NetWorker: PBE Parameter Parsing Error: Expecting the Object Identifier for AES Cipher
Summary: NetWorker authentication service self-signed certificate was replaced with CA signed certificates. The NetWorker server service fails to start, reporting "PBE parameter parsing error: expecting the object identifier for the AES cipher" ...
Symptoms
- NetWorker authentication service self-signed certificate was replaced with CA signed certificates.
- The NetWorker server services fail to start after replacing the certificates. The server daemon log reports the following error during service startup:
- Linux: /nsr/logs/daemon.raw
- Windows (Default): C:\Program Files\EMC NetWorker\nsr\logs\daemon.raw
- NetWorker: How to use nsr_render_log to render .raw log files
- Linux:
notice authservice: Caused by: java.io.IOException: PBE parameter parsing error: expecting the object identifier for AES cipher
Cause
The process used to replace self-signed certificates with CA-signed certificates requires using Java keytool and OpenSSL to generate the Certificate Signing Request (CSR) and to create PKCS12 (.p12) files.
This issue arises due to incompatibility between encryption algorithms used in PKCS12 files and the Java keytool's ability to parse them, especially when different versions of OpenSSL and Java are involved.
Newer OpenSSL versions may default to AES encryption (example, AES-256-CBC) when creating .p12 files, securing private keys and certificates. This is more secure than older algorithms like 3DES.
Older versions of Java (8u291 and earlier) do not support AES (PBES2) encryption in PKCS12 files. They expect the key and certificate bags to be protected with the original PKCS12 PBE schemes:
- PBEWithSHAAnd3KeyTripleDES
- PBEWithSHAAndRC2_40
So when the Java keytool tries to import a .p12 file encrypted with AES, it fails to parse the Password-Based Encryption (PBE) parameters, because it does not recognize the Object Identifier (OID) for the AES cipher.
This issue can also be observed when more than one Java installation is present on the server. For example, NetWorker is configured to use the NetWorker Runtime Environment (NRE) and NRE has been updated to the latest version supported by the NetWorker release, but an older Java Runtime Environment (JRE) is also installed. If the keytool command, typed without a full path, resolves to the older JRE's keytool, the resulting .p12 files and the certificate stores used by NetWorker are incompatible.
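The mismatch described above can be detected before keytool is ever run, by reading the algorithm OIDs out of the .p12 itself. The following script is an added example written for this page (it is not part of the original article, Dell NetWorker, OpenSSL or Java); it walks the DER encoding of a PKCS12 file with a small hand-written ASN.1 reader, collects every OBJECT IDENTIFIER, and reports whether the bags use the legacy PKCS12 PBE schemes (SHA-1 with 3DES or RC2-40) or PBES2 with AES, which is what an OpenSSL 3 `openssl pkcs12 -export` produces by default. The AlgorithmIdentifier structures it builds when run without an argument are constructed samples (dummy salt and IV, no key material); the OIDs and the nesting of a data ContentInfo around an OCTET STRING are the standard PKCS#12 and PKCS#5 ones. Run it as `python check_p12_pbe.py file.p12` to inspect a real file.

```python
"""Report which password-based-encryption (PBE) algorithm OIDs a PKCS#12 file uses.

OpenSSL 3 wraps PKCS#12 key/cert bags in PBES2 + AES-256-CBC by default, while an
older Java keytool only knows the PKCS#12 PBE OIDs (SHA-1 with 3DES or RC2-40) and
fails with "PBE parameter parsing error: expecting the object identifier for AES
cipher".  Usage: python check_p12_pbe.py file.p12  (no argument: built-in sample).
"""
import sys

LEGACY_PBE = {  # PKCS#12 PBE schemes an old keytool can parse
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
PBES2 = "1.2.840.113549.1.5.13"  # PKCS#5 PBES2 wrapper (PBKDF2 + cipher)
AES_CBC = {  # ciphers an old keytool rejects inside a .p12
    "2.16.840.1.101.3.4.1.2": "AES-128-CBC",
    "2.16.840.1.101.3.4.1.22": "AES-192-CBC",
    "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
}


# --- minimal DER helpers (no third-party ASN.1 library needed) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):  # OID content octets -> dotted string
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos):
    """Return (tag, body_start, body_end) for the TLV at pos, or None if not valid DER."""
    if pos + 2 > len(data):
        return None
    tag, first = data[pos], data[pos + 1]
    if first & 0x80:  # long-form length; n == 0 would be BER indefinite, not DER
        n = first & 0x7F
        if n == 0 or pos + 2 + n > len(data):
            return None
        length, start = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = first, pos + 2
    return (tag, start, start + length) if start + length <= len(data) else None


def looks_like_der_seq(body):
    t = read_tlv(body, 0)
    return t is not None and t[0] == 0x30 and t[2] == len(body)


def collect_oids(data, found=None):
    """Depth-first walk collecting every OBJECT IDENTIFIER.  Constructed tags
    (SEQUENCE, SET, [0] ...) are descended; an OCTET STRING is descended only when
    it is itself one complete DER SEQUENCE, which is how PKCS#12 nests the
    AuthenticatedSafe and SafeContents.  Ciphertext octet strings are left alone."""
    found = [] if found is None else found
    pos = 0
    while (t := read_tlv(data, pos)) is not None:
        tag, start, end = t
        body = data[start:end]
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20 or (tag == 0x04 and looks_like_der_seq(body)):
            collect_oids(body, found)
        pos = end
    return found


def classify_p12(data):
    oids = collect_oids(data)
    legacy = sorted({LEGACY_PBE[o] for o in oids if o in LEGACY_PBE})
    aes = sorted({AES_CBC[o] for o in oids if o in AES_CBC})
    if PBES2 in oids or aes:
        verdict = "pbes2-aes"   # old keytool fails here; use the NRE keytool or re-export
    elif legacy:
        verdict = "legacy-pbe"  # any keytool can import this
    else:
        verdict = "unknown"
    return {"verdict": verdict, "legacy": legacy, "aes": aes}


# --- constructed sample AlgorithmIdentifiers (dummy salt/IV, not real key material) ---
SALT, ITER = bytes(range(8)), tlv(0x02, (2048).to_bytes(2, "big"))


def legacy_alg_id():  # pbeWithSHAAnd3-KeyTripleDES-CBC { salt, iterations }
    return tlv(0x30, der_oid("1.2.840.113549.1.12.1.3") + tlv(0x30, tlv(0x04, SALT) + ITER))


def pbes2_aes_alg_id():  # PBES2 { PBKDF2(salt, iter, hmacWithSHA256), AES-256-CBC(iv) }
    prf = tlv(0x30, der_oid("1.2.840.113549.2.9") + b"\x05\x00")
    kdf = tlv(0x30, der_oid("1.2.840.113549.1.5.12") + tlv(0x30, tlv(0x04, SALT) + ITER + prf))
    enc = tlv(0x30, der_oid("2.16.840.1.101.3.4.1.42") + tlv(0x04, bytes(16)))
    return tlv(0x30, der_oid(PBES2) + tlv(0x30, kdf + enc))


def wrap_like_pfx(alg_id):  # SEQUENCE { [0] EXPLICIT OCTET STRING { SEQUENCE { alg_id } } }
    return tlv(0x30, tlv(0xA0, tlv(0x04, tlv(0x30, alg_id))))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else wrap_like_pfx(pbes2_aes_alg_id())
    print(classify_p12(data))
```

A verdict of `pbes2-aes` means an older keytool will raise exactly the error in the Symptoms section; run the import with the NRE keytool as described under Resolution, or, with OpenSSL 3, re-export the file using `openssl pkcs12 -export -legacy ...` (which selects the old PKCS12 PBE schemes) so that any keytool can read it.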
Resolution
- It is highly recommended that NetWorker is configured to use the NetWorker Runtime Environment (NRE). Ensure that NetWorker is configured to use NRE and that NRE is routinely updated to the latest version supported by the NetWorker release:
  - NetWorker 19.12 and prior: NRE 8.0.x
  - NetWorker 19.13 and later: NRE 17.0.x
- NetWorker Runtime Environment (NRE): Introduction and Installation
NOTE: The NetWorker Virtual Edition (NVE) OsRollup and NetWorker upgrades are used to upgrade the NRE package. NVE is configured to use NRE by default.
- When following the procedure to replace NetWorker self-signed certificates, either specify the full path to the NRE keytool, or use a variable to set the path in the command shell.
Linux: java_bin=/opt/nre/java/latest/bin
Windows: set java_bin="C:\Program Files\NRE\java\jre#.#.#_###\bin"
NOTE: The path on Windows differs depending on the install location chosen by the backup administrator. The path also includes different JRE versioning depending on the NRE version installed.
All subsequent keytool commands are then run by calling the variable:
Linux: $java_bin/keytool OPTIONS
Windows: %java_bin%\keytool OPTIONS
Confirm that the variable points at the NRE runtime before generating or importing any keystore (for example, $java_bin/java -version on Linux should report the NRE Java version, not the older JRE).
The complete process is documented in the following OS-specific articles: