|Applies To||Authentication Manager 7.1 SP2|
Customer Support Training module, CSTM videos on Cert replacement and other topics, copy and paste this link into your browser URL
|Issue||Security Console error: "Page cannot be displayed"|
RSA Authentication Manager Service and RSA Authentication Manager Proxy Server Service won't stay running
proxy_server.log shows error: "<Certificate chain received from (servername - ipaddress) was not trusted causing SSL handshake failure.>"
<BEA-090870> <The realm "rsa" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: <2|true|0.9.7> kodo.jdo.FatalDataStoreException: error result.
|Cause||The replacement certificate chain is incomplete or incorrect. Either the certificates themselves are wrong (for example, issued for the wrong host or with unsupported critical extensions), or not every certificate in the chain was imported into the proper keystore.|
First import all replacement certificates in the chain on a test Windows system (not the AM 7.1 server or any other critical system). Then open the server certificate and check the Certification Path tab: the server certificate, the root certificate and ALL intermediate certificates (if any are used) must appear in the chain, and none may show an error.
For each certificate in the chain, select the Details tab and choose Show "Critical Extensions Only". Generally none should have any critical extensions. If any do, see the limitations in the replacement procedure.
For each certificate in the chain, select the Details tab and choose Show "<All>". Scroll down to Thumbprint and record the SHA1 thumbprint; these values are compared against the keystore listings below.
On Windows, open a command prompt, change to the utils directory under the Authentication Manager installation, and list the three keystores:
rsautil manage-ssl-certificate --list --keystore ..\server\security\root.jks -m (MasterPW) --storepass (com.rsa.root.store password) > rootstoreinfo.txt
rsautil manage-ssl-certificate --list --keystore ..\server\security\(hostname).jks -m (MasterPW) --storepass (com.rsa.identity.store password) > serverstoreinfo.txt
rsautil manage-ssl-certificate --list --keystore ..\appserver\jdk\jre\lib\security\cacerts -m (MasterPW) --storepass changeit > jdkstore.txt
On UNIX or the appliance, log in as the file owner (such as rsaadmin), change to the utils directory, and set the environment variables first:
. ./rsaenv (note that this starts with dot-space-dot-slash)
./rsautil manage-ssl-certificate --list --keystore ../server/security/root.jks -m (MasterPW) --storepass (com.rsa.root.store password) > rootstoreinfo.txt
./rsautil manage-ssl-certificate --list --keystore ../server/security/(hostname).jks -m (MasterPW) --storepass (com.rsa.identity.store password) > serverstoreinfo.txt
./rsautil manage-ssl-certificate --list --keystore ../appserver/jdk/jre/lib/security/cacerts -m (MasterPW) --storepass changeit > jdkstore.txt
Replace (MasterPW) with the Master Password, (com.rsa.root.store password) with the root certificate keystore password, and (com.rsa.identity.store password) with the identity certificate keystore password. The server keystore ((hostname).jks) must contain ALL certificates in the chain; the root keystore (root.jks) must contain every certificate in the chain except the server certificate. Compare the SHA1 fingerprints listed for the new certificates with the thumbprints recorded on the test system; they must match exactly, otherwise a different or stale certificate was imported. The stores also contain other certificates; this is normal.
If any certificates are missing, they will need to be added.
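The thumbprint comparison above is easy to get wrong by eye across three stores and several certificates. The following script is an added example (not part of the original article or of RSA's tooling) that automates it: it computes the SHA1 thumbprint of each PEM certificate exactly as the Windows Details tab shows it (SHA1 over the DER encoding), pulls every SHA1 fingerprint out of the rootstoreinfo.txt and serverstoreinfo.txt listings, and applies the rule that the server store needs the whole chain while the root store needs everything except the server certificate. It assumes the chain is available as PEM files and that the keystore listing prints fingerprints as 20 colon-separated hex bytes; the listing layout, the placeholder certificate and all thumbprint values below are constructed, not taken from a real system.

```python
"""Check replacement-chain SHA1 thumbprints against AM keystore listings.

Added example, not RSA's code.  Assumptions: chain certificates are PEM
files; the rsautil --list output contains SHA1 fingerprints written as
20 colon-separated hex bytes (only those are read, so the rest of the
listing layout does not matter).  All sample data below is constructed.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# A SHA1 fingerprint as keystore tools print it: 20 bytes, colon separated.
SHA1_FP = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}\b")


def sha1_thumbprint(der: bytes) -> str:
    """SHA1 over the DER bytes, formatted AA:BB:... like the Windows thumbprint."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def pem_thumbprints(pem_text: str) -> list:
    """Thumbprint of every certificate in a PEM file or bundle, in file order."""
    thumbprints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        thumbprints.append(sha1_thumbprint(der))
    return thumbprints


def fingerprints_in_listing(listing: str) -> set:
    """Every SHA1 fingerprint that appears anywhere in a keystore listing."""
    return {fp.upper() for fp in SHA1_FP.findall(listing)}


def missing_from_store(chain: dict, listing: str, exclude=()) -> list:
    """Labels of chain certificates whose thumbprint is absent from the listing.

    chain maps a label (server, intermediate, root) to its thumbprint;
    exclude names labels that are not supposed to be in this store.
    """
    present = fingerprints_in_listing(listing)
    return [name for name, fp in chain.items()
            if name not in exclude and fp.upper() not in present]


def audit(chain: dict, server_listing: str, root_listing: str) -> dict:
    """Apply the article's rule to both stores and report what is missing."""
    return {
        "serverstoreinfo.txt": missing_from_store(chain, server_listing),
        "rootstoreinfo.txt": missing_from_store(chain, root_listing,
                                                exclude=("server",)),
    }


# Constructed placeholder "certificate": the body decodes to the bytes b"abc",
# so it is not a real certificate, but the thumbprint arithmetic is identical.
PLACEHOLDER_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed thumbprints for a three-certificate chain (arbitrary values).
CHAIN = {
    "server": "10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23",
    "intermediate": "A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:B0:B1:B2:B3:B4:B5:B6:B7:B8:B9",
    "root": "C0:C1:C2:C3:C4:C5:C6:C7:C8:C9:D0:D1:D2:D3:D4:D5:D6:D7:D8:D9",
}

# Constructed listings in a keytool-like layout (the real rsautil layout may
# differ).  The server store is complete; the root store has the root, an
# unrelated pre-existing certificate, and is missing the intermediate.
SERVER_STORE_LISTING = """Alias name: hostname
Entry type: PrivateKeyEntry
Certificate[1]:
Certificate fingerprint (SHA1): 10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23
Certificate[2]:
Certificate fingerprint (SHA1): A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:B0:B1:B2:B3:B4:B5:B6:B7:B8:B9
Certificate[3]:
Certificate fingerprint (SHA1): C0:C1:C2:C3:C4:C5:C6:C7:C8:C9:D0:D1:D2:D3:D4:D5:D6:D7:D8:D9
"""
ROOT_STORE_LISTING = """Alias name: newroot
Certificate fingerprint (SHA1): C0:C1:C2:C3:C4:C5:C6:C7:C8:C9:D0:D1:D2:D3:D4:D5:D6:D7:D8:D9
Alias name: oldca
Certificate fingerprint (SHA1): E0:E1:E2:E3:E4:E5:E6:E7:E8:E9:F0:F1:F2:F3:F4:F5:F6:F7:F8:F9
"""

if __name__ == "__main__":
    print("placeholder thumbprint:", pem_thumbprints(PLACEHOLDER_PEM)[0])
    for store, missing in audit(CHAIN, SERVER_STORE_LISTING,
                                ROOT_STORE_LISTING).items():
        print(store, "missing:", ", ".join(missing) or "none")
```

To use it against a real replacement, build CHAIN from `pem_thumbprints(open(path).read())` for each certificate file and read the two listing files produced by the rsautil commands above; any label reported as missing is a certificate that still has to be imported into that store, and a thumbprint that does not match the one recorded on the test system means the wrong certificate was imported.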
|Legacy Article ID||a50058|