NoSuchAlgorithmException when using migration tool


I am trying to use the migration tool utility from within PingFederate but I keep getting the following error:

List adapters...
Downloading adapter index from source...
ERROR: Unable to download from source. java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
Done.

From the configcopy.log:

Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation
Caused by: java.io.IOException: Invalid keystore format

Windows 7 Professional SP1

java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)

PingFederate: 8.4.2

I am attempting this because we want to automate a deployment process which has currently been manual. I am only trying to use the listadapters.conf template and have set the source.conf to output to a file. The command I am entering is:

configcopy.bat -Dconfigcopy.conf.file=configcopy_templates\\source.conf;configcopy_templates\\listadapters.conf

and I am running this from the <PF_HOME>/bin directory. The contents of the two files I mentioned are:

source.conf

source.connection.management.service.url = <my local install url on port 9999>/pf-mgmt-ws/ws/ConnectionMigrationMgr

source.connection.management.service.user = Administrator

source.connection.management.service.password = OBF:JWE:eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoibGJhaGtDZlNiSiIsInZlcnNpb24iOiI4LjQuMi4wIn0..ryNLCcpzwEx6KGzXi1FboA.34NbypXUud45R77TLwMvjg.dQFNb9NpbDY_EWIePb9hMA

configcopy.connection.trust.keystore = C:\Program Files\Ping Identity\pingfederate-8.4.2\pingfederate\server\default\data\pf.jwk

output.file = c:\temp\pf-config.txt

The Administrator is the default one from install with all three roles added to it and the password was obfuscated using obfuscate.bat in the bin directory.

listadapters.conf

cmd=listadapters

debug=true

select.adapter.role = idp

Even though it doesn't look like it above, all backslashes are escaped; that just hasn't come through here.

I have tried:

  • removing the path to the keystore altogether

ERROR: Unable to download from source. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Done.

  • Setting the path to cacerts in jre/lib (same error as above)

I have installed the data.zip from the DotNet-Integration-Kit-2-5-2.zip and that is the only set up on this PC. (my dev box)

The integration kit puts two certificates (maybe the same one twice, not sure) that can be viewed through

  • Server Configuration > Trusted CAs
  • Server Configuration > SSL Server Certificates

And I have also added one into

  • Server Configuration > SSL Client Keys & Certificates

The kit's certs show as RSA1024 and the one I created shows as RSA2048.

Questions:

  • Why does the error state algorithm:default (key store format?)
  • Is there a setting I am missing that would change it from default?
  • Does anyone know of any docs other than the admin manual (almost know it by heart now)?
  • Why is pf.jwk the wrong format?

Any other ideas at all please.

[update] Damn, I have been trying to use the migration utility but as I am on a version over 7.2 I should be using the administrative API. Back to the drawing board. Still looking for advice though!


Solution

  • The pf.jwk file is an encrypted Java web key. The truststore is a standard jks file that you add PingFed's SSL key to, or its signing CA's public key.

    However, as you have found, you should use the admin API. Configcopy is no longer being developed.
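
A quick way to check what a candidate trust store file actually is before pointing configcopy.connection.trust.keystore at it. This is an added example, not part of the original answer or of PingFederate: it reads the file header the way the JDK's JKS loader does (big-endian magic 0xFEEDFEED, then version 1 or 2), which is the check behind "Invalid keystore format". The function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # header the JDK's JKS loader expects
JCEKS_MAGIC = 0xCECECECE  # header of the JCEKS variant

# Constructed samples: a bare JKS header (magic, version 2, zero entries) and a
# stand-in for a JSON Web Key file. The real pf.jwk contents are not on the page.
SAMPLE_JKS_HEADER = struct.pack(">III", JKS_MAGIC, 2, 0)
SAMPLE_JWK_TEXT = b'{"keys": [{"kty": "oct", "kid": "example"}]}'


def classify_keystore(data: bytes) -> str:
    """Return 'jks', 'jceks', 'json', 'pkcs12-or-der' or 'unknown'."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "jks"
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "jceks"
    if data.lstrip()[:1] == b"{":
        return "json"            # JSON text such as a JWK, not a keystore
    if data[:1] == b"\x30":
        return "pkcs12-or-der"   # ASN.1 SEQUENCE: PKCS#12 or a DER certificate
    return "unknown"


def usable_as_jks_truststore(data: bytes) -> bool:
    """True only when the header matches what a JKS load will accept."""
    return classify_keystore(data) == "jks"


def classify_file(path: str) -> str:
    # Only the first bytes matter for the format check.
    with open(path, "rb") as fh:
        return classify_keystore(fh.read(64))


if __name__ == "__main__":
    # Usage: python check_keystore.py <file> [<file> ...]
    for path in sys.argv[1:]:
        print(f"{path}: {classify_file(path)}")
    if len(sys.argv) == 1:
        print("sample JKS header:", classify_keystore(SAMPLE_JKS_HEADER))
        print("sample JWK text:  ", classify_keystore(SAMPLE_JWK_TEXT))
```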