000030130 - How to replace the server certificate used for the RSA Identity Governance and Lifecycle appliance web administration interface

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Oct 14, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000030130
Applies ToRSA Product Set: Identity Governance and Lifecycle
RSA Product/Service Type: Appliances and SoftAppliances
RSA Version/Condition: 6.8.x, 6.9.x, 7.0.x
IssueNewer browsers throwing error NET::ERR_CERT_COMMON_NAME_INVALID when SAN attribute is not present.
Resolution

For versions 6.8.x and 6.9.x


  • JBoss will load keystores and truststores based on the configuration found in /home/oracle/jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/server.xml.
  • By default the keystores and truststores are found in /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore.

For version 7.0.x


  • Wildfly will load keystores and truststores based on the configuration found in /home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml.
  • By default the keystores and truststores are found in /home/oracle/keystore

If your goal is to modify the web server certificate that a user sees when connecting to the IMG web console, you will need to edit the keystore called aveksa.keystore. After modification, this keystore should contain the web server's private key, its' associated signed certificate, and all CA certificates up to the root CA.
The following commands assume you will be creating a new keystore file called my.keystore which will later be used to replace the existing aveksa.keystore. The example below utilizes a server hostname of via-img.rsa.com

  1. Go to the default keystore and truststore location for your version:
  • For versions 6.8.x and 6.9.x


cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore


  • For version 7.0.x


cd /home/oracle/keystore


  1. Create a new keystore file and new RSA 2048 bit keypair, use the password when Av3k5a15num83r0n3 prompted.  This example creates a certificate valid for the URLs rsa-img.rsa.com and rsa-img


keytool -genkeypair -keysize 2048 -alias server -keyalg RSA -keystore my.keystore -dname "CN=rsa-img.rsa.com" -ext san=dns:rsa-img.rsa.com,dns:rsa-img


  1. Generate a certificate request (PKCS#10) from that keypair, use the password when Av3k5a15num83r0n3 prompted:


keytool -certreq -alias server -file rsa-img.rsa.com.csr -keystore my.keystore -ext san=dns:rsa-img.rsa.com,dns:rsa-img


  1. Submit the certificate request (rsa-img.rsa.com.csr) to your CA for signing.  The steps below assume the following:
  • cert.pem is the newly signed certificate generated from the certificate request
  • sub.pem is the issuing CA of the certificate.
  • root.pem is the root CA that signed the issuing CA sub.pem
  1. Import the root CA in the default truststore (cacerts) as a trusted CA component (The default password is changeit):


keytool -import -v -trustcacerts -alias root -file root.pem -keystore $JAVA_HOME/jre/lib/security/cacerts


  1. Import the issuing CA in the default truststore (cacerts) as a trusted CA component (The default password is changeit):


keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore $JAVA_HOME/jre/lib/security/cacerts


  1. Import the root CA in the keystore as a trusted CA component:


keytool -import -v -trustcacerts -alias root -file root.pem -keystore my.keystore


  1. Import the issuing CA in the keystore as a trusted CA component:


keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore my.keystore


  1. Import the certificate in the keystore:


keytool -importcert -v -alias server -file cert.pem -keystore my.keystore


  1. You can review the keystore entries with the following command:


keytool -list -v -keystore my.keystore


  1. Make a copy of your current keystore file should you need to revert the changes.


cp -fp aveksa.keystore aveksa.keystore.ori


  1. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:


ls -l *.keystore


  1. Replace aveksa.keystore with my.keystore and restart the services.:


cp my.keystore aveksa.keystore
chown oracle:oinstall aveksa.keystore
acm restart



  1. Hit the appliance login page using a browser and verify that the new certificate is being presented by the appliance.
To revert these changes, run the following commands:



mv aveksa.keystore my.keystore
cp aveksa.keystore.ori aveksa.keystore
chown oracle:oinstall aveksa.keystore
acm restart


Attachments

    Outcomes