000014468 - How to install and factory reset an RSA SecurID Appliance 3.0 running SP2 or earlier to SP4

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Jul 21, 2017
Version 3

Article Content

Article Number: 000014468
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 3.0 SP2 and earlier
Issue: Unable to complete quick setup for the RSA SecurID Appliance after a factory reset with the following exception:
Caused by: com.rsa.certj.cert.CertificateException: Cannot set the validity with the given dates.
     at com.rsa.certj.cert.X509Certificate.setValidity (X509Certificate.java:1627)
     at com.rsa.certj.cert.X509Certificate.setValidityBER (X509Certificate.java:1590)
     at com.rsa.certj.cert.X509Certificate.setInnerDER (X509Certificate.java:768)
     at com.rsa.certj.cert.X509Certificate.setCertBER (X509Certificate.java:429)
     at com.rsa.certj.cert.X509Certificate.<init> (X509Certificate.java:328)
     at com.rsa.certj.cert.X509Certificate.<init> (X509Certificate.java:306)
     at com.rsa.installfwrk.common.security.CertAuthority.convertCertificate (CertAuthority.java:460)
     at com.rsa.installfwrk.common.security.CertAuthority.getCA (CertAuthority.java:676)
     at com.rsa.installfwrk.common.security.CertAuthority.createAndSignCert (CertAuthority.java:153)
     at com.rsa.installfwrk.common.utils.CreateCerts.createCert (CreateCerts.java:73)
     at com.rsa.installfwrk.common.command.CreateCertsCmd.createCerts(CreateCertsCmd.java:32)
     at com.rsa.installfwrk.common.command.CreateCertsCmd.execute (CreateCertsCmd.java:23)
... 3 more

Here are the steps, broken into three sections: 

  1. Pre work.
  2. Factory reset to install SP4.
  3. Factory reset onto SP4.
Before continuing, take a backup of the current system and note all passwords (emcsrv, master password and admin passwords for the Operations Console and Security Console). You will not be able to restore the backup to the new server if the passwords do not match exactly.


  1. Before you begin, secure the following equipment: a laptop, crossover cable, keyboard and monitor, factory reset .iso download (link provided below), RSA SecurID Appliance 3.0 license file.
  2. You must also determine the type of appliance chassis you have before you download the factory reset image. There are two images for the 130 and two for the 250; it is imperative that you select the right image for not only the appliance type but also the chassis type.
    1. To determine the hardware model, from the keyboard and monitor, log in to your appliance as emcsrv.
    2. NOTE: The default password before factory reset is complete is dangerous, all in lower case.
    3. At the ssh prompt, type omreport chassis info.
    4. Review the output for the Chassis Model. In the example below it is R200. Be sure to download the factory reset patch for the model shown on your screen.
omreport chassis info
Index                                    : 0
Chassis Name                             : Main System Chassis
Host Name                                : cs-appliance3.na.rsa.net
BMC Version                              : 1.79
Chassis Model                            : PowerEdge R200
Chassis Lock                             : Present
Chassis Service Tag                      : F6JJRJ1
Chassis Asset Tag                        :
Flash chassis identify LED state         : Off
Flash chassis identify LED timeout value : 300

  3. Download the proper SecurID Appliance Factory Reset Patch and readme.
  4. Be certain to check the MD5 sum to ensure the download is correct. This step is particularly important: if the image download is incorrect, you will not be able to install it. The MD5 sums are provided on the same link as the download. Take the extra time to check the MD5 sum after you download it.



You will backdate the system clock to before the certificate expiration date in order to install the new factory reset image for SP4, and perform the first of two factory resets and quick setups:

  1. From a monitor and a keyboard attached to the soon to be new primary (old replica), we have to backdate the system clock to a date before Dec 31, 2009. Log in from the monitor/keyboard as emcsrv, then become root by typing:
sudo su -

  2. Due to expired certificates, change the system date in MM/DD/YYYY format from the command line to a date prior to 31 December 2009, such as:
date -s "12/01/2009 00:00:00"

  3. Reboot the machine by typing:
/sbin/shutdown -r now

  4. Be sure to be in front of the monitor/keyboard (or on a KVM if accessing the console remotely), as during the boot sequence you will have about 10 seconds to select Factory Reset from the boot menu. If you do not catch it in time, you will have to reboot again by repeating steps 1 - 3.
  5. Complete the factory reset off the pre-SP2 image currently loaded with the backdated system clock.
  6. Complete Quick Setup per the attached quick setup guide.
  7. Insert the SP4 factory reset image into the CD-ROM drive or insert a thumb drive with the factory reset image.
  8. Browse to the Operations Console of the primary and log in with the credentials established during Quick Setup. The URL will be https://<fqdn>:7072/operations-console. NOTE: if the host FQDN is not in DNS, you may need to add the IP address, FQDN, shortname and hostname to the local hosts file on the laptop you are using to connect to the appliance. Your local hosts file will be in C:\Windows\System32\drivers\etc. The format is standard as in any hosts file, i.e.
IP address   fqdn  shortname

For example,    myhostname.mydomain.com  myhostname


  9. Click on Maintenance > Manage Updates > Scan for updates.
  10. If your .iso is good, it should find it, and when it does, click Install update when prompted.
  11. Wait for completion.



Now, you will perform a second factory reset off the SP4 image and create the primary for actual use.

  1. Reset the system time to today's date. From the monitor, log in again as emcsrv, then become root:
sudo su -

  2. Reset the system clock to today's date and time, replacing the values for the current date (MM/DD/YYYY) and time (HH:MM:SS).
date -s "09/20/2011 11:45:00"

  3. Issue a reboot and watch for the factory reset again:
/sbin/shutdown -r  now

  4. Complete the factory reset again.
  5. Complete Quick Setup again as a primary.
  6. Once you complete Quick Setup, you will be on, which is Service Pack 4.
Legacy Article ID: a55992