000033163 - How to replace the SSL certificate for communication between RSA Archer and Vulnerability Risk Management

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000033163
Applies To: RSA Product Set: Security Management
RSA Product/Service Type: Vulnerability Risk Manager
RSA Version/Condition: 1.1 SP1
 
Issue: An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Cause: On pages 46 and 47 of the Vulnerability Risk Management (VRM) 1.1 SP1 Installation and Configuration Guide there are steps outlined to create an SSL certificate to govern communication between RSA Archer and the Vulnerability Analytics Windows Host. You have two options:
1. Create a "self-signed" certificate in IIS, which results in a weak SHA-1 certificate
2. Provide your own certificate that has been issued by a Certificate Authority (CA)

Workaround: Install a Customer Certificate

RSA Vulnerability Analytics automatically comes with a self-signed SSL certificate. Users can opt to install their own Certificate Authority (CA) signed SSL certificate. To successfully install a customer certificate, you must complete the following:
1. Create a New SSL Certificate
2. Generate a Certificate Signing Request
3. Import the CA Signed Certificate and Supporting Certificates into the New Keystore
4. Edit the vrm-jetty-ssl.xml File
 
 
Enable "Keytool"

1. Log on to the Windows host server.
2. Ensure that the JRE1.8 (version may vary)\bin folder is in the system PATH environment variable:
            a. Go to Control Panel and search for "environment variable".
            b. Select the PATH variable and ensure that c:\Program Files\Java\JRE1.8<version_number_in_your_host>\bin\ is in the path.
            c. If not, add c:\Program Files\Java\JRE1.8<version_number_in_your_host>\bin\ at the end of the PATH variable.

Note: If the PATH variable already has a value, separate the new entry from the existing entries with a ";".

Example:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jre7\bin

            d. Open a Command Prompt.
 
 
Create a New SSL Certificate
Procedure

1. Log onto the Windows Host server and open a Command Prompt.
2. Navigate to the RSA Vulnerability Analytics web-ui\etc folder:
<Installation Directory>\RSA\VRM\web-ui\etc
Where <Installation Directory> is the name of your directory.
3. Enter the following command to create a new keystore:
keytool -genkeypair -alias vrm -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -keystore <keystore_name> -ext san=dns:<VA Server FQDN> -ext san=ip:<VA Server IP>
Where:
• <keystore_name> is what you want to name your new keystore.
• <VA Server FQDN> is the Fully Qualified Domain Name for your RSA Vulnerability Analytics server.
• <VA Server IP> is the IP address for your RSA Vulnerability Analytics server.
4. When prompted, complete the following:
• Enter a new password.
• Enter the FQDN of the RSA Vulnerability Analytics server.
• Select "Yes" to confirm the parameters.
• Press Enter for the key password for <vrm>.
Note: For all other parameters, consult with your Certificate Authority on how to fill these in.
 
Generate a Certificate Signing Request
Procedure

1. Navigate to the RSA Vulnerability Risk Management installation folder and identify the version of jetty-util present.
2. Open a Command Prompt.
3. Enter the following command using your new keystore name and keystore password created earlier.
keytool -certreq -alias vrm -keystore <keystore_name> -file vrm.csr
Where <keystore_name> is the name of your new keystore.
4. When prompted, enter the password for your new keystore.
 
Import the CA Signed Certificate and Supporting Certificates into the New Keystore
Procedure

1. Ensure that all of the certificates provided by the CA are in the <VRM Installation Directory>\web-ui\etc folder.
2. Navigate to the RSA Vulnerability Analytics etc folder:
<Installation Directory>\RSA\VRM\web-ui\etc
3. Complete the following to import the different types of certificates. For each imported certificate, enter your keystore password, and enter "yes" to trust the certificate.

Root Certificate:
keytool -import -trustcacerts -keystore mgmkeystore -alias root -file root.crt

Intermediate Certificates:
If you are importing more than one intermediate certificate, import them in order of proximity to the root certificate (highest to lowest place in the certificate chain).
keytool -import -trustcacerts -keystore mgmkeystore -alias int1 -file primaryint.crt
keytool -import -trustcacerts -keystore mgmkeystore -alias int2 -file secondaryint.crt

CA Signed Certificate:
keytool -import -trustcacerts -keystore mgmkeystore -alias vrm -file vrm.crt

Note: After entering your password, "Certificate reply was installed in keystore" appears. If you receive an error, it is likely that the certificates present in the CA signed certificate's chain are not in the keystore.
 
Edit the vrm-jetty-ssl.xml File
Procedure

1. Navigate to the RSA Vulnerability Analytics web-ui\lib folder:
<Installation Directory>\RSA\VRM\web-ui\lib
2. Generate an OBF of the keystore password. Enter the following command:
java -cp jetty-util-8.1.10.v20130312.jar org.eclipse.jetty.util.security.Password <keystore_password>
Where <keystore_password> is your new keystore password.
3. Copy the OBF string.
4. Navigate to the RSA Vulnerability Analytics web-ui\etc folder:
<Installation Directory>\RSA\VRM\web-ui\etc
5. Open vrm-jetty-ssl.xml for editing.
6. Enter the new keystore name and the new keystore password (the OBF string).
7. Save vrm-jetty-ssl.xml.
8. Restart the RSA Vulnerability Risk Management - User Interface service.
9. Confirm that the new certificate is working in the RSA
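The OBF: string produced in step 2 is Jetty's reversible password obfuscation, not encryption, so vrm-jetty-ssl.xml must be protected with file permissions as if it held the plain keystore password. The following Python re-implementation of the algorithm behind org.eclipse.jetty.util.security.Password is an added example, not code from the RSA article or from Jetty; it assumes an ASCII keystore password, which is all the Jetty 8 tool on this page handles.

```python
# Added example: Jetty "OBF:" password obfuscation and its inverse, re-implemented
# in Python to show that the value written into vrm-jetty-ssl.xml is reversible.
# Assumption: the password is ASCII (the Jetty 8 Password class used by VRM 1.1 SP1).

def _base36(n: int) -> str:
    """Lowercase base-36 encoding of a non-negative int (like Java's Integer.toString(n, 36))."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = digits[r] + out
        if n == 0:
            return out


def obfuscate(password: str) -> str:
    """Return the OBF: form of an ASCII password, one 4-character base-36 group per byte."""
    b = password.encode("ascii")
    groups = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]        # byte mirrored from the other end of the password
        i1 = 127 + b1 + b2              # sum term (carries the byte value)
        i2 = 127 + b1 - b2              # difference term (never negative for ASCII)
        groups.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "OBF:" + "".join(groups)


def deobfuscate(obf: str) -> str:
    """Recover the password from its OBF: form; raises ValueError on a malformed string."""
    if obf.startswith("OBF:"):
        obf = obf[4:]
    if len(obf) % 4:
        raise ValueError("OBF string length is not a multiple of 4")
    out = bytearray()
    for i in range(0, len(obf), 4):
        i0 = int(obf[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        out.append((i1 + i2 - 254) // 2)   # (i1 + i2) == 254 + 2*b1, so this is exact
    return out.decode("ascii")


if __name__ == "__main__":
    # "storepwd" is the sample password from Jetty's own documentation.
    print(obfuscate("storepwd"))       # OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
    print(deobfuscate("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"))
```

The same OBF: string can be generated with the java command in step 2 and compared against obfuscate() to confirm the reimplementation matches the tool on your host.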
