Customers can replace the self-signed certificate created during the deployment of RSA Authentication Manager 8.1 software to remove the message presented in the web browser when accessing the Security Console, Operations Console or Self-Service Console. Instructions are provided in a section called Certificate Management for Secure Sockets Layer found in the RSA Authentication Manager 8.1 Administrator’s Guide (revision 1).
Alternatively, an administrator can add the Authentication Manager root CA certificate to the Trusted Root Certification Authorities store to avoid the web browser reporting the message.
- Access either the Operations Console or Security Console with a web browser (Google Chrome is used for this example).
- Click the padlock with the small red cross.
- The administrator is presented with the option to view the certificate:
- Click the Certificate information link.
- The server certificate is displayed.
- Click the Certificate Path tab and select the RSA root CA certificate.
- Now click View Certificate.
- After viewing the RSA root CA certificate click the Details tab.
- Click the Copy to File… button to save the certificate to a file.
- Click Next >.
- Select a format you want to use and click Next > button (we left the default in the example below).
- Enter a filename and click Next >.
- Click Finish.
- In Windows Explorer double-click the C:\RSA_root_CA.cer and the RSA root CA certificate is displayed
- Clicking the Install Certificate… button will enable the trust of the Authentication Manager root CA certificate in the Trusted Root Certification Authorities store.
Alternative access to the Authentication Manager root CA certificate
RSA Authentication Manager 8.1 uses JKS files to store certificates in /opt/rsa/am/server/security.
Listing of the password protected JKS files in /opt/rsa/am/server/security directory:
rsaadmin@am81p:/opt/rsa/am/server/security> ls -l *.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4136 Dec 6 2013 biztier-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 3197 Dec 6 2013 caStore.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4153 Dec 6 2013 console-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 2912 Dec 6 2013 trust.jks
-rw-r--r-- 1 rsaadmin rsaadmin 7295 Dec 6 2013 webserver-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4152 Dec 6 2013 webserver-inactive.jks
The Authentication Manager root CA certificate is stored in the caStore.jks file.
- Listing the contents of the caStore.jks file would be done with the command:
/opt/rsa/am/appserver/jdk/bin/keytool -export -keystore /opt/rsa/am/server/security/caStore.jks
- Exporting rsa-am-ca from the caStore.jks is done with the command:
/opt/rsa/am/appserver/jdk/bin/keytool -export -alias rsa-am-ca -file rsa-am-ca.crt -keystore /opt/rsa/am/server/security/caStore.jks
NOTE: Viewing the contents or exporting data from caStore.jks will require the Root Certificate Keystore File Password found by running ./rsautil manage-secrets –a listall from /opt/rsa/am/utils.
- Use a secure FTP client where SSH access to the operating system has been enabled via the Operations Console to copy the rsa-am-ca.crt file from the Authentication Manager instance.