|Applies To||RSA Product Set: Security Management|
||RSA Product/Service Type: Vulnerability Risk Manager|
||RSA Version/Condition: 1.1 SP1|
|Issue||An SSL certificate in the certificate chain has been signed using a weak hash algorithm.|
|Cause||Pages 46 and 47 of the Vulnerability Risk Management (VRM) 1.1 SP1 Installation and Configuration Guide outline the steps to create an SSL certificate that secures communication between RSA Archer and the Vulnerability Analytics Windows Host. You have two options:|
1. Create a "self-signed" certificate in IIS, which results in a weak SHA1-signed certificate
2. Provide your own certificate issued by a Certificate Authority (CA)
|Workaround||Install a Customer Certificate|
RSA Vulnerability Analytics ships with a self-signed SSL certificate. Users can instead install their own Certificate Authority (CA) signed SSL certificate. To install a customer certificate successfully, you must complete the following:
1. Create a New SSL Certificate
2. Generate a Certificate Signing Request
3. Import the CA Signed Certificate and Supporting Certificates into the New Keystore
4. Edit the vrm-jetty-ssl.xml File
Before you begin, make sure keytool (shipped in the JRE bin folder) is on the system PATH:
1. Log on to the Windows Host server.
2. Ensure that the JRE1.8 bin folder (the version number may vary) is in the system PATH environment variable:
a. Go to Control Panel and search for "environment variable".
b. Select the PATH variable and ensure that c:\Program Files\Java\JRE1.8<version_number_in_your_host>\bin\ is in the path.
c. If it is not, add c:\Program Files\Java\JRE1.8<version_number_in_your_host>\bin\ at the end of the PATH variable. If the variable already has a value, separate the new entry from it with a ";".
d. Open a Command Prompt.
Create a New SSL Certificate
1. Log onto the Windows Host server and open a Command Prompt.
2. Navigate to the RSA Vulnerability Analytics web-ui\etc folder:
Where <Installation Directory> is the name of your directory.
3. Enter the following command to create a new keystore. Both names go in a single san= value: keytool keeps only the last -ext given for an extension, so two separate -ext san options would leave only the IP address in the certificate.
keytool -genkeypair -alias vrm -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -keystore <keystore_name> -ext san=dns:<VA Server FQDN>,ip:<VA Server IP>
- <keystore_name> is what you want to name your new keystore.
- <VA Server FQDN> is the Fully Qualified Domain Name of your RSA Vulnerability Analytics server.
- <VA Server IP> is the IP address of your RSA Vulnerability Analytics server.
4. When prompted, complete the following:
- Enter a new password.
- Enter the FQDN of the RSA Vulnerability Analytics server.
- Select "Yes" to confirm the parameters.
- Press Enter for the key password for <vrm>.
Note: For all other parameters, consult with your Certificate Authority on how to fill these in.
Generate a Certificate Signing Request
1. Navigate to the RSA Vulnerability Risk Management installation folder and identify the version of jetty-util present.
2. Open a Command Prompt.
3. Enter the following command, using the keystore name and keystore password you created:
keytool -certreq -alias vrm -keystore <keystore_name> -file
Where <keystore_name> is the name of your new keystore.
4. When prompted, enter a password for your new keystore.
Import the CA Signed Certificate and Supporting Certificates into the New Keystore
1. Ensure that all of the certificates provided by the CA are in the <VRM Installation Directory>\
2. Navigate to the RSA Vulnerability Analytics etc folder:
3. Complete the following to import the different types of certificates. For each imported certificate, enter your keystore password, and enter "yes" to trust the certificate. In these commands, mgmkeystore stands for the keystore name you chose when creating the keystore.
Root Certificate:
keytool -import -trustcacerts -keystore mgmkeystore -alias root -file root.crt
Intermediate Certificates (if you are importing more than one, import them in order of proximity to the root certificate, from the highest to the lowest place in the certificate chain):
keytool -import -trustcacerts -keystore mgmkeystore -alias int1 -file primaryint.crt
keytool -import -trustcacerts -keystore mgmkeystore -alias int2 -file secondaryint.crt
CA Signed Certificate:
keytool -import -trustcacerts -keystore mgmkeystore -alias vrm -file vrm.crt
Note: After entering your password, "Certificate reply was installed in keystore" appears. If you receive an error, it is likely that the certificates present in the CA signed certificate's chain are not in the
Edit the vrm-jetty-ssl.xml File
1. Navigate to the RSA Vulnerability Analytics web-ui\lib folder:
2. Generate an OBF (obfuscated) form of the keystore password. Enter the following command:
java -cp jetty-util-8.1.10.v20130312.jar
Where <keystore_password> is your new keystore password.
3. Copy the OBF string.
4. Navigate to the RSA Vulnerability Analytics web-ui\etc folder.
5. Open vrm-jetty-ssl.xml for editing.
6. Enter the new keystore name and, as the new keystore password, the OBF string you copied.
7. Save the vrm-jetty-ssl.xml.
8. Restart the RSA Vulnerability Risk Management - User Interface service.
9. Confirm that the new certificate is working in the RSA