Resolution | Perform the tasks at the command line where SSH has been enabled via the Operations Console:
- Login to the Operations Console and navigate to Administration > Operating System Access.
- Check the option to Enable SSH.
- Click Save.
NOTE: The password for the rsaadmin account is created during the deployment of the Authentication Manager instance and is unknown to RSA Customer Support.
- keytool is used for the tasks on the JKS keystores and is located in /opt/rsa/am/appserver/jdk/bin.
- The JKS keystores are located in /opt/rsa/am/server/security.
- rsautil is located in /opt/rsa/am/utils.
Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password
- Navigate to the utils folder
cd /opt/rsa/am/utils
- Obtain the required passwords (signing keys) for unlocking the JKS keystores
rsaadmin@app81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter the name of the Operations Console administrator>
Please enter OC Administrator password: <enter the password of the Operations Console administrator>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_9uwbaoze
Command API Client User Password ......................: N04vujpJYzkePDn0vf0zjnu2NmEJ1f
SSL Server Identity Certificate Private Key Password ..: jkN1075giQ9IIFD8Pg6uVq4BGFB9yU
SSL Server Identity Certificate Keystore File Password : g972SpITERSGMtYCZWevKd4UTVuZUw
Root Certificate Private Key Password .................: rSl0jKaSPUFww2fb0KVfJdbUIFwQK3
Root Certificate Keystore File Password ...............: Rg10rVYLQW8fNHEdMxbgucWlMQ1mAX

The "listkeys" action displays the key names to use when setting the values.
rsaadmin@app81p:/opt/rsa/am/utils>
Check the Alias for the key pair
- An administrator can use the Operations Console to access Deployment Configuration > Certificates > Virtual Host Certificate Management and read the Alias of the key pair entry from the certificate list.
- An administrator can check the contents of the required JKS keystore at the command line.
- Navigate to /opt/rsa/am/server/security:
cd /opt/rsa/am/server/security
- Display the contents of the JKS keystore (vh-inactive.jks) with the command ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks. Note that the SSL Server Identity Certificate Keystore File Password is required to unlock the JKS keystore. For example:
rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured above under "Obtain the SSL Server Identity Cert Keystore File Password and the SSL Server Identity Certificate Private Key Password">

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: selfservice
Creation date: Jun 20, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=mark.bell@rsa.com, CN=selfservice.csau.ap.rsa.net, OU=CS, O=RSA, L=Sydney, ST=NSW, C=AU
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 2d00000004979cbf90acd43dd4000000000004
Valid from: Tue Jun 20 09:36:19 EST 2017 until: Thu Jun 20 09:36:19 EST 2019
Certificate fingerprints:
         MD5:  E3:F9:C2:7B:BD:A6:A5:07:CF:CE:DA:50:8F:93:1E:46
         SHA1: 42:ED:F2:41:76:ED:14:FC:1E:D5:E6:00:B9:F9:E0:75:0E:6E:5B:59
         Signature algorithm name: SHA256withRSA
         Version: 3
Certificate[2]:
Owner: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 1b0fa756985bbfb6473f9d1e67ea33c9
Valid from: Tue Apr 18 15:12:19 EST 2017 until: Mon Apr 18 15:22:18 EST 2022
Certificate fingerprints:
         MD5:  2D:63:60:60:4E:F8:52:8D:8D:B6:E1:33:99:E8:FB:E3
         SHA1: 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
         Signature algorithm name: SHA256withRSA
         Version: 3


*******************************************
*******************************************


Alias name: selfservice-signing-ca
Creation date: Jun 20, 2017
Entry type: trustedCertEntry

Owner: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Issuer: CN=csau-HARLEY-CA, DC=csau, DC=ap, DC=rsa, DC=net
Serial number: 1b0fa756985bbfb6473f9d1e67ea33c9
Valid from: Tue Apr 18 15:12:19 EST 2017 until: Mon Apr 18 15:22:18 EST 2022
Certificate fingerprints:
         MD5:  2D:63:60:60:4E:F8:52:8D:8D:B6:E1:33:99:E8:FB:E3
         SHA1: 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
         Signature algorithm name: SHA256withRSA
         Version: 3


*******************************************
*******************************************


Alias name: rsa-am-ca
Creation date: Jun 20, 2017
Entry type: trustedCertEntry

Owner: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: -79217c0c7b67e63bef60e85a0263e555
Valid from: Thu Oct 13 13:12:13 EST 2016 until: Thu Jan 01 00:00:00 EST 2037
Certificate fingerprints:
         MD5:  62:EE:78:BA:04:08:6F:2C:39:03:94:77:FC:BD:66:30
         SHA1: BE:68:44:F5:B8:89:10:17:A8:D1:1E:04:16:5F:36:C5:D0:BD:0F:7C
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


Alias name: virtualhost-id-key
Creation date: Jun 20, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: SERIALNUMBER=372302feed2e7006d6e382ea9f1621f26fac9ec7c58d46b17085801ff7d1f228, CN=selfservice.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: 3e26c3d9a3556994a90be1cd6f334b09
Valid from: Mon Jun 19 09:40:19 EST 2017 until: Sun Jun 20 09:40:19 EST 2027
Certificate fingerprints:
         MD5:  97:83:19:8C:AD:09:4F:76:5E:F4:B1:DD:16:5E:6A:AF
         SHA1: 43:49:AE:E1:6D:28:49:17:FD:1E:CF:C1:05:58:7E:9B:95:B6:5B:A4
         Signature algorithm name: SHA1withRSA
         Version: 3
Certificate[2]:
Owner: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Issuer: SERIALNUMBER=17e259f1c1d1b00e9f399cd0a36704a1c317ea8f27360f2e6e7786e4ddd1df9d, CN=RSA root CA for app81p.csau.ap.rsa.net
Serial number: -79217c0c7b67e63bef60e85a0263e555
Valid from: Thu Oct 13 13:12:13 EST 2016 until: Thu Jan 01 00:00:00 EST 2037
Certificate fingerprints:
         MD5:  62:EE:78:BA:04:08:6F:2C:39:03:94:77:FC:BD:66:30
         SHA1: BE:68:44:F5:B8:89:10:17:A8:D1:1E:04:16:5F:36:C5:D0:BD:0F:7C
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


rsaadmin@app81p:/opt/rsa/am/server/security>
Export only the key pair to a new JKS container using the Alias
- To export only the key pair (in this example the entry with alias selfservice) into a new JKS keystore created in /tmp, use the command ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice -destkeystore /tmp/export.jks. The same destination file name (/tmp/export.jks) is used as the source in the conversion step that follows. For example:
rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -srcalias selfservice -destkeystore /tmp/export.jks
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
[Storing /tmp/export.jks]
rsaadmin@app81p:/opt/rsa/am/server/security>
- The destination keystore password is chosen by the administrator (e.g., password01) for the new JKS keystore.
- The source keystore password is the SSL Server Identity Certificate Keystore File Password.
- The key password for <Alias> (e.g., <selfservice>) is the SSL Server Identity Certificate Private Key Password. keytool carries this key password over to the exported entry unchanged, which is why it is needed again in the next step.
Convert the JKS keystore to PKCS#12 format generating a PFX file
- To convert the new JKS keystore into a PFX file, use the command ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx. For example:
rsaadmin@app81p:/opt/rsa/am/server/security> ../../appserver/jdk/bin/keytool -v -importkeystore -srckeystore /tmp/export.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/keypair.pfx
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <selfservice>
Entry for alias selfservice successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing /tmp/keypair.pfx]
rsaadmin@app81p:/opt/rsa/am/server/security>
- IMPORTANT: The destination keystore password must be the SSL Server Identity Certificate Private Key Password. keytool's PKCS#12 keystore uses one password for the container and for the key entries in it, and -importkeystore keeps the source key password for the exported entry unless -destkeypass is given, so the only way to end up with a consistent PFX is to give the container that same password (or to pass -deststorepass and -destkeypass explicitly with one identical value).
- The source keystore password is the one set by the administrator when creating the new JKS keystore in /tmp.
- The key password for <Alias> (e.g., <selfservice>) is the SSL Server Identity Certificate Private Key Password.
The PFX file has two passwords: one protects the container (and its integrity MAC) and one encrypts the private key entry inside it. Most consumers of a PFX file expect these to be the same value and prompt for a single password, so if they differ, other utilities (e.g., OpenSSL) and browser certificate imports fail even though the container password was accepted. For example, the following is a Certificate Import Wizard error for Microsoft Internet Explorer:
Older Windows platforms may report the following:
Notes | This solution does not work in Authentication Manager 8.2. This article will be updated at a later date. The exported files contain the virtual host's private key and must be handled securely.
- Do not leave files containing key pairs exposed on a file server or remote share.
- Delete the intermediate files in /tmp (/tmp/export.jks, /tmp/keypair.pfx and any PEM file written by OpenSSL) as soon as the key pair has been moved to its destination; a PEM produced with -nodes holds the private key unencrypted.
- Ensure the appropriate protection is given that meets your company, organization or facility's security requirements and/or policies.
IMPORTANT: Should an administrator use OpenSSL to convert the PFX file to a PEM formatted file, the password used to protect the PFX file must match the SSL Server Identity Certificate Private Key Password. Where the PFX password does not match that password, OpenSSL accepts the container ("MAC verified OK") but cannot decrypt the key entry and fails with "bad decrypt". For example:
rsaadmin@app81p:/opt/rsa/am/server/security> openssl pkcs12 -in /tmp/keypair.pfx -out /tmp/keypair.pem -nodes
Enter Import Password: <enter the PFX password, which in this case was not set to the SSL Server Identity Certificate Private Key Password>
MAC verified OK
Error outputting keys and certificates
140190678206120:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140190678206120:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140190678206120:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
rsaadmin@app81p:/opt/rsa/am/server/security>
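The following script is an added example and is not part of the RSA article or of the product. It reads the two passwords out of a `rsautil manage-secrets -a list` listing, then composes and runs the keytool export non-interactively with the PKCS#12 container password and key password both set to the Private Key Password, so the mismatch that produces the OpenSSL "bad decrypt" above cannot occur. It generalises the article's two steps into a single -importkeystore call from vh-inactive.jks straight to a .pfx; the listing embedded in the script is constructed with placeholder values, the paths are the article's, and the keytool `:env` password form is used so the secrets do not appear in `ps` or shell history.

```shell
#!/bin/sh
# Added example (not from the RSA article): parse the manage-secrets listing and
# export a key pair from vh-inactive.jks to PKCS#12 with consistent passwords.

KEYTOOL=/opt/rsa/am/appserver/jdk/bin/keytool
SRC_KS=/opt/rsa/am/server/security/vh-inactive.jks

# Constructed sample of the `rsautil manage-secrets -a list` output; the values
# are placeholders, not real secrets. On the appliance capture the real listing
# with: cd /opt/rsa/am/utils && ./rsautil manage-secrets -a list
SAMPLE_SECRETS='Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_example
Command API Client User Password ......................: NotARealPassword01
SSL Server Identity Certificate Private Key Password ..: KeyPassExample1234
SSL Server Identity Certificate Keystore File Password : StorePassExample56
Root Certificate Private Key Password .................: RootKeyPassExample
Root Certificate Keystore File Password ...............: RootStorePassExample'

# secret_value LISTING LABEL: print the value that follows LABEL, its dotted
# leader and the colon; prints nothing when the label is absent.
secret_value() {
    printf '%s\n' "$1" | sed -n "s/^$2[ .]*: *//p" | head -n 1
}

# keytool_export_cmd ALIAS DEST_PFX: the one-shot export command. Passwords are
# read from environment variables via keytool's :env form, and both PKCS#12
# passwords point at KEYPASS so the container password equals the key-entry
# password, which is what OpenSSL and browser imports expect.
keytool_export_cmd() {
    printf '%s -importkeystore -srckeystore %s -srcstoretype JKS -srcalias %s' \
        "$KEYTOOL" "$SRC_KS" "$1"
    printf ' -srcstorepass:env STOREPASS -srckeypass:env KEYPASS'
    printf ' -deststoretype PKCS12 -destkeystore %s' "$2"
    printf ' -deststorepass:env KEYPASS -destkeypass:env KEYPASS'
}

# export_keypair LISTING ALIAS DEST_PFX: resolve the passwords, then run the
# export with owner-only permissions on the new file. If keytool is not present
# on this host (e.g. when run off the appliance) the command is only displayed.
export_keypair() {
    STOREPASS=$(secret_value "$1" "SSL Server Identity Certificate Keystore File Password")
    KEYPASS=$(secret_value "$1" "SSL Server Identity Certificate Private Key Password")
    if [ -z "$STOREPASS" ] || [ -z "$KEYPASS" ]; then
        echo "export_keypair: passwords not found in the manage-secrets listing" >&2
        return 1
    fi
    export STOREPASS KEYPASS
    umask 077                       # the PFX holds a private key
    cmd=$(keytool_export_cmd "$2" "$3")
    if [ -x "$KEYTOOL" ]; then
        $cmd
        rc=$?
    else
        echo "keytool not found at $KEYTOOL; would run: $cmd" >&2
        rc=0
    fi
    unset STOREPASS KEYPASS         # do not leave the secrets in the environment
    return $rc
}

# verify_pfx LISTING DEST_PFX: confirm OpenSSL can open both the container and
# the key entry with the single password (-noout writes nothing to disk).
verify_pfx() {
    KEYPASS=$(secret_value "$1" "SSL Server Identity Certificate Private Key Password")
    export KEYPASS
    openssl pkcs12 -in "$2" -noout -passin env:KEYPASS
    rc=$?
    unset KEYPASS
    return $rc
}

# Usage on the appliance (as rsaadmin), with the real listing in $LISTING:
#   export_keypair "$LISTING" selfservice /tmp/keypair.pfx && verify_pfx "$LISTING" /tmp/keypair.pfx
```

Because the container password is the Private Key Password, `openssl pkcs12 -in /tmp/keypair.pfx -out /tmp/keypair.pem -nodes` then succeeds with that single password; remove /tmp/keypair.pfx and the PEM as soon as the key pair has been installed where it is needed.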