000038979 - Unable to find valid certification path error when logging on to Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) for RSA Authentication Manager Prime Kit

Document created by RSA Customer Support Employee on Jun 29, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038979
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager, Authentication Manager Prime
Platform: Linux
Issue
  • When a user tries to authenticate to either HDAP or SSP, the authentication fails with the following message:

Authentication Failed 


  • Alternatively, the UI loops back to the login screen.
  • The following error is in the am8.log:


2020-06-08T21:33:59,179+0200,com.rsa.ucm.am8,27,INFO ,[RESULT_STATUS]:
getContext completes in 64ms. Result: (false)
Message: org.springframework.remoting.RemoteAccessException :
Could not access HTTP invoker remote service at [/ims-ws/httpinvoker/CommandServer];
nested exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target



 
CauseThe RSA Authentication Manager Integration Server (AMIS) server does not trust the RSA Authentication Manager certificate. The connection between the RSA Authentication Manager Prime Kit server and RSA Authentication Manager fails, causing the authentication failure. 
ResolutionTo correct this issue, import the RSA Authentication Manager root certificate into the AMIS truststore.jks. 
  1. Log in to the RSA Authentication Manager Prime server CLI.
  2. Run the following command to get the RSA Authentication Manager root certificate. Replace am84.testlab.com with your RSA Authentication Manager FQDN.

    # openssl s_client -connect am84.testlab.com:7002 -showcerts
    CONNECTED(00000003)
    depth=1 CN = RSA root CA for am84.testlab.com
    verify error:num=19:self signed certificate in certificate chain
    ---
    Certificate chain
    0 s:/CN=am84.testlab.com
       i:/CN=RSA root CA for am84.testlab.com
    -----BEGIN CERTIFICATE-----
    MIIDADCCAeigAwIBAgIQd7RyY5YpUjNT6BcaLREYFjANBgkqhkiG9w0BAQsFADAs
    MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN
    MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFhbTg0LnNh
    YmVybGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAItEiCH8
    cm84nd9ak9zyLxJEjLndgPTzYBXSVmsSkO8mVRchNhg4QcoImj2Vb/oOcs3DAybC
    /cnNOXgACiiA0l3hKjx6Yuno8zW36wI4PO3wsIp4BYgN16WLjECArJsZilYHRMBx
    4LgXVLcCNRNDVclDoWu9Tzi2XdXug+Fr1hCK74amhzHj1hmRLKxc0dO1XKaaht3G
    XC0kgg7Bn8zgx1EQ+0NSbJC9s8qC6pY2b3kasKAkkWx67z40zg744vZWs4cObn41
    iG2WpxNGQkrrIZK+fAZ7W9tNdQFwA+PAUipmF05krh4NaJFcX/Zd9NEmHElsMHRi
    BrvVCUJdmorWXQUCAwEAAaMuMCwwDAYDVR0TAQH/BAIwADAcBgNVHREEFTATghFh
    bTg0LnNhYmVybGFiLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAjx3FxuGBQtpy1PY0
    8zDK+swMQQZGrA0O7evx02hnJgialETxlH9nPA1aOlvOtds0YJNf0qrsX+auylxm
    28b67e61bTzMqcJGXEnyDwVn4k1+sKi6L7q++bVaWOAFNtv3DlqcQG+oAviJsk2v
    PRj1OqRdcP2nVvFosaWCI5KiK9fjI9FIzKDVWM62BGyOLzSlzJPPc/q9dvi5Tqwq
    G4vrK82xyH0kPnOH/9edSVXypEhVRVONDPzjQ+Wm/UqQaQ6y/rny3KjUMQIqORjG
    psh0kbkQMPiPP7HizJiUmlC83rIkEbMjSQgUtlEyEH9C06YVyVQwWs5tRuSLV3d0
    ds2oTQ==
    -----END CERTIFICATE-----
    1 s:/CN=RSA root CA for am84.testlab.com
       i:/CN=RSA root CA for am84.testlab.com
    -----BEGIN CERTIFICATE-----
    MIIDFjCCAf6gAwIBAgIQQG5GCR508OGVjrg3mG5FlDANBgkqhkiG9w0BAQsFADAs
    MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN
    MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFSU0Egcm9v
    dCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQCg0dOTxAdWKfDsViAZ5tQHmJ5mxdzwrkXFDfmqVbixIr6T1GM+
    nah+rfTecjkbs4Q8+VnN341eTFdTkgD0CCBdemMm1abH2YviiyqV3qYXuVggDR/J
    cuO66oVS2lZqbxfUaT4V/oTH2PqWFVz5XHHcLQycFgTgOuFPAzKZhb3B7HaRngGX
    KNjHTbXkdKeRoxtjJC0Frj9liZaxZ3XcTH9aSB5+dWNn14W81Fxb+oao/wf8O0o9
    kXIZ8rzkIvKO7Btr5yz8NpqpYjm/4s8j4TXUz5dm4aJU7RQCSyEG6QpxnYinte0k
    DcWoCzyT3NSOYlMvm/t1rJFwH2c97gBcSBzjAgMBAAGjNDAyMBIGA1UdEwEB/wQI
    MAYBAf8CAQEwHAYDVR0RBBUwE4IRYW04NC5zYWJlcmxhYi5jb20wDQYJKoZIhvcN
    AQELBQADggEBAD5wsTkk9rEKFdp1NbLHdPjdhEn91BlMlj047Nq/5KvD85THWd73
    MpM/V9Vfx3SR+t8vXmPRD1C5NlxaCR2Q9nscMX3xl337s1dVXN0BT11vzZiG3OAD
    3b2yOCrGTL8NYggtgWzD9FVAnbiIqM7RduckpvpwzK2Y3weekBVAkelmWGoRuYtv
    CF36UUghEKYd3a4vjIJmoLasDn/meW6IQB0RO1LTggRhBRRRcxt+e2dHWc+WnDr4
    lX6ODLY7U2I5+4n1Vyq/42bvXVsAuijS90khbHAx9GTo1nqTQRmUri4X9bTjH8lF
    e6ftQ6yfEn2Upms6uTPu66KBPED+7wZtsP4=
    -----END CERTIFICATE-----

