000012339 - Unable to upgrade RSA Certificate Manager from 6.0.2 to 6.8 due to missing CMP Server in 6.0.2

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000012339
Applies To:
RSA Keon Certificate Authority 6.0.2
RSA Certificate Manager 6.8
Issue:
Unable to upgrade RSA Certificate Manager from 6.0.2 to 6.8 due to missing CMP Server in 6.0.2
package.tar is created successfully in the first phase of the upgrade, but it contains no files under the CmpServer directory.
There is no CmpServer folder (or CMP Server) in the Keon Certificate Authority 6.0.2 installation being upgraded.
The second phase of the upgrade fails with the following output when running ./INSTALL using package.tar:

<...snip...>
=====================
Entered input values:
=====================
Webmaster E-mail Address:               administrator@someorg.domain.net
User the server will run as:             nobody
Group the server will run as:            nobody
Name of Server Host (FQDN):              rcmhost.domain.net
Administrator Server Port:               444
Enrollment Server Port:                  443
Certificate Renewal Server Port:         448
SCEP Server Port:                        446
CRL Server Port:                         447
CMP Server Port:                         829
Secure Directory (SSL-LDAP) Server Port: 636
Directory (LDAP) Server Port:            389
Logging Server Port:                     5150
SMTP Server Host:                        mail
SMTP Server Port:                        25
=====================
Are all the above values correct? (y/[n]): y

Configuring Secure Directory Server...
Indexing database...
This may take a while. Please be patient.
.........................
<..snip...>
.........................(WARNING) ldbm backend configuration [../conf/xudad.conf:167]:
Unknown directive "crltimer" (ignored)
../conf/xudad.conf: line 167: unknown directive "crltimer" in ldbm database definition (ignored)
....
Configuring CMP server...
unable to read certificate file [XrcBADSOURCE]: /app/RSA_CM/CmpServer/ssl/certs/cmp.cert
*** Upgrade install failed.
Cause:
The CMP Server component of Keon Certificate Authority was removed from the installation being upgraded, as it was not a requirement.
Resolution:
This scenario (missing CMP Server component) is under review for a possible fix in a future version of the RSA Certificate Manager upgrader.

In the meantime, the following steps can be used to work around the problem and complete the upgrade:

1. Create the following folders under Keon Certificate Authority (KCA) 6.0.2 being upgraded:
      CmpServer/conf
      CmpServer/ssl/certs
      CmpServer/ssl/private
2. Copy CmpServer/conf/* from another KCA 6.0.2/6.5.1 installation in a lab or test environment to the KCA 6.0.2 being upgraded
3. Copy .cert/.key files from WebServer directory to CmpServer directory in KCA 6.0.2 as follows:
       - copy WebServer/ssl/certs/admin.cert  to CmpServer/ssl/certs/cmp.cert
       - copy WebServer/ssl/private/admin.key to CmpServer/ssl/private/cmp.key
4. Update CmpServer/conf/cmp.conf and CmpServer/conf/icmpserver.conf to use correct port/paths/md5
5. On Solaris, use "chown -R root:other CmpServer" to set correct ownership on the new files
6. Run the upgrader on KCA 6.0.2 again to produce a new package.tar (follow RCM installation guide for upgrade steps)
7. Upgrade with the new package.tar

Note that post-upgrade, new cmp.cert and cmp.key files should be generated so that the copies of admin.cert/admin.key are not used with the upgraded CMP Server. One way to generate those files is to use OneStep's setupSSL tool. LDAP ACLs must be updated manually to allow appropriate access to the new CMP Server certificate. Contact RSA Customer Support to get assistance with these steps.
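
The script below covers steps 1 and 3 and adds two checks: one before re-running the upgrader, and one after the upgrade to confirm the copied admin.cert/admin.key have been replaced. It is an added example, not RSA tooling; the function names, the subcommands, and the assumption that the upgraded installation keeps the same WebServer/CmpServer layout are assumptions.

```sh
#!/bin/sh
# Added example, not RSA tooling. $root is the KCA installation root, i.e. the
# directory that contains WebServer/ (operator-supplied; an assumption).
# Steps 2, 4 and 5 (conf files, port/path edits, chown) stay manual.

# Steps 1 and 3: create the CmpServer skeleton and stage the temporary copies.
# cp -p preserves the source mode, so cmp.key is no more readable than admin.key.
stage_cmp_placeholder() {
    root=$1
    for src in WebServer/ssl/certs/admin.cert WebServer/ssl/private/admin.key; do
        [ -r "$root/$src" ] || { echo "cannot read $src" >&2; return 1; }
    done
    mkdir -p "$root/CmpServer/conf" "$root/CmpServer/ssl/certs" \
             "$root/CmpServer/ssl/private" &&
    cp -p "$root/WebServer/ssl/certs/admin.cert" "$root/CmpServer/ssl/certs/cmp.cert" &&
    cp -p "$root/WebServer/ssl/private/admin.key" "$root/CmpServer/ssl/private/cmp.key"
}

# Before step 6: confirm every file the workaround supplies is present and non-empty.
# The conf files come from steps 2 and 4; their contents are not validated here.
check_cmp_ready() {
    root=$1
    rc=0
    for f in conf/cmp.conf conf/icmpserver.conf ssl/certs/cmp.cert ssl/private/cmp.key; do
        if [ ! -s "$root/CmpServer/$f" ]; then
            echo "missing or empty: CmpServer/$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Post-upgrade: returns 0 while cmp.cert or cmp.key is still a byte-for-byte
# copy of the administration server's file, i.e. replacement is still pending.
cmp_uses_admin_copy() {
    root=$1
    cmp -s "$root/WebServer/ssl/certs/admin.cert" "$root/CmpServer/ssl/certs/cmp.cert" ||
    cmp -s "$root/WebServer/ssl/private/admin.key" "$root/CmpServer/ssl/private/cmp.key"
}

# Hypothetical subcommands: stage | check | verify, each followed by the root.
case "${1:-}" in
    stage)  stage_cmp_placeholder "$2" ;;
    check)  check_cmp_ready "$2" ;;
    verify) if cmp_uses_admin_copy "$2"; then
                echo "CMP Server still uses copies of admin.cert/admin.key" >&2
                exit 1
            fi ;;
esac
```

Run "verify" after generating the new cmp.cert and cmp.key; a non-zero exit means at least one of the two files is still identical to its admin counterpart.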
Notes: CERTMGR-3753
Legacy Article ID: a50238
