000038314 - How to update the root (server) and client certificates in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jan 6, 2020. Last modified by RSA Customer Support Employee on Feb 4, 2020.
Version 67

Article Content

Article Number: 000038314

Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.x

Issue: AFX Servers and remote collection agents communicate securely through the server.keystore and the client.keystore. The RSA Identity Governance & Lifecycle application is the server, and each AFX Server and remote collection agent is a client. These keystores are saved in the Oracle database and on the Linux file system. The certificates can get out of sync with each other, which causes AFX and remote collection agents to fail.

This article explains how to update the RSA Identity Governance & Lifecycle root (server) certificate and corresponding client certificates for use with AFX and remote collection agents. Some examples of when you might want to do this are:
  • After an upgrade of the AFX Server.
  • After restoring a database from another system.
  • After restoring an AFX Server archive from another system.
  • After installing the AFX Server archive on a soft-appliance.
  • The client and server certificates are out of sync.
  • You have run modifyhostname.sh.
  • To configure WebSphere or WebLogic to use server.keystore for incoming AFX connections.
Resolution: The process to regenerate the certificates is:
  1. Update the server certificate.
  2. Update each AFX Server client certificate.
  3. Update each remote collection agent client certificate (if you use remote agents.)

NOTES:
  • AFX and remote agents will not be running until this entire process is completed. Therefore, do this at a time when the system is quiet.
  • The server certificate (step 1) does not always need to be regenerated. Sometimes downloading the server and client keystores is sufficient, as long as their fingerprints match. Sometimes only the client certificate needs to be regenerated. After any regeneration, both the server and client keystores can be downloaded and their fingerprints compared (see the Notes section). The complete process is to regenerate both the server and client keystores, and that is what this article describes.



Update the server certificate

  1. In the RSA Identity Governance & Lifecycle user interface, go to Admin > System > Security tab.
  2. Under Server Certificate Store for Agent SSL Connections, click the Change Certificate Store button.

You will see a confirmation dialog. Click OK to generate the new server certificate.

  3. Click the Download button and save the server.keystore to a location on your computer.
  4. Log in to the application server as the oracle user.
  5. Download the new server.keystore to your RSA Identity Governance & Lifecycle application server. In this example the keystore file was downloaded to $AVEKSA_HOME (/home/oracle).
  6. Go to the keystore directory:

cd $AVEKSA_HOME/keystore

  7. Back up the existing server.keystore:

mv server.keystore server.keystore.bak

  8. Replace the existing server.keystore with the new server.keystore file that was just downloaded:

mv $AVEKSA_HOME/server.keystore $AVEKSA_HOME/keystore

  9. Restart RSA Identity Governance & Lifecycle:

acm restart


Update each AFX Server client certificate

Update the AFX Server client certificate for each AFX Server by updating the client.keystore and restarting the AFX and RSA Identity Governance & Lifecycle applications.

  1. In the RSA Identity Governance & Lifecycle user interface, go to AFX > Servers.
  2. For each AFX Server, click on the AFX Server name.
  3. Click the Change Certificate button. This action generates a new client certificate based on the new server certificate just generated and ensures that the client certificate stored in the database matches the server certificate stored in the database.

You will see a confirmation dialog. Click OK to generate the new client certificate.

  4. Click the Download Keystore button and save the client.keystore to a location on your computer.
  5. Log in to the application server where AFX is installed as the afx user.
  6. Download the new client.keystore to your RSA Identity Governance & Lifecycle AFX server. In this example the keystore file was downloaded to $AVEKSA_HOME (/home/oracle).
  7. Go to the keystore directory:

cd $AFX_HOME/esb/conf

  8. Back up the existing client.keystore:

mv client.keystore client.keystore.bak

  9. Replace the existing client.keystore with the new client.keystore file that was just downloaded:

mv $AVEKSA_HOME/client.keystore $AFX_HOME/esb/conf

  10. Restart AFX and the RSA Identity Governance & Lifecycle application:

afx stop
acm restart
afx start

Update each remote collection agent client certificate

  1. In the RSA Identity Governance & Lifecycle user interface, go to Collectors > Agents.
  2. For each remote agent (not the default local AveksaAgent), click on the remote agent name.
  3. Click the Change Certificate button. This action generates a new client certificate based on the new server certificate just generated and ensures that the client certificate stored in the database matches the server certificate stored in the database.

You will see a confirmation dialog. Click OK to generate the new client certificate.

  4. Click the Download Agent button to download a new agent with the new certificate in a zip file called AveksaAgent.zip.
  5. Log in to the remote server that hosts the remote agent as the oracle user.
  6. Download the new AveksaAgent.zip to the remote server. In this example, the zip file was downloaded to /home/oracle.
  7. Stop the agent by running agent_stop.sh in the AveksaAgent/bin directory, as follows:

cd /home/oracle/AveksaAgent/bin
./agent_stop.sh

  8. Back up the agent directory (AveksaAgent in this example):

cd /home/oracle
mv <agent-directory> <agent-directory.bak>

  9. Unzip the new agent on the remote server where it runs (replacing the old one):

unzip AveksaAgent.zip

  10. Start the agent by running agent_start.sh in the AveksaAgent/bin directory, as follows:

cd /home/oracle/AveksaAgent/bin
./agent_start.sh

Notes: The steps in this article ensure that the versions of the client and server certificates in the database and on the file system have the same fingerprints. To check that the keystores have the same fingerprints, do the following:

  1. Check the server.keystore:

su oracle
cd $AVEKSA_HOME/keystore
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore server.keystore -alias aveksa_ca

  2. Check the client.keystore for the AFX Server(s):

su {afxuser}
cd $AFX_HOME/esb/conf
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore client.keystore -alias aveksa_ca

  3. Check the client.keystore for the remote collection agent(s):

su oracle
cd /home/oracle/AveksaAgent/conf
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore client.keystore -alias aveksa_ca

  4. Look for the output below and ensure the fingerprints are the same for the server.keystore and each client.keystore. If they differ, repeat the steps in this article.

Certificate fingerprints:
         MD5:  20:C5:53:B6:54:E6:E9:1A:82:C4:B9:03:73:56:CE:BC
         SHA1: DF:8F:78:72:79:36:F0:9C:B8:63:89:CA:10:C6:A9:90:06:1A:64:1D
         SHA256: CB:8B:88:AA:FA:A5:A1:17:31:4A:90:FF:7B:0C:F8:8E:97:AD:0D:84:85:1A:D8:37:BD:2A:8A:94:8A:34:CE:26
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
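As an added example (not part of the RSA article and not RSA's own tooling), the following POSIX shell script automates the fingerprint check above so that an operator does not have to compare the SHA256 lines by eye. It runs the same keytool command the article uses against server.keystore and each client.keystore, extracts the SHA256 fingerprint of the aveksa_ca entry, and reports OK or MISMATCH per client keystore. It assumes keytool is on the PATH, the keystore password documented in the article, and the directory layout the article uses; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: compare the aveksa_ca certificate fingerprint in
# server.keystore with the one in each client.keystore.
# Assumptions: keytool is on PATH; the store password is the value the
# article documents; paths follow the article's layout. Not RSA's code.

STOREPASS="Av3k5a15num83r0n3"   # keystore password as documented in the article
ALIAS="aveksa_ca"               # alias the article lists with keytool

# Read a 'keytool -list -v' listing on stdin and print its SHA256 fingerprint
# (colon-separated hex, as in the article's sample output). Prints nothing if
# the listing has no SHA256 line. Tolerates both "SHA256:" and "SHA-256:".
sha256_from_listing() {
    sed -n 's/^[[:space:]]*SHA-\{0,1\}256:[[:space:]]*//p' | head -n 1
}

# SHA256 fingerprint of $ALIAS in the keystore file given as $1 (runs keytool).
keystore_sha256() {
    keytool -list -v -storepass "$STOREPASS" -keystore "$1" -alias "$ALIAS" 2>/dev/null \
        | sha256_from_listing
}

# Compare two fingerprint strings.
# Returns 0 when both are present and equal, 1 when they differ,
# 2 when either is missing (unreadable keystore or wrong alias).
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" = "$2" ]
}

# Check every client keystore listed after the server keystore.
# Usage: check_keystores /path/server.keystore /path/client.keystore [...]
# Returns 0 if all match, 1 if any client differs, 2 if the server entry is unreadable.
check_keystores() {
    server="$1"; shift
    server_fp=$(keystore_sha256 "$server")
    if [ -z "$server_fp" ]; then
        echo "ERROR: no readable $ALIAS entry in $server" >&2
        return 2
    fi
    status=0
    for client in "$@"; do
        client_fp=$(keystore_sha256 "$client")
        if fingerprints_match "$server_fp" "$client_fp"; then
            echo "OK       $client"
        else
            echo "MISMATCH $client (server $server_fp, client ${client_fp:-<unreadable>})"
            status=1
        fi
    done
    return $status
}

# Run only when invoked with arguments, e.g. on the application server:
#   ./check_keystores.sh $AVEKSA_HOME/keystore/server.keystore $AFX_HOME/esb/conf/client.keystore
if [ "$#" -ge 2 ]; then
    check_keystores "$@"
fi
```

The comparison uses SHA256 rather than the MD5 or SHA1 lines that keytool also prints, since those digests are no longer suitable for distinguishing certificates. Because the AFX and remote agent keystores normally live on other hosts or under other users, the practical pattern is to run the script once per host (or copy each client.keystore to the application server first) and treat any MISMATCH as the signal to repeat the corresponding section of this article.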


 
