000038456 - Entrust CA Certificate Update for Live Services on the RSA NetWitness Platform

Document created by RSA Customer Support Employee on Feb 7, 2020. Last modified by RSA Customer Support Employee on Feb 14, 2020. Version 2.

Article Content

Article Number: 000038456
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Server (UI Admin)
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: 6
Issue: Deployments of RSA NetWitness Platform 10.6.x.x and earlier will encounter certificate validation failures for all RSA NetWitness Live Services served from cms.netwitness.com after 16 February 2020.
Cause: The certificate update on 16 February 2020 changes the issuer of the cms.netwitness.com certificate from GoDaddy to Entrust. RSA NetWitness Platform 10.6.x.x and earlier deployments do not contain the Entrust root certificate in their Java keystore, so the new certificate chain cannot be validated.
Resolution

If you receive a password error when running the commands below that change the keystore, confirm that the keystore password is still the default, changeit. If it has been changed, replace -storepass changeit with -storepass <custom password> in every command in this document.

Install the Entrust CA certificate on RSA NetWitness 10.6.x.x and earlier deployments by performing the following steps:



  1. Download the Entrust CA certificate (Entrust Root Certificate Authority—G2) available at Entrust Root Certificate Download. The Download button for the certificate is toward the bottom of the page; note the SHA-1 thumbprint shown there, as later steps compare against it.
  2. SSH to the RSA NetWitness Admin (UI) server. Run the following command, which prints the SHA-1 fingerprint (thumbprint) of the Entrust G2 certificate if an entry with that alias already exists in the current keystore.

Note: If the certificate is not already installed, keytool displays an exception about the alias not existing or the certificate failing to load, and no fingerprint is printed.

$ keytool -exportcert -keystore /etc/pki/java/cacerts -storepass changeit -alias entrustrootcertificationauthority-g2 | openssl x509 -inform DER -noout -fingerprint -sha1 | awk '{print $2}'
Output:
Fingerprint=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4



  3. Compare the output from the previous step to the thumbprint found on the Entrust download link in step 1.

  • If the fingerprint output matches the thumbprint, no further work is needed. Disregard the remainder of this guide.
  • If no fingerprint was returned from the previous step, go to step 4.
  • If the fingerprint output does not match the thumbprint for the Entrust CA, run the following command to remove the stale entry from the keystore.

$ keytool -delete -keystore /etc/pki/java/cacerts -storepass changeit -alias entrustrootcertificationauthority-g2


  4. Copy the downloaded Entrust CA certificate from step 1 to the /tmp directory of the RSA NetWitness Admin (UI) server.
  5. Import the Entrust CA certificate into the keystore from the /tmp directory.

$ keytool -importcert -keystore /etc/pki/java/cacerts -storepass changeit -alias entrustrootcertificationauthority-g2 -file /tmp/<certificate_file_name>.cer

For example:
$ keytool -importcert -keystore /etc/pki/java/cacerts -storepass changeit -alias entrustrootcertificationauthority-g2 -file /tmp/entrust_g2_ca.cer


  6. Verify the fingerprint of the newly imported Entrust CA to confirm that it is now in the keystore. Run the following command and compare the fingerprint to the thumbprint found at the link in step 1.

$ keytool -exportcert -keystore /etc/pki/java/cacerts -storepass changeit -alias entrustrootcertificationauthority-g2 | openssl x509 -inform DER -noout -fingerprint -sha1 | awk '{print $2}'

Output:
Fingerprint=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4


  7. If everything matches, restart the RSA NetWitness Admin (UI) server for the new certificate to take effect.
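The check-compare-replace sequence of steps 2 to 6 above, as an added shell example that is not part of the RSA article: it verifies the downloaded file against the published Entrust G2 fingerprint before touching the keystore, then imports or replaces the alias only when needed. It assumes the certificate path is passed as the first argument, a non-default keystore password is supplied in the STOREPASS environment variable, and keytool and openssl are on PATH.

```shell
# Added example (not from the RSA article). Assumes: $1 is the downloaded
# certificate, STOREPASS overrides the default password, keytool/openssl on PATH.
KEYSTORE=/etc/pki/java/cacerts
STOREPASS="${STOREPASS:-changeit}"
ALIAS=entrustrootcertificationauthority-g2
EXPECTED_SHA1=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4

# Normalise a fingerprint for comparison: drop any "SHA1 Fingerprint=" prefix,
# remove colons and spaces, and upper-case the hex digits.
norm_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}
# Succeed (exit 0) when two fingerprints are equal after normalisation.
fp_equal() {
  [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}
# SHA-1 fingerprint of the alias in the keystore; empty when the alias is absent.
keystore_fp() {
  keytool -exportcert -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
    | openssl x509 -inform DER -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//'
}
# SHA-1 fingerprint of a certificate file, accepting PEM or DER encoding.
file_fp() {
  { openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1; } | sed 's/^.*=//'
}
# Check the downloaded file, then compare, replace or import the keystore entry.
ensure_entrust_ca() {
  cert="$1"
  # Never import a file that is not the expected Entrust G2 root.
  if ! fp_equal "$(file_fp "$cert")" "$EXPECTED_SHA1"; then
    echo "$cert does not carry the Entrust G2 fingerprint; aborting" >&2; return 1
  fi
  current="$(keystore_fp)"
  if [ -n "$current" ] && fp_equal "$current" "$EXPECTED_SHA1"; then
    echo "Entrust G2 already in keystore; nothing to do"; return 0
  fi
  # A stale entry under the same alias must be removed before re-importing.
  [ -n "$current" ] && keytool -delete -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS"
  keytool -importcert -noprompt -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" -file "$cert"
  fp_equal "$(keystore_fp)" "$EXPECTED_SHA1"   # final verification, as in step 6
}

# Usage: sh entrust_check.sh /tmp/entrust_g2_ca.cer   (then restart the UI server)
if [ $# -ge 1 ]; then ensure_entrust_ca "$1"; fi
```

A non-zero exit from the script means either the downloaded file is not the Entrust G2 root or the import did not produce the expected fingerprint, so the UI server should not be restarted until that is resolved.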
