000017084 - How to renew the self-signed SSL Certificate on Enterprise Manager

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017084
Applies ToRSA Data Loss Prevention Suite 7.x
For DLP 8.5 and greater, please see KB article a63414
IssueHow to renew the self-signed SSL Certificate on Enterprise Manager
Seeing certificate expired (September 20th, 2010) warning on the browser when attempting to login to Enterprise Manager
Not seeing Events or Incidents generated on the Enterprise Manager
Seeing "audit.zip" and "event.zip" files queued up on the Network Controller's /opt/rsa/controller/audit/smtp and /opt/rsa/controller/em/events directories respectively
Example of error seen in the /var/log/messages file:
Sep 22 07:39:49 sfldtablusct Monitor[4653]: 2010-09-22 06:39:49.350Z INFO TAB-0001 Controller Monitor ProcessMonitorThread-emconnector MONITOR ERROR - HttpChannel.sendViaClient(144) | javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Mon Sep 20 07:48:29 BST 2010
CauseThe pre-generated self-signed certificate shipped with DLP version 7.x or earlier expired on September20th, 2010
ResolutionUse the following steps to renew the self-signed certificate on the Enterprise Manager to enable flow of events back to the Enterprise Manager:

Setting or Updating the Distinguished Name of and Creating or Renewing the Self-signed SSL Certificate for Enterprise Manager

The following steps are required:

1.     Stop the EM Service

2.     Backup the existing keystore

3.     Determine the key-store and key passwords

4.     Create the new certificate

5.     Start the EM Service

6.     Check the new certificate

7.     Remove the backed up certificate store

For all these steps, the operator must be logged in to the EM host with appropriate rights.

Stop EM Service

Ensure that there are no active EM users.
Using the 'Services' MMC plugin, stop the RSA DLP Enterprise Manager.

Backup keystore

In the directory:

%PROGRAM_FILES%\RSA\Enterprise Manager\etc

the key-store file is called:


Make sure to preserve that file, e.g., using:

xcopy /b tem-keystore tem-keystore.old

This file can be used to undo the change in the credential.

Lookup Passwords

Examine the file:

%PROGRAM_FILES%\RSA\Enterprise Manager\etc\tem-jetty.xml

This file contains entries for that indicate the key-store and key passwords required when installing the certificate.

They can be found in sections that look like this:

<Call name="addConnector">


<New class="org.mortbay.jetty.security.SslSocketConnector">

  <Set name="Port">443</Set>

  <Set name="maxIdleTime">30000</Set>

  <Set name="handshakeTimeout">2000</Set>

<Set name="keystore">

  <SystemProperty name="jetty.home" default="." />



  <Set name="password">tablusem</Set>

  <Set name="keyPassword">tablusem</Set>

<Set name="truststore">

  <SystemProperty name="jetty.home" default="." />



  <Set name="trustPassword">tablusem</Set>

  <Set name="handshakeTimeout">2000</Set>




Note the "keyPassword" and "password" nodes.

These contain the values you will need in the next step for the -storepass and -keypass parameters respectively.

By default both passwords are set to "tablusem"

Create a New Certificate

Open a command prompt window and change to the following directory:

%PROGRAM_FILES%\RSA\Enterprise Manager\etc\

Remove the previous credential with the following command:

..\..\JRE\bin\keytool.exe -delete -alias jetty -keystore tem-keystore -storepass pw-in-xml


?        the -storepass parameter (place-holder pw-in-xml) match the passwords determined in the previous step.

Create the new certificate with the following command:

..\..\JRE\bin\keytool.exe -genkey -v -alias jetty -dname "CN=host-dns" -validity days -keypass pw-in-xml -keystore tem-keystore -storepass pw-in-xml


?        the place-holder host-dns is replaced with the name of the Enterprise Manager host (as used in the URL)

?        the -storepass and -keypass parameters (place-holder pw-in-xml) match the passwords determined in the previous step.

?        the placeholder days is the duration of validity for the certificate (the length of time before it needs to be updated): usually 1 year specified as 365

Start EM Service

Again using the "Services" MMC plug-in, start the EM service.

Check EM

Ensure that EM is running correctly, that HTTPS connections are accepted and that you can log in.

Because you have created a self-signed certificate, it will not be 'trusted' by browsers, this is the disadvantage of using a self-signed certificate rather than a certificate generated by a Certificate Authority. It is possible to follow the browser's instructions for 'installing' the certificate so that it is trusted in the future, but you must understand the overall security implications of installing (trusting) any certificates as they relate to your browser and operating system.

If there are issues, it is possible to restore the tem-keystore file with the backup copy created earlier.


Once EM is demonstrated to be correctly functioning, be sure and to remove the tem-certstore.bak file if created above because it is important that this file not be confused with the new file in the future.


For rebuilding the SSL certifcate on the DLP Network devices, please refer to solution a40781

Legacy Article IDa52392