Re: Infinity Cloud Rest API Container loop

JensBauernfeind · ‎2026-04-07

Hi,

Checkpoint R82 JHF Take 60

I had a little load on my management system and noticed one "node" process which seems to restart every second.
After a little research, I found out that this is coming from the "icra" podman container:
[Expert@name:0]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
...
6f7f6fed7a8d docker.io/library/infinity-cloud-rest-api:latest node server/serve... 2 hours ago Up Less than a second ago icra
...

podman logs icra:
8<---

Node.js v22.15.1
node:internal/tls/secure-context:290
context.loadPKCS12(toBuf(pfx), toBuf(passphrase));
^

Error: ee key too small
at configSecureContext (node:internal/tls/secure-context:290:15)
at Object.createSecureContext (node:_tls_common:113:3)
at Server.setSecureContext (node:_tls_wrap:1490:27)
at Server (node:_tls_wrap:1354:8)
at new Server (node:https:80:3)
at Object.createServer (node:https:135:10)
at 6997 (/usr/src/app/server/server.js:1:85855)
at e (/usr/src/app/server/server.js:1:96194)
at /usr/src/app/server/server.js:1:96234
at Object.<anonymous> (/usr/src/app/server/server.js:1:96242)

Node.js v22.15.1
node:internal/tls/secure-context:290
context.loadPKCS12(toBuf(pfx), toBuf(passphrase));
8<---

Looking further, the p12 file the service is using has a Key Size of only 1024.
I assume that the Node.js version does not accept such a small Key Size.

Although I am not using any infinity Services, how can I fix this behaviour (recreating a stronger certificate/p12 file which the node.js process is using?)
For now, I issued "podman stop icra", but this does not survive a reboot.

Best

Jens

PhoneBoy · ‎2026-04-08

I assume once a real connection to Infinity Portal occurs, this certificate will get replaced with a stronger one.
This SK suggests it may actually be related to Infinity Identity (though it does connect via Infinity Portal): https://support.checkpoint.com/results/sk/sk183186

CaseyB · ‎2026-04-08

I have an open TAC case on this issue now, I'll let you know when I have a permanent solution. We have also just stopped the docker image for the time being.

Did your CPU spike as crazy as mine from this?

JensBauernfeind · ‎2026-04-10

I had similar spikes as you. The last change was the installation of Check_Point_R82_JHF_T60_TIME_FIX_655_MAIN_Bundle_T2_FULL.tgz on 2nd of march. But the cpu usage went up on the 8th of march. Thanks for keeping me informed.

CaseyB · ‎2026-04-21

I received a hotfix today; however, it did not resolve the issue, waiting on next steps.

Bob_Zimmerman · ‎2026-04-08

I checked my managements (none of which talk to Infinity Cloud) and the instance is running on all of them (mostly R82 jumbo 60, one R82.10 jumbo 6).

Concurring, based on the message, the problem is likely the 1024-bit key. Which file is it?

JensBauernfeind · ‎2026-04-10

The file is /opt/CPInfinityCra/certificates/sic_local_cert.p12 on the mgmt's file system. You can find the password via "podman inspect icra" and looking for the value of the variable ICRA_SIC_LOCAL_CERTIFICATE_PASSCODE

Bob_Zimmerman · ‎2026-04-10

Confirmed, mine is 2048 bit RSA with a 1.2.840.113549.1.1.11 signature.

CaseyB

Still working with TAC on this, I've had a couple hotfixes, but no resolution yet.

FredE

Hi Mates,

The Infinity Cloud REST API Adapter Update 3 Take 42 solved the issue.
Refer to https://support.checkpoint.com/results/sk/sk183186

I can confirm that for all of our management servers.
I have used the following command to verify if the ICRA Adapter Update 3 Take 42 is installed.
cpinfo -y all | grep -iE 'icra|infinity'
Refer to the attached image.

There is also a similiar CheckMates thread:
https://community.checkpoint.com/t5/Firewall-and-Security-Management/root-filesystem-disk-space-and-...

Greets
Fred

CaseyB

I tested that hotfix in our environment back on 5/20 and unfortunately it did not resolve the issue for us, so it is only partially fixed.

Are you a member of CheckMates?

Infinity Cloud Rest API Container loop