000011590 - Supported web browsers report an error message when accessing RSA Authentication Manager 8.1 Security Console or Operations Console

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 4, 2019
Version 24Show Document
  • View in full screen mode

Article Content

Article Number000011590
Applies ToRSA Product Set: SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 or later
IssueSupported web browsers report messages when accessing either the Security Console or the Operations Console or the Self-Service Console.

Microsoft Internet Explorer reports "There is a problem with this website's security certificate."
 
User-added image


Google Chrome reports "Your connection is not private."
 
User-added image


Mozilla Firefox reports "Your connection is not secure"
User-added image
CauseThe Trusted Root Certification Authorities store of the Microsoft Windows workstation or server where the web browser is being used to access the Authentication Manager portals (Security Console, Operations Console and Self-Service Console) does not have the root CA certificate generated by the Authentication Manager instance during deployment.
Resolution

Customers can replace the self-signed certificate created during the deployment of RSA Authentication Manager 8.1 software to remove the message presented in the web browser when accessing the Security Console, Operations Console or Self-Service Console. Instructions are provided in a section called Certificate Management for Secure Sockets Layer found in the RSA Authentication Manager 8.1 Administrator’s Guide (revision 1).

Alternatively, an administrator can add the Authentication Manager root CA certificate to the Trusted Root Certification Authorities store to avoid the web browser reporting the message.



Steps



  1. Access either the Operations Console or Security Console with a web browser (Google Chrome is used for this example).
  2. Click the padlock with the small red cross.

User-added image


  1. The administrator is presented with the option to view the certificate:

User-added image


  1. Click the Certificate information link.
  2. The server certificate is displayed.

User-added image


  1. Click the Certificate Path tab and select the RSA root CA certificate.
  2. Now click View Certificate.

User-added image


  1. After viewing the RSA root CA certificate click the Details tab.
  2. Click the Copy to File… button to save the certificate to a file.

User-added image

User-added image


  1. Click Next >.

 


User-added image


 


  1. Select a format you want to use and click Next > button (we left the default in the example below).

User-added image


  1. Enter a filename and click Next >.

User-added image


  1. Click Finish.

User-added image


  1. In Windows Explorer double-click the C:\RSA_root_CA.cer and the RSA root CA certificate is displayed

User-added image


 


  1. Clicking the Install Certificate… button will enable the trust of the Authentication Manager root CA certificate in the Trusted Root Certification Authorities store.

 




Alternative access to the Authentication Manager root CA certificate



RSA Authentication Manager 8.1 uses JKS files to store certificates in /opt/rsa/am/server/security.
 
Listing of the password protected JKS files in /opt/rsa/am/server/security directory:




rsaadmin@am81p:/opt/rsa/am/server/security> ls -l *.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4136 Dec  6  2013 biztier-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 3197 Dec  6  2013 caStore.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4153 Dec  6  2013 console-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 2912 Dec  6  2013 trust.jks
-rw-r--r-- 1 rsaadmin rsaadmin 7295 Dec  6  2013 webserver-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4152 Dec  6  2013 webserver-inactive.jks
rsaadmin@am81p:/opt/rsa/am/server/security>


The Authentication Manager root CA certificate is stored in the caStore.jks file.



  1. Listing the contents of the caStore.jks file would be done with the command:


/opt/rsa/am/appserver/jdk/bin/keytool -export -keystore /opt/rsa/am/server/security/caStore.jks


  1. Exporting rsa-am-ca from the caStore.jks is done with the command:


/opt/rsa/am/appserver/jdk/bin/keytool -export -alias rsa-am-ca -file rsa-am-ca.crt -keystore /opt/rsa/am/server/security/caStore.jks



NOTE: Viewing the contents or exporting data from caStore.jks will require the Root Certificate Keystore File Password found by running ./rsautil manage-secrets –a listall from /opt/rsa/am/utils.



  1. Use a secure FTP client where SSH access to the operating system has been enabled via the Operations Console to copy the rsa-am-ca.crt file from the Authentication Manager instance.
NotesFor more information, see Microsoft TechNet article on Manage Trusted Root Certificates.
Legacy Article IDa38690

Attachments

    Outcomes