000022875 - Upgrade from Keon Certificate Authority 6.5.1 to RSA Certificate Manager 6.6 fails

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017

Article Content

Article Number: 000022875
Applies To: Keon Certificate Authority 6.5.1
RSA Certificate Manager 6.6
Sun Solaris 2.9
Issue: Upgrade from Keon Certificate Authority 6.5.1 to RSA Certificate Manager 6.6 fails
When upgrading from Keon Certificate Authority to RSA Certificate Manager 6.6, the following error appears:

Configuring Secure Directory Server...
Indexing database...
This may take a while. Please be patient.
...................................................
confirmXudadStartup: Failed to confirm Xudad start up

*** Upgrade install failed.
The file WebServer/conf/httpd.conf has been modified to point to different certificate and key files:

# SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/private/enrollServer.key"
SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/key.pem"

# SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/certs/enrollServer.cert"
SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/cert.pem"

# SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/private/adminServer.key"
SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/key.pem"

# SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/certs/adminServer.cert"
SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/cert.pem"

When the upgrader asks for the ports to use, the following prompts are not displayed:

Type the old Admin Server Port
Choices are 443 [444] 448 446 447 80:

Type the old Enroll Server Port
Choices are [443] 444 448 446 447 80:
Cause: The file WebServer/conf/httpd.conf was modified so that SSLCertificateKeyFile and SSLCertificateFile of the Administration and Enrollment servers point to the same files instead of their default values. The Upgrader process copies only the files it already knows and needs. When the upgrade package is created, it does not look in custom folders, so certificates or keys in the WebServer/ssl/new folder are not included in the upgrade package.
Resolution: To validate that you are experiencing this issue, check whether the Admin Server Port and Enroll Server Port prompts (highlighted in red in the original article) appear in the output below when upgrading from Keon Certificate Authority 6.5.1 to RSA Certificate Manager 6.6:

----------------------------
...
The upgrade process needs to verify that we know
which port is associated with known virtual hosts.
You will be offered an opportunity to verify this.
As you are prompted for each of the hosts (admin,
enroll, renewal, scep, crl), please verify that the host selected
is the correct one.  If it is not, please select the
correct one by typing it the port value:

Type the old  Admin Server Port
Choices are 443 [444] 448 446 447 80:

Type the old Enroll Server Port
Choices are [443] 444 448 446 447 80:

Type the old Certificate Renewal Server Port
Choices are 443 444 [448] 446 447 80:

Type the old SCEP Server Port
Choices are 443 444 448 [446] 447 80:

Type the old CRL Server Port
Choices are 443 444 448 446 [447] 80:
...
----------------------------

If the Admin Server Port and Enroll Server Port prompts above do not appear, it is likely that you are experiencing this issue.

Before upgrading, correct the file WebServer/conf/httpd.conf so that the parameters are configured to point to the original location of the certificates and keys:

SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/private/enrollServer.key"
SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/certs/enrollServer.cert"
SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/private/adminServer.key"
SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/certs/adminServer.cert"

Copy your existing certificates and keys to the proper location and restart KCA to ensure the configuration is correct. Once the file is corrected, re-generate the upgrade package.
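
A pre-upgrade check for the condition described under Cause, as an added example that is not part of the original article or of RSA's tooling. The function names `check_ssl_paths` and `sample_conf` are hypothetical, and the rule that keys belong under WebServer/ssl/private/ and certificates under WebServer/ssl/certs/ is an assumption generalized from the four default paths listed above.

```shell
#!/bin/sh
# Added example, not RSA tooling: flag httpd.conf SSL paths the upgrader may miss.
# Assumption: default keys sit under WebServer/ssl/private/ and default
# certificates under WebServer/ssl/certs/, as in the four paths the article lists.
AWK=${AWK:-awk}   # on Solaris set AWK=nawk; the old /usr/bin/awk lacks gsub()

# Reads the named httpd.conf (or stdin); prints findings, returns 1 if any.
check_ssl_paths() {
    "$AWK" '
    /^[ \t]*#/ { next }                      # skip commented-out directives
    $1 == "SSLCertificateKeyFile" || $1 == "SSLCertificateFile" {
        path = $2
        gsub(/"/, "", path)                  # also copes with a missing closing quote
        want = ($1 == "SSLCertificateKeyFile") ? "/WebServer/ssl/private/" : "/WebServer/ssl/certs/"
        if (index(path, want) == 0) {
            printf "NONDEFAULT line %d: %s %s\n", NR, $1, path
            bad = 1
        }
        if (seen[path]++) {                  # same file used by more than one host
            printf "SHARED line %d: %s %s\n", NR, $1, path
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample reproducing the modified configuration from the article.
sample_conf() {
    cat <<'EOF'
# SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/private/enrollServer.key"
SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/key.pem"
SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/cert.pem"
SSLCertificateKeyFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/key.pem"
SSLCertificateFile "/opt/KeonCA_6.5.1/RSA_KeonCA/WebServer/ssl/new/cert.pem"
EOF
}

# Demo on the constructed sample; for real use: check_ssl_paths WebServer/conf/httpd.conf
sample_conf | check_ssl_paths || echo "Correct httpd.conf, then re-generate the upgrade package."
```

A clean result (no output, exit status 0) means every active directive points at the default directories and no file is shared between virtual hosts.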
Legacy Article ID: a31357