KB Article #181553
Secure Client: Resolve certificate keystore issues on Linux
Introduction
In a Linux deployment of Secure Client (SC), gnome-keyring and secret-tool are used to manage the certificate keystore. This article aims to help in cases where there are issues with the initialization of the certificate keystore and/or with the import and usage of certificates. The OS command examples in this article are taken from RHEL. Commands for other Linux distros (SUSE) may differ.
Example errors may include:
- Cannot load certificate from the selected file
- Cannot load Secure Client completely
- Secure Client starts with keystore or certificate errors in the log
Check the prerequisite packages
Ensure that glib2, gnome-keyring and secret-tool (libsecret) are installed and updated to the latest possible version. This can be done with yum:
yum list installed | grep gnome-keyring
yum list installed | grep glib2
yum list installed | grep libsecret
For SUSE12 the equivalent of glib2 is libglib-2_0-0.
Clear the current keyring files
Check ~/.local/share/keyrings under the non-root user who will run Secure Client. If the directory is not present, create it:
mkdir -p ~/.local/share/keyrings
If present, delete the login.keyring and user.keystore files, so that new ones can be created.
If this is a new Secure Client installation that is not in production, or the configuration has been documented and backed up, remove everything from the ~/.axway/SecureClient/data folder except the sclient.li file.
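A read-only preflight for the keyring directory described in this section, as an added example that is not part of the original article or vendor code. The function name keyring_preflight and the expectation that the directory is accessible to its owner only are assumptions of this example; the path and file names are the ones named above.

```shell
#!/bin/sh
# Added example: reports on the keyring directory, never deletes anything.
# Usage: keyring_preflight            (checks ~/.local/share/keyrings)
#        keyring_preflight /some/dir  (checks another directory)
# Returns 0 = clean, 1 = findings reported, 2 = directory missing.

keyring_preflight() {
    dir=${1:-"$HOME/.local/share/keyrings"}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 2
    fi

    # The directory must belong to the non-root user who runs Secure Client.
    if [ ! -O "$dir" ]; then
        echo "OWNER    $dir is not owned by $(id -un)"
        findings=1
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    # Assumption of this example: a keyring directory should be owner-only.
    perms=$(ls -ld "$dir" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "MODE     $dir is accessible to group/other ($perms)"
        findings=1
    fi

    # Files the article says to delete so that new ones can be created.
    for f in login.keyring user.keystore; do
        if [ -e "$dir/$f" ]; then
            echo "STALE    $dir/$f"
            findings=1
        fi
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK       $dir"
    fi
    return "$findings"
}
```

Run it as the non-root user who will start Secure Client, before restarting gnome-keyring-daemon.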
Verify that secret-tool is running properly
Use this command to create a test password entry in the secret-tool:
secret-tool store --label='My password' key1 value1 key2 value2
The GUI utility seahorse, which shows the available keyrings, can be used to open the keyring and verify the existence of the new keyring and password.
seahorse
If seahorse shows multiple keyrings, assuming only Secure Client is running on this OS, remove the unwanted keyrings, including the test keyring created in the previous step.
Verify keystore is running properly
First check whether gnome-keyring-daemon is running. If it is, kill / terminate the process.
pgrep -f gnome-keyring-daemon
Go to the directory ~/.local/share/keyrings and run the commands below, where the user_password field should be the password of the non-root user:
service dbus start
eval "$(printf 'user_password' | gnome-keyring-daemon --unlock)"
eval "$(printf 'user_password' | /usr/bin/gnome-keyring-daemon --start)"
Start Secure Client
Start Secure Client and check whether it is working as expected:
- Check the scheduler log for any errors
- Navigate to the Security → Certificate page. Verify a certificate can be imported
- Test a connection to a site which requires a certificate for login
Secure Client keyring not being generated on start
If the keyring does not get generated automatically, it can be generated manually using these commands, before SC is launched:
export $(dbus-launch)
export $(gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
Then from SC's install directory, create the default keyring:
./jre/bin/java -cp ./lib/core.jar com.axway.sclient.securestorage.CredentialManagerDemo set -service sc
./jre/bin/java -cp ./lib/core.jar com.axway.sclient.securestorage.CredentialManagerDemo select-default -name sc
Launch Secure Client and verify if the certificate can be imported and used.