000030631 - How to delete the RSA Authentication Manager 8.1 virtual host Certificate Signing Requests (CSR) which show Pending or Inactive status

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000030631
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue: A virtual host Certificate Signing Request (CSR) was created using Virtual Host Certificate Management in the primary Authentication Manager's Operations Console and left in either a Pending or Inactive status.
Resolution
  1. Log in to the RSA Authentication Manager 8.1 primary's Operations Console.
  2. Navigate to Deployment Configuration > Certificates > Virtual Host Certificate Management.
  3. In Virtual Host Certificate Management, the Virtual Host Certificate Signing Request (CSR) that was imported is listed with a status of either Pending or Inactive.


Remove the Pending or Inactive virtual host CSR


  1. SSH to the primary Authentication Manager server, or connect to it directly with a monitor and keyboard.
  2. Log in as rsaadmin with the operating system password.
  3. To remove the Virtual Host CSR aliases from /opt/rsa/am/server/security/vh-inactive.jks, the administrator needs the SSL Server Identity Certificate Keystore File Password.  It can be obtained by running ./rsautil manage-secrets -a list com.rsa.signing.key from the /opt/rsa/am/utils directory.  For example,
cd /opt/rsa/am/utils
./rsautil manage-secrets -a list com.rsa.signing.key

Please enter OC Administrator username: <enter the Operations Console administrator user name>
Please enter OC Administrator password: <enter the Operations Console administrator password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_9uwbaoze
Command API Client User Password ......................: N04vujpJYzkePDn0vf0zjnu2NmEJ1f
SSL Server Identity Certificate Private Key Password ..: jkN1075giQ9IIFD8Pg6uVq4BGFB9yU
SSL Server Identity Certificate Keystore File Password : g972SpITERSGMtYCZWevKd4UTVuZUw
Root Certificate Private Key Password .................: rSl0jKaSPUFww2fb0KVfJdbUIFwQK3
Root Certificate Keystore File Password ...............: Rg10rVYLQW8fNHEdMxbgucWlMQ1mAX
The "listkeys" action displays the key names to use when setting the values.
rsaadmin@srhw8018:/opt/rsa/am/utils>

  4. Virtual host CSRs that are left in a pending state reside in /opt/rsa/am/server/security/vh-inactive.jks.  Back up this file before making any changes to it.
  5. Navigate to /opt/rsa/am/server/security and make a copy of the vh-inactive.jks file.
cd /opt/rsa/am/server/security
cp vh-inactive.jks vh-inactive.jks.BAK
ls -l
total 124
-rw-r--r-- 1 rsaadmin rsaadmin  4156 Mar 19 11:10 biztier-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin   444 Mar 11 13:33 boot.properties
-rw-r--r-- 1 rsaadmin rsaadmin  3215 Mar 11 13:33 caStore.jks
-rw-r--r-- 1 rsaadmin rsaadmin  4171 Mar 11 13:33 console-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin  4097 Mar 11 13:33 DefaultAuthenticatorInit.ldift
-rw-r--r-- 1 rsaadmin rsaadmin  2398 Mar 11 13:33 DefaultRoleMapperInit.ldift
-rw-r--r-- 1 rsaadmin rsaadmin    64 Mar 11 13:33 SerializedSystemIni.dat
-rw-r--r-- 1 rsaadmin rsaadmin  4906 Apr 28 15:07 trust.jks
-rw------- 1 rsaadmin rsaadmin  1084 May  4 13:36 VHCertRequest-Webtier.csr
-rw------- 1 rsaadmin rsaadmin  4151 Apr 28 14:48 vh-identity.jks
-rw------- 1 rsaadmin rsaadmin  7588 May  4 13:54 vh-inactive.jks
-rw------- 1 rsaadmin rsaadmin  7588 Jun 23 10:13 vh-inactive.jks.BAK
-rw------- 1 rsaadmin rsaadmin  7327 Mar 19 11:10 webserver-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin  4172 Mar 19 11:10 webserver-inactive.jks
-rw------- 1 rsaadmin rsaadmin  7312 Apr 28 15:06 webtier-identity-rba.jks
-rw-r--r-- 1 rsaadmin rsaadmin 22654 Mar 11 13:33 XACMLRoleMapperInit.ldift


List the contents of the keystore through the keytool utility


To list the contents of the file using the keytool utility at the command line to confirm the alias you want to delete, run the following command:
/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured above>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
webtier, May 4, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): BA:9F:FD:91:DA:22:E3:35:75:A7:9B:C0:62:E7:04:52
rsa-am-ca, Apr 28, 2015, trustedCertEntry,
Certificate fingerprint (MD5): 70:01:3C:ED:74:27:9C:BF:CE:FE:48:19:8C:2F:91:86
virtualhost-id-key, Apr 28, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): ED:D4:64:57:30:5D:60:1F:6F:5D:40:56:46:32:F3:77
a3ce4d08120510ac1f349ff8664cdfa0-signing-ca, May 4, 2015, trustedCertEntry,
Certificate fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12

Note: The vh-inactive.jks file contains four entries. In this example the alias “webtier” is a pending entry. The other three entries are the defaults.
 

To delete any unwanted alias from the keystore


  1. To delete the unwanted alias shown in the example, use the keytool utility at the command line, then list the keystore again to confirm the alias is gone.  For example,
/opt/rsa/am/appserver/jdk/jre/bin/keytool -delete -alias webtier -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured above>
/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured above>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
virtualhost-id-key, Apr 28, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): ED:D4:64:57:30:5D:60:1F:6F:5D:40:56:46:32:F3:77
rsa-am-ca, Apr 28, 2015, trustedCertEntry,
Certificate fingerprint (MD5): 70:01:3C:ED:74:27:9C:BF:CE:FE:48:19:8C:2F:91:86
a3ce4d08120510ac1f349ff8664cdfa0-signing-ca, May 4, 2015, trustedCertEntry,
Certificate fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
rsaadmin@srhw8018:/opt/rsa/am>

  2. Go back to the primary Authentication Manager 8.1 Operations Console and select Deployment Configuration > Certificates > Virtual Host Certificate Management to confirm that the Pending or Inactive certificate has been removed.
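As an added example (not part of the RSA article), the POSIX shell helper below wraps the steps above: it picks out the non-default aliases from a keytool -list listing, refuses to delete the three default entries, backs up vh-inactive.jks, runs the delete and verifies the alias is gone. Assumptions: keytool and keystore paths as in the article, the default alias names as in the article's listing, and the keystore password supplied in the KS_PASS environment variable.

```shell
#!/bin/sh
# Added helper, not from the RSA article. Assumed: keytool and keystore paths
# as in the article, default alias names as in the article's listing, and
# KS_PASS holding the SSL Server Identity Certificate Keystore File Password.
KEYTOOL=/opt/rsa/am/appserver/jdk/jre/bin/keytool
KEYSTORE=/opt/rsa/am/server/security/vh-inactive.jks

# The three entries the article calls defaults; they must never be deleted.
is_default_alias() {
    case "$1" in
        virtualhost-id-key|rsa-am-ca|*-signing-ca) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "keytool -list" output on stdin and print every alias that is not a
# default, i.e. the pending/inactive CSR entries that are safe to remove.
pending_aliases() {
    while IFS= read -r line; do
        case "$line" in
            *PrivateKeyEntry,|*trustedCertEntry,|*PrivateKeyEntry|*trustedCertEntry)
                alias=${line%%,*}
                is_default_alias "$alias" || printf '%s\n' "$alias" ;;
        esac
    done
}

# Back up the keystore, delete one non-default alias and confirm it is gone.
# -storepass is visible in the process list while keytool runs; unset KS_PASS
# as soon as you are done.
delete_pending_alias() {
    if is_default_alias "$1"; then
        echo "refusing to delete default alias $1" >&2
        return 1
    fi
    cp -p "$KEYSTORE" "$KEYSTORE.BAK.$(date +%Y%m%d%H%M%S)" || return 1
    "$KEYTOOL" -delete -alias "$1" -keystore "$KEYSTORE" -storepass "$KS_PASS" || return 1
    if "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$KS_PASS" \
        | pending_aliases | grep -qx "$1"; then
        echo "alias $1 still present" >&2
        return 1
    fi
}

# Constructed sample in the article's listing format; the filter prints "webtier" only.
SAMPLE_LISTING='webtier, May 4, 2015, PrivateKeyEntry,
rsa-am-ca, Apr 28, 2015, trustedCertEntry,
virtualhost-id-key, Apr 28, 2015, PrivateKeyEntry,
a3ce4d08120510ac1f349ff8664cdfa0-signing-ca, May 4, 2015, trustedCertEntry,'
printf '%s\n' "$SAMPLE_LISTING" | pending_aliases
```

A real run is `KS_PASS='<keystore file password>' delete_pending_alias webtier`; the backup copy it writes is the one to restore if the wrong entry is ever removed.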
