000011590 - A Supported Web Browser Reports A Message When Accessing RSA Authentication Manager Console 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number
000011590

Applies To
RSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1 or later
Platform : SUSE Enterprise Linux
O/S Version : 11 Service Pack 3
Product Description : SecurID Appliance

Issue
Supported web browsers report messages when accessing the Security Console, the Operations Console or the Self-Service Console.
Microsoft Internet Explorer reports "There is a problem with this website's security certificate."
Google Chrome reports "Your connection is not private"
Mozilla Firefox reports "Your connection is not secure"

Cause
The Trusted Root Certification Authorities store on the Microsoft Windows workstation or server running the web browser used to access the Authentication Manager portals (Security Console, Operations Console and Self-Service Console) does not contain the root CA certificate that the Authentication Manager instance generated during deployment.

Resolution

Customers can replace the self-signed certificate created during the deployment of RSA Authentication Manager 8.1 software to remove the message presented in the web browser when accessing the Security Console, Operations Console or Self-Service Console. Instructions are provided in a section called Certificate Management for Secure Sockets Layer (starting page 172) found in the RSA Authentication Manager 8.1 Administrator’s Guide (revision 1).
Alternatively, an administrator can add the Authentication Manager root CA certificate to the Trusted Root Certification Authorities store so that the web browser no longer reports the message.
Steps:

  1. Access either the Operations Console or the Security Console with a web browser (Google Chrome is used for this example).
     Click the padlock with the small red cross.

  2. The administrator is presented with the option to view the certificate.
     Click the Certificate information link.

  3. The server certificate is displayed.

  4. Click the Certificate Path tab and select the RSA root CA certificate.
     Now click View Certificate.

  5. After viewing the RSA root CA certificate, click the Details tab.
     Click the Copy to File… button to save the certificate to a file.
     Click the Next > button.
     Select the format you want to use (the default is left in place for this example) and click the Next > button.
     Enter a filename and click the Next > button.
     Click the Finish button.

  6. In Windows Explorer, double-click C:\RSA_root_CA.cer and the RSA root CA certificate is displayed.
     Clicking the Install Certificate… button will enable the trust of the Authentication Manager root CA certificate in the Trusted Root Certification Authorities store.


Alternative access to the authentication manager root CA certificate
RSA Authentication Manager 8.1 uses JKS files to store certificates in the /opt/rsa/am/server/security folder.
 
Listing of the password protected JKS files in /opt/rsa/am/server/security folder:


rsaadmin@am81p:/opt/rsa/am/server/security> ls -l *.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4136 Dec  6  2013 biztier-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 3197 Dec  6  2013 caStore.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4153 Dec  6  2013 console-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 2912 Dec  6  2013 trust.jks
-rw-r--r-- 1 rsaadmin rsaadmin 7295 Dec  6  2013 webserver-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4152 Dec  6  2013 webserver-inactive.jks
rsaadmin@am81p:/opt/rsa/am/server/security>

The authentication manager root CA certificate is stored in the caStore.jks file.


  1. List the contents of the caStore.jks file with the command:
     /opt/rsa/am/appserver/jdk/bin/keytool -list -keystore /opt/rsa/am/server/security/caStore.jks
  2. Export rsa-am-ca from caStore.jks with the command:
     /opt/rsa/am/appserver/jdk/bin/keytool -export -alias rsa-am-ca -file rsa-am-ca.crt -keystore /opt/rsa/am/server/security/caStore.jks
     NOTE: Viewing the contents of caStore.jks or exporting data from it requires the Root Certificate Keystore File Password (found by running ./rsautil manage-secrets -a listall from the /opt/rsa/am/utils folder).
  3. Use a secure FTP client (where SSH access to the operating system has been enabled via the Operations Console) to copy the rsa-am-ca.crt file from the Authentication Manager instance.
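
Added example (not part of the original RSA article): the root CA certificate saved from the browser arrives over the connection the browser has flagged, so comparing it with the copy exported from caStore.jks on the appliance confirms that both routes yield the same certificate before it is installed as a trusted root. The Python code below accepts DER and Base-64 (PEM) files and compares SHA-256 fingerprints. The function names are illustrative, and the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a file holding one X.509 certificate.

    Accepts binary DER and Base-64 (PEM) input. Only the outer framing is
    checked; the ASN.1 structure is not parsed.
    """
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("file holds more than one certificate")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if b"-----BEGIN" in data:
        raise ValueError("PEM block is not a CERTIFICATE")
    if data[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
        raise ValueError("not a DER or PEM certificate")
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(browser_copy: bytes, appliance_copy: bytes) -> bool:
    """True only when both files encode the byte-identical certificate."""
    return fingerprint(browser_copy) == fingerprint(appliance_copy)


# Constructed stand-in bytes (NOT a real certificate): SEQUENCE tag + filler.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SUBSTITUTED = SAMPLE_DER[:-1] + b"\x01"  # constructed: differs by one byte

if __name__ == "__main__":
    print(fingerprint(SAMPLE_DER))
    print(same_certificate(SAMPLE_PEM, SAMPLE_DER))   # two encodings, one cert
    print(same_certificate(SUBSTITUTED, SAMPLE_DER))  # different certificate
```

In practice, pass the contents of C:\RSA_root_CA.cer and rsa-am-ca.crt, each read in binary mode, to same_certificate().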

Notes
Manage Trusted Root Certificates - URL https://technet.microsoft.com/en-us/library/cc754841.aspx

Legacy Article ID
a38690
