000030659 - RSA Authentication Manager 8.1 services do not start after activating a new console certificate

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 3.

Article Content

Article Number: 000030659
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue

  • After importing and activating a new console certificate, the AM services do not start and crash every time you try to start them.
  • Running the rsaserv script to start the services results in the output below:

rsaadmin@am81p:~> cd /opt/rsa/am/server/
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv status all
RSA Database Server                                        [RUNNING]
RSA Administration Server with Operations Console          [RUNNING]
RSA RADIUS Server Operations Console                       [SHUTDOWN]
RSA Runtime Server                                         [SHUTDOWN]
RSA RADIUS Server                                          [SHUTDOWN]
RSA Console Server                                         [SHUTDOWN]
RSA Replication (Primary)                                  [SHUTDOWN]

rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv start all
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server:
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: - RSA Database Server          [RUNNING]   *****
RSA RADIUS Server Operations Console                       [FAILED]
Starting RSA Runtime Server: -

  • The following errors are present inside the /opt/rsa/am/server/logs/biztier.log and the /opt/rsa/am/server/logs/radiusoc.log files:

####<Jun 25, 2015 10:09:33 PM EDT> <Error> <Security> <am81p> <biztier> <[ACTIVE] ExecuteThread:
'0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1435284573908> <BEA-090870>
<The realm "rsa" failed to be loaded: weblogic.security.service.SecurityServiceException:
com.bea.common.engine.ServiceInitializationException:weblogic.security.spi.ProviderInitializationException:
A failure occurred attempting to load LDIF for provider Authorizer from file
/opt/rsa/am/appserver/weblogic/server/lib/XACMLAuthorizerInit.ldift..

weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException:
weblogic.security.spi.ProviderInitializationException:
A failure occurred attempting to load LDIF for provider Authorizer from file
/opt/rsa/am/appserver/weblogic/server/lib/XACMLAuthorizerInit.ldift.

    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:879)
    at weblogic.security.SecurityService.start(SecurityService.java:148)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

####<Jun 25, 2015 10:09:33 PM EDT> <Critical> <WebLogicServer> <am81p> <biztier>
<WrapperSimpleAppMain><<WLS Kernel>> <> <> <1435284573924> <BEA-000362> <Server failed. Reason: 

There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl....
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl....
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:148)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

>

Cause
  • The Microsoft CA server used to sign the Authentication Manager certificate was set up using a CAPolicy.inf file containing the setting AlternateSignatureAlgorithm=1.
  • When AlternateSignatureAlgorithm is set to 1, the CA server signs the certificate using RSASSA-PSS as the signature algorithm instead of sha1RSA.
  • Currently Authentication Manager 8.0 and 8.1 fully support only certificates whose Signature algorithm is sha1RSA and whose Signature hash algorithm is sha1.
  • The screenshots below show an example of a certificate signed with RSASSA-PSS as the Signature algorithm (services fail after this certificate is activated) and of another certificate with sha1RSA as the Signature algorithm (which can be activated normally).
[Screenshot: certificate with Signature algorithm RSASSA-PSS]     [Screenshot: certificate with Signature algorithm sha1RSA]
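The signature algorithm described above can be checked before a certificate is activated. The following is an added example, not RSA's code: it walks the DER structure of an X.509 certificate far enough to read the outer signatureAlgorithm OID and accepts only sha1WithRSAEncryption (1.2.840.113549.1.1.5), the algorithm the article names; RSASSA-PSS is 1.2.840.113549.1.1.10. It assumes DER input (a PEM body must be base64-decoded first), and the sample certificates it builds are constructed placeholders that reproduce only the outer layout, not real signed certificates.

```python
# Added example (not RSA's code): minimal DER walk to read the outer signatureAlgorithm OID.
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption (sha1RSA)
RSASSA_PSS = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS (AlternateSignatureAlgorithm=1)
SUPPORTED = {SHA1_RSA}                # the only signature algorithm the article lists as supported

def _tlv(tag, body):                  # tag + DER length (short or 2-byte long form) + value
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def encode_oid(oid):                  # dotted OID -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                # base-128 groups, high bit set on all but the last
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):                 # DER OID value octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):              # -> (tag, value bytes, position after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm_oid(cert_der):
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)               # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)          # signatureAlgorithm AlgorithmIdentifier
    _, oid_body, _ = _read_tlv(alg_id, 0)        # algorithm OID (parameters are ignored)
    return decode_oid(oid_body)

def safe_to_activate(cert_der):       # True only for a signature algorithm AM accepts
    return signature_algorithm_oid(cert_der) in SUPPORTED

def make_sample_cert(sig_oid):        # constructed sample: real outer layout, placeholder fields
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))        # stand-in tbsCertificate
    alg = _tlv(0x30, encode_oid(sig_oid))        # AlgorithmIdentifier without parameters
    sig = _tlv(0x03, b"\x00" * 17)               # stand-in signatureValue BIT STRING
    return _tlv(0x30, tbs + alg + sig)
```

On a real certificate, `openssl x509 -in cert.pem -noout -text` shows the same field as "Signature Algorithm".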
Resolution

  1. To resolve this issue, log in to the Authentication Manager server via SSH or the vSphere console and run the commands below to revert to the default self-signed certificate:

    rsaadmin@am81p:~> /opt/rsa/am/utils/rsautil reset-server-cert
    Please enter OC Administrator username: ocadmin
    Please enter OC Administrator password: *********
    Are you sure that you want to reset the following server certificate as the default
    server certificate? Y/N
    CN=am81p.vcloud.local
    : y
    Server certificate successfully reset. Restart all AM services to complete the process.

    rsaadmin@am81p:~> /opt/rsa/am/utils/rsaserv restart all
    Stopping RSA RADIUS Server:
    RSA RADIUS Server                                          [SHUTDOWN]
    Stopping RSA Runtime Server:
    RSA Runtime Server                                         [SHUTDOWN]
    Stopping RSA Console Server:
    RSA Console Server                                         [SHUTDOWN]
    Stopping RSA Replication (Primary):
    RSA Replication (Primary)                                  [SHUTDOWN]
    Stopping RSA Database Server: *
    RSA Database Server                                        [SHUTDOWN]
    Stopping RSA RADIUS Server Operations Console:
    RSA RADIUS Server Operations Console                       [SHUTDOWN]
    Stopping RSA Administration Server with Operations Console: **
    RSA Administration Server with Operations Console          [SHUTDOWN]
    Starting RSA Administration Server with Operations Console:
    Starting RSA Database Server: *************
    RSA Administration Server with Operations Console          [RUNNING]
    Starting RSA RADIUS Server Operations Console: / RSA Database Server         [RUNNING]    *****
    RSA RADIUS Server Operations Console                       [RUNNING]
    Starting RSA Runtime Server: ***************************
    RSA Runtime Server                                         [RUNNING]
    Starting RSA RADIUS Server: **
    RSA RADIUS Server                                          [RUNNING]
    Starting RSA Console Server: *
    Starting RSA Replication (Primary): ***
    RSA Replication (Primary)                                  [RUNNING]*****************
    RSA Console Server                                         [RUNNING]
    rsaadmin@am81p:/opt/rsa/am/server>


  2. After reverting to the default self-signed certificate, correct the issue on the Certificate Authority with the following steps:
    1. On the Microsoft Certificate Authority server, open the registry editor (Start > Run > regedit > OK).
    2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\caname\CSP\.
    3. In the right panel, double-click the value named AlternateSignatureAlgorithm. It will be set to 1; change it to 0 and save the change.
    4. Restart the Active Directory Certificate Services service: click Start > Administrative Tools > Services, right-click Active Directory Certificate Services (CertSvc), then click Restart.
    5. Generate a new CSR and have it signed again by the CA. The certificate will now be signed with sha1RSA instead of RSASSA-PSS and can be activated without any issues.
Notes
  • Any certificates that were already issued have to be re-issued if you want them to have a sha1RSA Signature Algorithm.
  • Contact Microsoft support if further assistance with the CA server settings is required. There are several ways to set the above value to 0, including editing the CAPolicy.inf file or running a PowerShell command.
