Article Content
Article Number | 000030477 |
Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: Security Analytics UI, Security Analytics Server RSA Version/Condition: 10.4.0.2 through 10.6.6.1 Platform: CentOS O/S Version: EL6 |
Issue | This procedure may be used when the obfuscated password(s) used by the jetty-ssl.xml file when adding 3rd party certificates to the Jetty keystore has been lost. This procedure may also be used if a Jetty keystore becomes corrupted for any reason. |
Cause | There are 3 different credentials that a Java certificate keystore uses to unlock, establish and verify an SSL connection: trustStore, keyManager and keyStore credentials. In the SSL handshake, the trustStore credential is used by the "TrustManager". The "TrustManager" determines whether the remote connection should be trusted or not. The keyStore credential is used by the "KeyManager". The "KeyManager" decides exactly which credentials are to be sent for authentication during the SSL handshake. The keyStore password is the actual password that unlocks the keyStore itself. These 3 passwords are represented in the /opt/rsa/jetty9/etc/jetty-ssl.xml as follows (noting the actual password hash is represented by the series of "X"s in the sample below)
|
Resolution | Before beginning, if you do not have a backup copy of the default jetty-ssl.xml file from the Security Analytics server, download a default copy from the attachments section of this article. Then, sftp the default XML file to the /tmp directory of the Security Analytics server. Once you have a default copy of the XML file, ssh to the Security Analytics server as root and perform the following steps:
|
Notes | If you are on version 10.6.1 or later and another generated certificate has been applied then puppet will keep changing /opt/rsa/jetty9/etc/jetty-ssl.xml back to the previously generated certificate configuration. To prevent puppet from changing back to the previously configured certificate you need to modify the configuration in /etc/puppet/hieradata/common.yaml and set jetty_custom_certificate_enabled from true to false. In case the first method does not work, another way to perform this is by setting /opt/rsa/jetty9/etc/jetty-ssl.xml to immutable so that the puppet cannot revert the certificate in the file: chattr +i /opt/rsa/jetty9/etc/jetty-ssl.xml But, if this is performed and when or if you need to modify the certificate to a custom certificate you should revert the immutable settings with: chattr -i /opt/rsa/jetty9/etc/jetty-ssl.xml |