000026879 - Encrypting the Seed and CQ during Upgrade to 7.1 - RSA Adaptive Authentication (On Premise)

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000026879
Applies ToRSA Product Set: Adaptive Authentication (OnPrem)

RSA Product/Service Type: Adaptive Authentication (OnPrem)

RSA Version/Condition: 7.1 
IssueThe format for the encryption key seeds changed from RSA Adaptive Authentication (On Premise)  6.x SP2/SP3 in comparison with the format in 7.1. This article details the steps to be followed during the upgrade. You will learn how to encrypt the seed and challenge questions during upgrade to AAOP v7.1.

Here are the steps to follow.  Please ensure the below pre-requisites are in place.  If all works properly, you should only need to proceed through Step 12.a. Steps 13-18 have been added for a scenario where AAOP load fails. 
  - Make sure using JDK1.6.0_45
  - Make sure the two JCE6 jar files are there (Unlimited Strength Java Cryptography Extension)
  - Make sure the java.security file has the providers in the proper order and is set to "random" (securerandom.source=file:/dev/random)
1. Verify the existing MSG_CODE_KEYS table in SP2 P1. You may have plain seeds, human readable, from before the encryption
    is enabled or seeds of the format && after encryption is enabled. 
2. Take a dump of existing seeds in the MSG_CODE_KEYS table via the /rsa/utils/encryption/keyManagerUtil.bat –dump command.
3. Make a backup of the existing c-config-security.xml file.
4. Perform upgrade of the database to V7.1.
5. Deploy backoffice.war file. 
6. Login to the BackOffice application and in the Security section enable Security on Seed, Question and Answers. 
7. Add the location for GeoIP and Channel Determination data files.
8. Stop the application server. 
9. Copy the value of the masterSeed in c-config-security.xml from Step 2 to the c-config-security.xml file under 
10. Start application server and ensure the encryption is still enabled in the Security > Seed, Question and Answers parameters.
11. Deploy Adaptive Authentication and verify it can come up without error.  (Make sure the pre-requisites above are all met before AA is deployed.)
12. If AA is loaded successfully then send analyze call and ensure there are no decryption errors and token is sent back in response 
12.a. Once this is successful perform utils_7.1/encryption/keyManagerUtil.bat –rotate to obtain a new FIXED key 
    and copy the modified c-config-security.xml to all the AA apps that are deployed (AA, BackOffice) 
13. IF AA load fails then  - Make sure that encryption is turned on in BackOffice Security section 
14. Copy the msgkeydump generated in Step 2 to new installation directory /rsa/utils_7.1/encryption 7.1 utility
    copy the c-config-security.xml file from Step 3
    call > keyUtil load
    call > keyUtil rotate
15. Stop the application server. 
16. Copy new c-config-security.xml to AA, BackOffice and all other applications. 
17. Start the application server.
18. Send a few analyze request to verify that there are no cookie decryption errors and token is sent back response. 

NotesPlease reference https://rsa-jira.corp.emc.com/browse/AA-15906 for additional details
Legacy Article IDa65592