This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JensBauernfeind
Explorer
Tuesday

Infinity Cloud Rest API Container loop

Hi,

Checkpoint R82 JHF Take 60

I had a little load on my management system and noticed one "node" process which seems to restart every second.
After a little research, I found out that this is coming from the "icra" podman container:
[Expert@name:0]# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
...
6f7f6fed7a8d docker.io/library/infinity-cloud-rest-api:latest node server/serve... 2 hours ago Up Less than a second ago icra
...

podman logs icra:
8<---

Node.js v22.15.1
node:internal/tls/secure-context:290
context.loadPKCS12(toBuf(pfx), toBuf(passphrase));
^

Error: ee key too small
at configSecureContext (node:internal/tls/secure-context:290:15)
at Object.createSecureContext (node:_tls_common:113:3)
at Server.setSecureContext (node:_tls_wrap:1490:27)
at Server (node:_tls_wrap:1354:8)
at new Server (node:https:80:3)
at Object.createServer (node:https:135:10)
at 6997 (/usr/src/app/server/server.js:1:85855)
at e (/usr/src/app/server/server.js:1:96194)
at /usr/src/app/server/server.js:1:96234
at Object.<anonymous> (/usr/src/app/server/server.js:1:96242)

Node.js v22.15.1
node:internal/tls/secure-context:290
context.loadPKCS12(toBuf(pfx), toBuf(passphrase));
8<---

Looking further, the p12 file the service is using has a Key Size of only 1024.
I assume that the Node.js version does not accept such a small Key Size.

Although I am not using any infinity Services, how can I fix this behaviour (recreating a stronger certificate/p12 file which the node.js process is using?)
For now, I issued "podman stop icra", but this does not survive a reboot.

Best

Jens

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
Wednesday

I assume once a real connection to Infinity Portal occurs, this certificate will get replaced with a stronger one.
This SK suggests it may actually be related to Infinity Identity (though it does connect via Infinity Portal): https://support.checkpoint.com/results/sk/sk183186 

0 Kudos
CaseyB
Advisor
Wednesday

I have an open TAC case on this issue now, I'll let you know when I have a permanent solution. We have also just stopped the docker image for the time being.

Did your CPU spike as crazy as mine from this?

cpu-spike.png

0 Kudos
JensBauernfeind
Explorer
yesterday
In response to CaseyB

I had similar spikes as you. The last change was the installation of Check_Point_R82_JHF_T60_TIME_FIX_655_MAIN_Bundle_T2_FULL.tgz on 2nd of march. But the cpu usage went up on the 8th of march. Thanks for keeping me informed.Capture.PNG

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
Wednesday

I checked my managements (none of which talk to Infinity Cloud) and the instance is running on all of them (mostly R82 jumbo 60, one R82.10 jumbo 6).

Concurring, based on the message, the problem is likely the 1024-bit key. Which file is it?

0 Kudos
JensBauernfeind
Explorer
yesterday
In response to Bob_Zimmerman

The file is /opt/CPInfinityCra/certificates/sic_local_cert.p12 on the mgmt's file system. You can find the password via "podman inspect icra" and looking for the value of the variable ICRA_SIC_LOCAL_CERTIFICATE_PASSCODE

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
yesterday
In response to JensBauernfeind

Confirmed, mine is 2048 bit RSA with a 1.2.840.113549.1.1.11 signature.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events