000037985 - RSA Archer how to replace the Advanced Workflow SSL Certificate

Document created by RSA Customer Support Employee on Oct 28, 2019. Last modified by RSA Customer Support Employee on Oct 28, 2019.
Version 2

Article Content

Article Number: 000037985
Applies To: RSA Product Set: RSA Archer Suite
RSA Product/Service Type: RSA Archer (On-Premise) / RSA Archer (SaaS) / SSL Certificate / Advanced Workflow Certificate
RSA Version/Condition: 6.2 P4 or later
Platform: Windows Server 2012 R2 / Windows Server 2016
Issue
The purpose of this article is to explain how to replace (change) the Advanced Workflow SSL Certificate.
Two methods will be explored in this article:
  1. Replacing the Advanced Workflow SSL Certificate using the Archer Installer.
  2. Replacing the Advanced Workflow SSL Certificate using Windows PowerShell.

Situations where you may need to replace the Advanced Workflow SSL Certificate include:
  • The Advanced Workflow SSL Certificate has expired.
  • Your organization's security policy mandates that certificates such as the Advanced Workflow SSL Certificate be re-issued once a year.
  • The Advanced Workflow SSL Certificate has been compromised.
Resolution

Preparation for Replacement

  1. Stop ALL RSA Archer Jobs

    • This task stops the processing of new jobs while allowing currently running jobs to finish; jobs in progress and their associated child jobs can complete processing.
    • Navigate to Plugins menu > Job Engine Manager.
    • Go to the Servers tab.
    • Click Discontinue Job Processing.
    • In the Actions pane, click Save.

  2. Stop all RSA Archer services (with the exception of the 'RSA Archer Configuration' service) on each Web Server and Services Server

This process ensures that all RSA Archer services are stopped while the RSA Archer Configuration service continues to run.

  • Run Windows Services as Administrator.
  • Scroll until the RSA services appear.
  • Right-click each RSA service [Job Engine, Queuing, LDAP Synchronization, Indexing, Workflow, Cache] and stop it, with the exception of the 'RSA Configuration' service.

Note:
  • Before stopping the Job Engine service, check for a running "ArcherTech.JobFramework.Job.exe" process under the "Details" tab of Task Manager. If a job is running, the 'Job Engine' service will fail to stop.
  • You will either have to wait for these jobs to complete, or you may end them [right-click the job and select 'End task'] in order to stop the 'Job Engine' service.

  3. Shut down RSA Archer [stop IIS service]

This process prevents access to the RSA Archer website while the Advanced Workflow SSL Certificate is being replaced.

  • Open a Command Prompt and run it as Administrator.
  • Enter the following command and press Enter:

iisreset /STOP

Listing SSL Certificates in-use

To list the SSL certificates in use together with their bindings, use the following Windows command. (In the original screenshot it is run from PowerShell, but that is not mandatory; it is assumed that the same prompt is later used to change the certificate in Method 2.)

  • Open a Command Prompt.
  • Enter the following command and press Enter:

netsh http show sslcert

To display the specific SSL certificate which has a binding to port 8443:

  • Open a Command Prompt.
  • Enter the following command and press Enter:

netsh http show sslcert 0.0.0.0:8443

  • Note down the Application ID if you will be using Method 2.

Notes:
  • Certhash is the thumbprint of the certificate (found in the properties of the certificate).
  • Application ID is the GUID of the owning application.
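
Both values can also be pulled out of the netsh output programmatically. The PowerShell function below is an added example and not part of the RSA article: it parses the output of netsh http show sslcert (all bindings or a single one) and returns the Certificate Hash and Application ID of the binding on the port you name (0.0.0.0:8443 by default), so the same call also confirms the new binding after either method. The function name and the sample netsh output are constructed.

```powershell
# Added example, not from the RSA article: parse "netsh http show sslcert" output and
# return the Certificate Hash and Application ID of one binding. Live use:
#   Get-SslCertBinding -NetshOutput (netsh http show sslcert)
# Constructed sample: 8443 values are the article's example hash/GUID, 443 values placeholders.
$sampleNetshOutput = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : My

    IP:port                      : 0.0.0.0:8443
    Certificate Hash             : e060be015c81ae3d8dd446eecc0c10fa06b2ee1b
    Application ID               : {e182be7b-95c5-492a-92c2-e87311b90b0b}
    Certificate Store Name       : My
'@
function Get-SslCertBinding {
    param(
        [Parameter(Mandatory)][string[]]$NetshOutput,
        [string]$IpPort = '0.0.0.0:8443'
    )
    $binding = $null
    foreach ($line in $NetshOutput) {
        # Fields print as "<name><padding> : <value>"; the name itself may contain ":".
        if (-not ($line -match '^\s*(\S.*?)\s+:\s+(\S.*?)\s*$')) { continue }
        $name, $value = $matches[1], $matches[2]
        if ($name -eq 'IP:port') {
            if ($null -ne $binding) { break }           # the wanted block is complete
            if ($value -eq $IpPort) { $binding = @{} }  # start collecting this block
        } elseif ($null -ne $binding) {
            $binding[$name] = $value
        }
    }
    if ($null -eq $binding) { return $null }            # nothing bound on that port
    if ($binding['Certificate Hash'] -notmatch '^[0-9a-f]{40}$') {
        throw "Certificate Hash is not a 40-hex-digit thumbprint: '$($binding['Certificate Hash'])'"
    }
    if ($binding['Application ID'] -notmatch '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$') {
        throw "Application ID is not a braced GUID: '$($binding['Application ID'])'"
    }
    [pscustomobject]@{
        IpPort          = $IpPort
        CertificateHash = $binding['Certificate Hash']
        ApplicationId   = $binding['Application ID']
    }
}
Get-SslCertBinding -NetshOutput ($sampleNetshOutput -split "`r?`n") | Format-List
```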

Remove the binding of the SSL certificate with port 8443

  • CAUTION: Ensure you have recorded the Application ID PRIOR to removing the binding. Please refer to Listing SSL Certificates in-use.
  • Open a Command Prompt and run it as Administrator.
  • Enter the following command and press Enter:

netsh http delete sslcert 0.0.0.0:8443

  • Verify that the binding has been removed:
    • Open a Command Prompt.
    • Enter the following command and press Enter:

netsh http show sslcert 0.0.0.0:8443

Method 1: Replacing the Advanced Workflow SSL Certificate using the Archer Installer

Summary: Run the Archer Installer and select the new SSL certificate for the Advanced Workflow.

  1. A Certificate Services Administrator needs to create a new dedicated SSL certificate for the Advanced Workflow service, and the new SSL certificate needs to be placed in the Personal folder of the Certificate Store [using the Microsoft MMC Console].

    • Notes:
      • Please do not use the SSL HTTPS Certificate or the RSA Archer Configuration Certificate as the Advanced Workflow certificate.
      • Advanced Workflow requires a dedicated SSL certificate. Please refer to the RSA Archer 6.6 Platform Installation and Upgrade Guide on page 46: https://community.rsa.com/docs/DOC-103213
      • The SSL certificate has to be issued to the fully qualified domain name of the host where the Advanced Workflow Service is installed. If there are multiple Advanced Workflow Service hosts, the hostname is the DNS name of the Load Balancer and the port number refers to the port for which you have configured the Load Balancer.

  2. Run the Archer Installer on each Web Server and reinstall only the 'Services' and the 'Advanced Workflow Service' components.

  3. Select the new SSL certificate for the Advanced Workflow and complete the installation.

  4. Verify that the new SSL certificate is bound to port 8443:

  • Open a Command Prompt.
  • Enter the following command and press Enter:

netsh http show sslcert 0.0.0.0:8443

  5. Start RSA Archer Jobs

  • Navigate to Plugins menu > Job Engine Manager.
  • Go to the Servers tab.
  • De-select Discontinue Job Processing.
  • In the Actions pane, click Save.

  6. Start the RSA Archer services on each Web Server and Services Server

  • Run Windows Services as Administrator.
  • Scroll until the RSA services appear.
  • Right-click each RSA service [Job Engine, Queuing, LDAP Synchronization, Indexing] and start it, except the RSA Configuration Service, which was left running.

  7. Start RSA Archer [start IIS service]

  • Open a Command Prompt.
  • Enter the following command and press Enter:

iisreset /START

Method 2: Replacing the Advanced Workflow SSL Certificate using Windows PowerShell

This method assumes that you have recorded the Application ID of the old certificate as described above, and that the old Advanced Workflow Certificate binding has been removed using the steps above.

  1. Obtain the Thumbprint of the new SSL certificate

  • You can use the following PowerShell command to retrieve all of the SSL certificate thumbprints and their expiration dates on an individual server that has IIS installed:

Get-ChildItem Cert:\LocalMachine\my | Select-Object Subject,FriendlyName,Thumbprint,Issuer,PublicKey,SignatureAlgorithm,NotAfter

  • Notes:
    • The Thumbprint returned by the above command is the Certificate Hash shown under Server Certificates in Internet Information Services (IIS).
    • NOTE: Record the Thumbprint for the next step.
  • In the original screenshot, the certificate's Thumbprint in the Personal store of the Certificates snap-in matches that of the certificate listed above, confirming that the "My" store seen in PowerShell is the same as the "Personal" store seen in the Certificates snap-in.

For each Web Server which is using the same Archer application:

  2. Run the following Windows command to add the new SSL certificate binding with the correct Certificate Hash and Application ID.

Syntax:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=<cert thumbprint minus spaces> appid='{<appID>}' certstorename=My

Here is an example:

  • We use the recorded Thumbprint [certhash] and Application ID [appid]:

netsh http add sslcert ipport=0.0.0.0:8443 certhash=e060be015c81ae3d8dd446eecc0c10fa06b2ee1b appid='{e182be7b-95c5-492a-92c2-e87311b90b0b}' certstorename=My

  • Notes:
    • There is an equals sign "=" directly after certhash, with no space.
    • certhash=<cert thumbprint minus spaces>
    • Make sure there is no question mark at the beginning of the certhash string. If you copy the above command into the PowerShell terminal, it may add a question mark to the certhash after the equals sign.
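
The PowerShell function below is an added example, not part of the RSA article: it cleans up a thumbprint pasted with spaces or a stray leading character, checks it together with the recorded Application ID, and only then builds the add sslcert command from the syntax above. The function name and the pasted input values are constructed, except for the article's own example hash and GUID.

```powershell
# Added example, not from the RSA article: clean up a pasted thumbprint, validate
# it and the recorded Application ID, and build the article's "netsh http add
# sslcert" command. The sample values reuse the article's example hash and GUID;
# the leading "?" and the spaces are constructed to mimic a bad copy/paste.
function New-AwfSslCertBindingCommand {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppId,
        [string]$IpPort = '0.0.0.0:8443',
        [string]$StoreName = 'My'
    )
    # Keep hex digits only: this drops the spaces shown in the certificate
    # properties dialog and any invisible character (displayed as "?") that
    # arrives when the command is pasted into the PowerShell window.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hash.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters after cleanup, got $($hash.Length): '$hash'"
    }
    # Accept the GUID with or without braces and normalise to {guid}.
    $guid = $AppId.Trim().Trim('{', '}').ToLower()
    if ($guid -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
        throw "Application ID is not a GUID: '$AppId'"
    }
    # No space may follow "certhash=" or "appid=". The single quotes are for
    # PowerShell, which would otherwise tokenise an unquoted {...} as a script
    # block; netsh itself receives appid={guid}.
    "netsh http add sslcert ipport=$IpPort certhash=$hash appid='{$guid}' certstorename=$StoreName"
}

# Constructed inputs: thumbprint as copied from the certificate properties
# (spaces, stray leading character) and the Application ID recorded earlier.
$pastedThumbprint = '?e0 60 be 01 5c 81 ae 3d 8d d4 46 ee cc 0c 10 fa 06 b2 ee 1b'
$recordedAppId    = '{e182be7b-95c5-492a-92c2-e87311b90b0b}'
$command = New-AwfSslCertBindingCommand -Thumbprint $pastedThumbprint -AppId $recordedAppId
$command   # identical to the article's example command above
```

Run the printed command from the same elevated PowerShell prompt once it reads as expected.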

 

  • Verify that the new SSL certificate is bound to port 8443:
    • Open a Command Prompt.
    • Enter the following command and press Enter:

netsh http show sslcert 0.0.0.0:8443

  3. Start RSA Archer Jobs

  • Navigate to Plugins menu > Job Engine Manager.
  • Go to the Servers tab.
  • De-select Discontinue Job Processing.
  • In the Actions pane, click Save.

  4. Start the RSA Archer services on each Web Server and Services Server

  • Run Windows Services as Administrator.
  • Scroll until the RSA services appear.
  • Right-click each RSA service [Job Engine, Queuing, LDAP Synchronization, Indexing] and start it, except the RSA Configuration Service, which was left running.

  5. Start RSA Archer [start IIS service]

  • Open a Command Prompt.
  • Enter the following command and press Enter:

iisreset /START

Verifying the Advanced Workflow is working using the browser [User Interface]

Run the following command while you check the Job Troubleshooting page [Login to Archer > Administration > Job Troubleshooting]:

  • Open a Command Prompt.
  • Enter the following command and press Enter:

netstat -ano | find "8443"

  • Check the Advanced Workflow tab in an application with Advanced Workflow [Login to Archer > Administration > Application Builder > Applications > Findings or Business Impact Analysis > Advanced Workflow tab].
  • Run a test by enrolling a record into the Advanced Workflow. For instance, go to the Contact application and enroll a record into the Advanced Workflow.
  • You can also troubleshoot the Advanced Workflow service: use Internet Explorer to visit the Workpoint from each Web Server and try the following URL
  • You should see the following page

Notes
Please be careful with the format.