000030130 - How to replace the server certificate used for the RSA Identity Governance & Lifecycle appliance web administration interface

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000030130
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 6.8.x, 6.9.x, 7.0.0
Resolution

For versions 6.8.x and 6.9.x


  • JBoss will load keystores and truststores based on the configuration found in /home/oracle/jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/server.xml.
  • By default the keystores and truststores are found in /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore.

For version 7.0.0


  • Wildfly will load keystores and truststores based on the configuration found in /home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml.
  • By default the keystores and truststores are found in /home/oracle/keystore

If your goal is to modify the web server certificate that a user sees when connecting to the IMG web console, you will need to edit the keystore called aveksa.keystore. After modification, this keystore should contain the web server's private key, its' associated signed certificate, and all CA certificates up to the root CA.
The following commands assume you will be creating a new keystore file called my.keystore which will later be used to replace the existing aveksa.keystore. The example below utilizes a server hostname of via-img.rsa.com

  1. Go to the default keystore and truststore location for your version:
  • For versions 6.8.x and 6.9.x

cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore


  • For version 7.0.0

cd /home/oracle/keystore


  1. Create a new keystore file and new RSA 2048 bit keypair, use the password when Av3k5a15num83r0n3 prompted:

keytool -genkeypair -keysize 2048 -alias server -dname "CN=via-img.rsa.com" -keyalg RSA -keystore my.keystore


  1. Generate a certificate request (PKCS#10) from that keypair, use the password when Av3k5a15num83r0n3 prompted:

keytool -certreq -alias server -file via-img.rsa.com.csr -keystore my.keystore


  1. Submit the certificate request (via-img.rsa.com.csr) to your CA for signing.  The steps below assume the following:
  • cert.pem is the newly signed certificate generated from the certificate request
  • sub.pem is the issuing CA of the certificate.
  • root.pem is the root CA that signed the issuing CA sub.pem
  1. Import the root CA in the keystore as a trusted CA component:

keytool -import -v -trustcacerts -alias root -file root.pem -keystore my.keystore


  1. Import the issuing CA in the keystore as a trusted CA component:

keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore my.keystore


  1. Import the certificate in the keystore:

keytool -importcert -v -alias server -file cert.pem -keystore my.keystore


  1. You can review the keystore entries with the following command:

keytool -list -v -keystore my.keystore


  1. Make a copy of your current keystore file should you need to revert the changes.

cp -fp aveksa.keystore aveksa.keystore.ori


  1. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:

ls -l *.keystore


  1. Replace aveksa.keystore with my.keystore and restart the services.:

cp -pr my.keystore aveksa.keystoe
acm restart



  1. Hit the appliance login page using a browser and verify that the new certificate is being presented by the appliance.
To revert these changes, run the following commands:


mv aveksa.keystore my.keystore
cp -pr aveksa.keystore.ori aveksa.keystore
acm restart


Attachments

    Outcomes