  3. Create a new certificate file:

    touch /tmp/amrootCA.cer

  4. Open the new /tmp/amrootCA.cer in a text editor and copy the root CA certificate into that file:

    -----BEGIN CERTIFICATE-----
    MIIDFjCCAf6gAwIBAgIQQG5GCR508OGVjrg3mG5FlDANBgkqhkiG9w0BAQsFADAs
    MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN
    MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFSU0Egcm9v
    dCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQCg0dOTxAdWKfDsViAZ5tQHmJ5mxdzwrkXFDfmqVbixIr6T1GM+
    nah+rfTecjkbs4Q8+VnN341eTFdTkgD0CCBdemMm1abH2YviiyqV3qYXuVggDR/J
    cuO66oVS2lZqbxfUaT4V/oTH2PqWFVz5XHHcLQycFgTgOuFPAzKZhb3B7HaRngGX
    KNjHTbXkdKeRoxtjJC0Frj9liZaxZ3XcTH9aSB5+dWNn14W81Fxb+oao/wf8O0o9
    kXIZ8rzkIvKO7Btr5yz8NpqpYjm/4s8j4TXUz5dm4aJU7RQCSyEG6QpxnYinte0k
    DcWoCzyT3NSOYlMvm/t1rJFwH2c97gBcSBzjAgMBAAGjNDAyMBIGA1UdEwEB/wQI
    MAYBAf8CAQEwHAYDVR0RBBUwE4IRYW04NC5zYWJlcmxhYi5jb20wDQYJKoZIhvcN
    AQELBQADggEBAD5wsTkk9rEKFdp1NbLHdPjdhEn91BlMlj047Nq/5KvD85THWd73
    MpM/V9Vfx3SR+t8vXmPRD1C5NlxaCR2Q9nscMX3xl337s1dVXN0BT11vzZiG3OAD
    3b2yOCrGTL8NYggtgWzD9FVAnbiIqM7RduckpvpwzK2Y3weekBVAkelmWGoRuYtv
    CF36UUghEKYd3a4vjIJmoLasDn/meW6IQB0RO1LTggRhBRRRcxt+e2dHWc+WnDr4
    lX6ODLY7U2I5+4n1Vyq/42bvXVsAuijS90khbHAx9GTo1nqTQRmUri4X9bTjH8lF
    e6ftQ6yfEn2Upms6uTPu66KBPED+7wZtsP4=
    -----END CERTIFICATE-----

  5. Check the AMIS setenv.sh file (by default it is in <Prime_installation_directory>/configs/amis/tomcat-amis/setenv.sh) to confirm the truststore.jks location and password:

    #!/bin/sh
    # AM PRIME VARIABLES =============================================================
    # OPTIONAL TO UPDATE
    TOMCAT_HTTPS_PORT=8443
    export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/amis_keystore_new.jks"
    export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass='password'"
    export CATALINA_OPTS="$CATALINA_OPTS -Dssl.alias=amis"
    export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=$AMPRIMECWD/certificates/truststore.jks"
    export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword='password'"

    #export CATALINA_OPTS="$CATALINA_OPTS -Dsyslog.server=logs.company.com"
    ...

  6. Import the certificate into the truststore.jks. Enter the file password when prompted. The installation directory might be different to each instance, but the file names are the same.

    /opt/rsa/primekit/java/latest/bin/keytool -import -alias am8rootca \
    -file /tmp/amrootCA.cer -keystore /opt/rsa/primekit/certificates/truststore.jks

    Enter keystore password:

  7. When prompted whether to trust the certificate, type yes and press Enter

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

  8. Restart the RSA Authentication Manager Prime Kit services:

    service tomcat-amis restart
    service tomcat-hdap restart
    service tomcat-ssp restart

Notes
  • The RSA Authentication Manager Prime Kit installation directory will differ from one environment to the other. The administrator should be aware of the installation directory. However, the subdirectories and file names will not change. 
  • Restarting the service steps will differ from one environment to the other. The administrator should know how to restart a certain service in their environment.

Attachments

    Outcomes