC) must have Full Control permissions on the following Windows 2008 folders:

..\Progdata\ All Users\Application Data\Microsoft\Crypto\RSA

..\Progdata\ All Users\Application Data\Microsoft\Crypto\RSA\Machine Keys

It might also be necessary to use a Windows account that is a member of the local Administrators group on the local machine to take ownership of the folders before modifying the permissions.

After changing the permissions, rerun the following command from the Command Prompt (CMD):

<Path to .NET Framework install on local drive of the CC>\aspnet_regiis -pa "NetIQ Security Manager" "<Domain>\<Security Manager Service Account>"
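
The permission check described above, as an added PowerShell example (not NetIQ's own tooling): it reports the owner of each key-store folder and whether the local Administrators group holds Full Control on it, without changing anything. It assumes the folders resolve under the machine's CommonApplicationData root and that the second folder is named MachineKeys on disk.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Assumptions: the key store sits under the CommonApplicationData root and the
# second folder is named "MachineKeys" on disk; adjust $folders if yours differ.
$adminSid    = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$sidType     = [System.Security.Principal.SecurityIdentifier]
$full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$rsa         = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA'
$folders     = @($rsa, (Join-Path $rsa 'MachineKeys'))

function Test-AdminFullControl {
    param([string]$Path)
    $result = New-Object PSObject -Property @{
        Path = $Path; Owner = $null; AllowFull = $false; DenyPresent = $false; Note = ''
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Typical when the caller cannot read the ACL: ownership must be taken first.
        $result.Note = "Cannot read ACL: $($_.Exception.Message)"
        return $result
    }
    $result.Owner = $acl.GetOwner($sidType).Value
    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # check does not depend on the localized group name.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $adminSid) { continue }
        # Inherit-only ACEs apply to children, not to this folder itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') {
            $result.DenyPresent = $true
        } elseif (([int]$ace.FileSystemRights -band $full) -eq $full) {
            $result.AllowFull = $true
        }
    }
    if (-not $result.AllowFull)  { $result.Note = 'Administrators lack Full Control' }
    elseif ($result.DenyPresent) { $result.Note = 'Deny ACE for Administrators present' }
    elseif ($result.Owner -ne $adminSid) { $result.Note = 'OK (owner is not Administrators)' }
    else { $result.Note = 'OK' }
    return $result
}

$folders | ForEach-Object { Test-AdminFullControl -Path $_ } |
    Format-Table Path, Owner, AllowFull, DenyPresent, Note -AutoSize
```

Run it from an elevated PowerShell prompt on the CC before and after changing the permissions; once both folders report OK, rerun the aspnet_regiis command.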

 

Cause

During the install process, the Windows installer for Security Manager attempts to install a self-signed certificate in the local machine certificate store on the Central Computer. This error can occur during an uninstall and subsequent reinstall of the NetIQ Security Manager Central Computer software.

Additional Information

Formerly known as NETIQKB72422

The SM installer also requires that the installing user and the service account are both members of the Local Administrators group on the CC.

For more information on certificates and their storage location, see the following MS article:

http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx

For more information regarding the aspnet_regiis utility and certificates, see NetIQ NETIQKB42271.