|Applies To||RSA Product Set: Identity Management and Governance|
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.9.1
Product Description: Access Certification Manager
|Issue||The WebLogic installation guide that is included with RSA Via Lifecycle and Governance mentions that SSL can be used for browser communication if desired, but no instruction is given on how to configure the server to use two different certificates: one for browser communication that is publicly signed, and another for the internal SSL communication for AFX and remote agents.|
|Cause||If you import our server.keystore into your WebLogic keystore, it is possible that there will be a conflict with the certificate alias "server" that is commonly used.|
|Workaround||If you have your own certificate that is currently in use in a WebLogic keystore and the server alias is "server", run this command to rename the alias prior to importing our server.keystore into your WebLogic keystore/JKS, as instructed in our RSA Via Lifecycle and Governance Installation Guide V7.0:|
keytool -changealias -keystore server.jks -alias server -destalias aveksa-server
What is important is that there are two different certificates in the JKS, each with a different alias that is known to you.
In the WebLogic Administration Console the server's certificate is specified under Environment > Servers > Instance Name > SSL tab > Private Key Alias field.
The certificate alias for AFX/Remote Agents is documented as being created with a channel named Aveksa8444 which can be edited under:
Environment > Servers > Instance Name > Protocols > Aveksa8444 > Security tab > Custom Channel Private Key Alias.
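A way to check for the alias collision before the import, and to confirm afterwards that both aliases entered in the console exist as private-key entries. This is an added example, not part of the RSA guide; the function names are hypothetical and the keystore listings are constructed samples of keytool -list output, including the assumption that the imported keystore's entry is named "server".

```shell
#!/bin/sh
# Added example: helpers that parse `keytool -list` text (hypothetical names).
# Real input would come from, e.g.:
#   keytool -list -keystore server.jks -storepass "$STOREPASS"

# Print the alias of every PrivateKeyEntry found on stdin, one per line.
# Entry lines look like: "server, Jan 5, 2016, PrivateKeyEntry,"
# (the date format is locale dependent).
private_key_aliases() {
    sed -n 's/^\([^,]*\), .*, PrivateKeyEntry,.*$/\1/p'
}

# Print the private-key aliases present in both listings ($1 and $2).
alias_conflicts() {
    existing=$(printf '%s\n' "$1" | private_key_aliases)
    printf '%s\n' "$2" | private_key_aliases | while IFS= read -r a; do
        if printf '%s\n' "$existing" | grep -Fxq -- "$a"; then
            printf '%s\n' "$a"
        fi
    done
}

# Succeed only if listing $1 holds a private key under alias $2.
has_private_key_alias() {
    printf '%s\n' "$1" | private_key_aliases | grep -Fxq -- "$2"
}

# Constructed sample listings (fingerprint lines are placeholders).
SAMPLE_WEBLOGIC='Keystore type: JKS
Your keystore contains 2 entries

server, Jan 5, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): PLACEHOLDER
rootca, Jan 5, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): PLACEHOLDER'

SAMPLE_RSA='server, Feb 9, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): PLACEHOLDER'

SAMPLE_MERGED='weblogic-server, Jan 5, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): PLACEHOLDER
aveksa-server, Feb 9, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): PLACEHOLDER'

echo "Colliding aliases before import: $(alias_conflicts "$SAMPLE_WEBLOGIC" "$SAMPLE_RSA")"
for name in weblogic-server aveksa-server; do
    has_private_key_alias "$SAMPLE_MERGED" "$name" && echo "found $name"
done
```

An empty result from alias_conflicts means the import will not overwrite or clash with an existing private-key entry.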
Here are screenshots of a configuration where the WebLogic JKS has two certificates, one named weblogic-server and the other aveksa-server: