After installing MFT Platform Server for UNIX 8.1.2 HF-001 an Invalid Directory error may occur when running transfers in FIPS mode

Article ID: KB0137158
Products Versions
TIBCO Managed File Transfer Platform Server for UNIX 8.1.2

Description

Platform Server for UNIX 8.1.2 HF-001 includes the following fix:
 
PSU-1099
OpenSSL and OpenSSL FIPS are upgraded to version 3.
Note: For instructions on how to activate FIPS mode, see FipsActivationInstructions.txt.
 
After this fix is applied, the following message may be written when transfers run in FIPS mode with OpenSSL version 3.0.5:
00000001:error:05800071:x509 certificate routines:(unknown function):invalid directory:crypto/x509/by_dir.c:175
 
This message is raised by OpenSSL's directory-based certificate lookup (crypto/x509/by_dir.c) and is caused by a mismatch between the directory configured in the OpenSSL configuration file ($CFROOT/config/openssl.fips.cnf) and the folders where the TLS certificates are actually kept.
 
Note that although the message is labelled an error, it is effectively a warning: the transfer completes successfully. Here is an example of how the warning looks on Sun SPARC:
 
cfsend ip:127.0.0.1 tport:58585 tls:t lf:/tmp/testabc.local rf:/tmp/testabc.remote
LocalTransactionNumber is IC05400064
MFT Platform Server: Transfer Mode Set To Send
00000001:error:05800071:x509 certificate routines:(unknown function):invalid directory:crypto/x509/by_dir.c:175:
RemoteTransactionNumber is RC05400065
File Transfer Complete
Transmitted 262400 bytes in 0 seconds
 

Issue/Introduction

After installing MFT Platform Server for UNIX 8.1.2 HF-001 an Invalid Directory error may occur when running transfers in FIPS mode.

Environment

All supported environments

Resolution

The actual folder structure on your machine is expected to match the [ CA_default ] section of the $CFROOT/config/openssl.fips.cnf file.
Below is an example of the [ CA_default ] section, with the changed lines shown (the default relative path, dir = ./demoCA, is commented out and replaced with the absolute path /demoCA), and of the matching config.txt entries and folder structure that eliminate this warning message. An absolute path is used because a relative dir is resolved against the working directory of the process that loads OpenSSL, not against $CFROOT. Note that demoCA is just an example name; the folder can be named anything as long as the name on disk matches the configuration.
 
1) vi $CFROOT/config/openssl.fips.cnf
[ CA_default ]
#dir            = ./demoCA              # Where everything is kept
dir             = /demoCA               # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
#database       = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key

2) $CFROOT/config.txt
# SSL Communication Additional Parameters. 
PrivateKeyFileName:       /demoCA/private/cakey.pem
PrivateKeyPwdFileName:    /demoCA/private/privatekey.pwd
TrustedAuthorityFileName: /demoCA/cacert.pem
CertificateFileName:      /demoCA/certs/cert.pem
 
3) The actual folders on disk, with the certificates in them, must match the paths configured above.
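As an added example, not part of this article or of the TIBCO product, the following POSIX shell script performs the check behind the three steps above: it reads the [ CA_default ] section of an OpenSSL configuration file, resolves the $dir references, and reports which of the configured directories and files are missing on disk, so the mismatch that produces the "invalid directory" message can be found before a transfer is run. The config path and key names come from the article; the script and its function names (ca_default_value, expand_dir, check_ca_dirs) are ours. It assumes one key = value pair per line and paths without spaces, and it also warns when dir is relative, since that path is resolved against the working directory of the process rather than $CFROOT.

```shell
#!/bin/sh
# Added example (not TIBCO code): verify that the [ CA_default ] section of an
# OpenSSL config points at directories and files that actually exist on disk.
# Assumes one "key = value" per line and paths without spaces.

# Print the value of key $2 from the [ CA_default ] section of config file $1.
# Trailing "# comment" text is stripped first, so commented-out lines such as
# "#dir = ./demoCA" are ignored and "cakey.pem# The private key" yields
# "cakey.pem".
ca_default_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[[ \t]*CA_default[ \t]*\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Replace a leading "$dir" in value $1 with the resolved directory $2.
expand_dir() {
    case "$1" in
        '$dir'*) printf '%s%s\n' "$2" "${1#\$dir}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Check every directory and file referenced by [ CA_default ] in config $1.
# Prints one line per entry and returns the number of missing entries
# (0 = everything matches), or 64 if the section has no dir= line.
check_ca_dirs() {
    cnf=$1
    dir=$(ca_default_value "$cnf" dir)
    if [ -z "$dir" ]; then
        echo "error: no dir= line in [ CA_default ] of $cnf" >&2
        return 64
    fi
    case "$dir" in
        /*) ;;
        *)  echo "warning: dir=$dir is relative; OpenSSL resolves it against the process working directory, not \$CFROOT" >&2 ;;
    esac
    missing=0
    # Directories: dir itself plus the three subfolders the article's section defines.
    for key in dir certs crl_dir new_certs_dir; do
        raw=$(ca_default_value "$cnf" "$key")
        [ -n "$raw" ] || continue
        path=$(expand_dir "$raw" "$dir")
        if [ -d "$path" ]; then
            echo "ok       $key = $path"
        else
            echo "MISSING  $key = $path (directory)"
            missing=$((missing + 1))
        fi
    done
    # Files: the CA certificate and private key that config.txt also points at.
    for key in certificate private_key; do
        raw=$(ca_default_value "$cnf" "$key")
        [ -n "$raw" ] || continue
        path=$(expand_dir "$raw" "$dir")
        if [ -f "$path" ]; then
            echo "ok       $key = $path"
        else
            echo "MISSING  $key = $path (file)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage (after sourcing this file):
#   check_ca_dirs "$CFROOT/config/openssl.fips.cnf"
```

Run it on the installed openssl.fips.cnf; every entry must print ok for the warning to disappear. Deliberately missing entries in the constructed test configuration below are counted rather than treated as fatal, so one run shows everything that still has to be created.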