000037195 - RSA Authentication Manager Operations Console fails to display virtual host certificates

Document created by RSA Customer Support Employee on Feb 19, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037195
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
IssueA backup was restored into an Authentication Manager primary instance from another Authentication Manager deployment and the Operations Console reports the following message when retrieving the virtual host certificates. 

Error retrieving Virtual Host Certificate list

:

User-added image
 

This same message is also seen when creating a web-tier package via the Operations Console.
CauseRestoring a backup into a new Authentication Manager primary instance has an impact on the virtual host certificate retrieval which is currently under investigation by RSA.
 
The virtual host certificates are stored in a Java KeyStore (JKS) file and this file is password protected. On the restored Authentication Manager primary instance the cached password for the JKS file does not match the password of the restored JKS file containing the virtual host certificates hence the error reported Error retrieving Virtual Host Certificate list.
 
WorkaroundAs a workaround you can follow these steps below to update the password of the restored JKS file to match the Authentication Manager primary instance cached password.
 
  1. If you have not done so already, enable Secure Shell access to the command line.
  2. Logon to the command line using the rsaadmin account credentials.

Note that during Quick Setup another user name may have been selected. Use that user name to login.  This password would have been entered by the installer of the Authentication Manager instance, so this password is not known by RSA Customer Support.



  1. At the command line navigate to the /opt/rsa/am/utils directory:

cd /opt/rsa/am/utils


  1. Obtain the signing keys (passwords) for the JKS file.  You will require the Operations Console username and password for this command.
 

rsaadmin@am84:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key


Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_inqqjwar
Command API Client User Password ......................: p8nlbxIVrc5xOqUNsWmBJPDQBtkT0k
SSL Server Identity Certificate Private Key Password ..: M8d8BgPMr7shYNramlONcfFaGZ6zhC
SSL Server Identity Certificate Keystore File Password : dtWbhw7nBN0ZcR6HALWaRU5qvwXjc0
Root Certificate Private Key Password .................: o4xiE057EwAUMyZaJ3Mcp1vdhOEpQB
Root Certificate Keystore File Password ...............: zF0aNSs7RNDT7U9kfZY7c0aTl6N5BH
 
The "listkeys" action displays the key names to use when setting the values.
rsaadmin@am84:/opt/rsa/am/utils>


Make a note of the SSL Server Identity Certificate Keystore File Password



  1. At the command line navigate to /opt/rsa/am/server/security:

cd /opt/rsa/am/server/security


  1. Make a copy of the vh-inactive.jks file

cp vh-inactive.jks vh-inactive.jks.BAK


  1. Check whether the SSL Server Identity Certificate Keystore File Password from the local Authentication Manager primary instance can access the JKS file:

/opt/rsa/am/appserver/jdk/jre/bin/keytool –list -keystore /opt/rsa/am/server/security/vh-inactive.jks



You will be prompted to enter a keystore password This is the SSL Server Identity Certificate Keystore File Password obtained in step 4. The SSL Server Identity Certificate Keystore File Password is expected to fail with the following message:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect


  1. Use the keytool command to change the password of the /opt/rsa/am/server/security/vh-inactive.jks file to match the local Authentication Manager primary instance SSL Server Identity Certificate Keystore File Password:

rsaadmin@am84:/opt/rsa/am/utils> /opt/rsa/am/appserver/jdk/jre/bin/keytool -storepasswd -storepass zF0aNSs7RghdHALW3b7aRU5qvwXjc0 -new dtWbhw7nBN0ZcR6HALWaRU5qvwXjc0 -keystore /opt/rsa/am/server/security/vh-inactive.jks


The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks  -destkeystore /opt/rsa/am/server/security/vh-inactive.jks -deststoretype pkcs12".


rsaadmin@am84:/opt/rsa/am/utils>


  1. Check the accessibility of the JKS file works with the local Authentication Manager primary instance SSL Server Identity Certificate Keystore File Password:

/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks


Add the -v parameter for verbose output (e. g., /opt/rsa/am/appserver/jdk/jre/bin/keytool -list –v -keystore /opt/rsa/am/server/security/vh-inactive.jks):


The output without verbose will be as follows:



rsaadmin@am84:/opt/rsa/am/utils> /opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks


Enter keystore password: <enter keystore password>
Keystore type: JKS
Keystore provider: SUN
 
Your keystore contains 4 entries
 
virtualhost-signing-ca, Feb 1, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
virtualhost, Feb 1, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 61:85:0D:64:36:E0:85:EB:79:21:79:E9:AA:B8:9C:9D:5C:09:63:5A
rsa-am-ca, Feb 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): DA:B3:69:E4:64:CF:68:E9:AC:B7:1B:6D:91:75:E5:83:4B:A3:3C:78
virtualhost-id-key, Feb 23, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 34:FC:0F:5B:22:10:DD:F8:69:8A:43:C9:21:80:59:AA:38:BD:26:B8
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks  -destkeystore /opt/rsa/am/server/security/vh-inactive.jks -deststoretype pkcs12".
rsaadmin@am84:/opt/rsa/am/utils> 


  1. Check that you can access the virtual host certificate(s) from the Operation Console (Deployment Configuration > Certificates > Virtual Host Certificate Management). It would be expected that the virtual host certificate(s) are displayed.
  2. Disable Secure Shell access to the command line.

Attachments

    Outcomes