000015329 - AM7.1 SP2 certificate replacement - service restart fails

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015329
Applies To: Authentication Manager 7.1 SP2
Customer Support Training module (CSTM videos on certificate replacement and other topics): copy and paste this link into your browser URL bar.
Issue: Security Console error: "Page cannot be displayed"
RSA Authentication Manager Service and RSA Authentication Manager Proxy Server Service won't stay running.

proxy_server.log shows the error: "<Certificate chain received from (servername - ipaddress) was not trusted causing SSL handshake failure.>"

<BEA-090870> <The realm "rsa" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: <2|true|0.9.7> kodo.jdo.FatalDataStoreException: error result.
Cause: There is a problem with the replacement certificate chain. It can be caused by incorrect certificates, or by not importing all certificates in the chain into the proper locations.

First, import all replacement certificates in the chain on a test Windows system (not the AM7.1 server or any other critical system). Then open the server certificate and check the Certification Path tab: the server certificate, the root certificate and ALL intermediate certificates (if any are used) must appear in the chain, and none may show an error.

For each certificate in the chain, select the Details tab and show "Critical extensions only". Generally none should have any critical extensions. If any do, see the limitations in the replacement procedure.

For each certificate in the chain, select the Details tab and show "<All>". Scroll down to Thumbprint and record the SHA1 thumbprint.


On UNIX/Appliance you need to be the file owner (such as rsaadmin), go to the /utils directory, set the environment variables with
. ./rsaenv     (starts with dot-space-dot-slash)
and use ./ (dot-slash) in front of the commands.
On Windows, you need to be logged in as the administrator who installed the software and go to the \utils directory. On the RSA server, if you have not already retrieved the Identity Certificate Keystore password (com.rsa.identity.store) and the Root Certificate Keystore password (com.rsa.root.store) as described in the certificate replacement procedure, you will need to do so before running the following commands from the \utils directory:

On Windows:

rsautil manage-ssl-certificate --list --keystore ..\server\security\root.jks -m (MasterPW) --storepass (com.rsa.root.store password) > rootstoreinfo.txt

rsautil manage-ssl-certificate --list --keystore ..\server\security\(hostname).jks -m (MasterPW) --storepass (com.rsa.identity.store password) > serverstoreinfo.txt

rsautil manage-ssl-certificate --list --keystore ..\appserver\jdk\jre\lib\security\cacerts -m (MasterPW) --storepass changeit > jdkstore.txt



On UNIX/Appliance:

. ./rsaenv    (notice this starts with dot-space-dot-slash)

./rsautil manage-ssl-certificate --list --keystore ../server/security/root.jks -m (MasterPW) --storepass (com.rsa.root.store password) > rootstoreinfo.txt

./rsautil manage-ssl-certificate --list --keystore ../server/security/(hostname).jks -m (MasterPW) --storepass (com.rsa.identity.store password) > serverstoreinfo.txt

./rsautil manage-ssl-certificate --list --keystore ../appserver/jdk/jre/lib/security/cacerts -m (MasterPW) --storepass changeit > jdkstore.txt


Replace (MasterPW) with the Master Password, (com.rsa.root.store password) with the root certificate keystore password, and (com.rsa.identity.store password) with the Identity Certificate Keystore password. The server keystore needs to contain ALL of the certificates in the chain; the root keystore needs all certificates in the chain except the server certificate. Verify that the SHA1 thumbprints of the new certificates are the same as those recorded on the test system. There will also be other certificates in the stores; this is normal.
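The following Python script is an added example, not part of this article or of RSA's tools, that mechanizes the two checks described above: recording SHA1 thumbprints (the thumbprint the Windows Details tab shows is SHA1 over the certificate's DER bytes) and confirming that the server keystore holds every certificate in the chain while the root keystore holds every certificate except the server certificate. It normalizes thumbprints so that the space-separated form copied from the Windows viewer and the colon-separated form used by keystore tools compare equal. The format of rsautil's --list output is not assumed; the thumbprints read from rootstoreinfo.txt and serverstoreinfo.txt are passed in as plain strings. The certificate bytes and thumbprints embedded in it are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# PEM envelope of an exported certificate; re.S lets the body span lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def normalize_thumbprint(text):
    """Reduce a thumbprint to bare upper-case hex so that the Windows viewer
    form ('a1 b2 c3 ...') and the colon-separated form ('A1:B2:C3:...')
    compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def der_thumbprint(der_bytes):
    """SHA1 thumbprint of a certificate's DER encoding, upper-case hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def pem_thumbprints(pem_text):
    """Return the SHA1 thumbprint of every certificate in a PEM bundle, in
    file order (server, intermediates, root, if exported that way)."""
    prints = []
    for body in _PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(der_thumbprint(der))
    return prints


def check_keystores(chain, server_cert, server_store, root_store):
    """chain: {label: thumbprint} recorded on the test system for the whole
    certification path; server_cert: the label of the server certificate.
    server_store / root_store: thumbprints listed from (hostname).jks and
    root.jks. Returns the chain labels missing from each store, applying the
    rule that the server keystore needs every certificate in the chain and
    the root keystore needs every certificate except the server certificate.
    Extra certificates already present in a store are ignored, as the
    article says they are normal."""
    server_have = {normalize_thumbprint(t) for t in server_store}
    root_have = {normalize_thumbprint(t) for t in root_store}
    missing = {"server_store": [], "root_store": []}
    for label, thumb in chain.items():
        t = normalize_thumbprint(thumb)
        if t not in server_have:
            missing["server_store"].append(label)
        if label != server_cert and t not in root_have:
            missing["root_store"].append(label)
    return missing


# Constructed placeholder "certificate": arbitrary bytes wrapped in a PEM
# envelope. The thumbprint rule (SHA1 over the DER bytes) is identical for a
# real certificate export.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed thumbprints standing in for the values recorded on the test
# system; the mixed formatting mirrors what gets copied from the viewer.
RECORDED_CHAIN = {
    "server": " ".join(["11"] * 20),
    "intermediate": ":".join(["22"] * 20),
    "root": "33" * 20,
}


def demo():
    """Constructed store listings in which the intermediate certificate was
    never imported into either keystore: the situation behind the untrusted
    chain error in proxy_server.log. The '99' entry is an unrelated
    certificate already present in both stores."""
    server_store_listing = [
        ":".join(["11"] * 20), ":".join(["33"] * 20), ":".join(["99"] * 20),
    ]
    root_store_listing = [" ".join(["33"] * 20), ":".join(["99"] * 20)]
    return check_keystores(
        RECORDED_CHAIN, "server", server_store_listing, root_store_listing
    )


if __name__ == "__main__":
    print("sample PEM thumbprints:", pem_thumbprints(SAMPLE_PEM))
    print("missing from stores:", demo())
```

Run it as is to see the missing-intermediate case reported for both stores; in practice, replace RECORDED_CHAIN with the thumbprints noted on the test system and the two listings with the thumbprints taken from serverstoreinfo.txt and rootstoreinfo.txt.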

If any certificates are missing, they will need to be added.

Legacy Article ID: a50058