000029187 - Custom SSL certificate on web interface is removed after upgrading to RSA Security Analytics 10.4.0.2 or above

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029187
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Security Analytics UI
RSA Version/Condition: 10.4.0.2, 10.4.1.x, 10.5.x
Platform: CentOS
O/S Version: EL6
 
IssueAfter upgrading to RSA Security Analytics 10.4.0.2, the public CA certificate that was installed at a previous version following the instructions in the knowledgebase article 26817 no longer appears to be present.
When navigating to the Security Analytics user interface, it once again shows invalid HTTPS connection with the message:  "The identity of this website has not been verified."
"Identity not verified" message when looking at the certificate in Chrome.
CauseIn order to resolve some FIPS-related issues within Security Analytics, version 10.4.0.2 includes a Puppet module that changes the Jetty 9 web server keystore path from /opt/rsa/jetty9/etc/keystore to /opt/rsa/carlos/keystore, which is the default puppet keystore.
This forces the Puppet CA certificate to be used for the user interface.
This can be verified by looking at the Certificate Information from the web browser, which will display information similar to the example below.
Certificate Information dialog box showing Puppet CA as the issuer.
ResolutionThis issue will be addressed in Security Analytics 10.5, at which point it will be possible to import a custom CA certificate chain into the Puppet keystore.
However, if a backup was made to the /opt/rsa/jetty9/etc/jetty-ssl.xml file as instructed in the installation guide and in the knowledgebase articles entitled How to back up a public CA certificate configuration on an RSA Security Analytics 10.3 server prior to an upgrade and How to Install a Public CA Certificate on RSA Security Analytics 10.4.0.2 and Above, the workaround below may be performed to reapply the original keystore.
WorkaroundFollow the instructions below to replace the new jetty-ssl.xml file that is generated by the Puppet module with the backed up file from a previous version. 
This workaround assumes that the backup file is located here:  /opt/rsa/jetty9/etc/jetty-ssl.xml.bak
  1. Connect to the Security Analytics server via SSH as the root user.
  2. Issue the command below to temporarily stop the puppetmaster service.
    service puppetmaster stop

  3. Replace the Jetty keystore file with the backed up file from the previous version with the command below and confirm the operation.
    cp /opt/rsa/jetty9/etc/keystore.bak /opt/rsa/jetty9/etc/keystore

  4. Replace the jetty-ssl.xml file in the Puppet module with the backed up file from the previous version with the command below and confirm the operation.
    cp /opt/rsa/jetty9/etc/jetty-ssl.xml.bak /etc/puppet/modules/saserver/files/jetty-ssl.xml

  5. Start the puppetmaster service.
    service puppetmaster start

  6. Push the changed file to the Jetty web server and automatically restart the jettysrv service with the command below.
    puppet agent -t

Issuing the puppet agent -t command will display output similar to the example below.
Output seen by the puppet agent -t command.
Allow several minutes for the Jetty web server to fully initialize before attempting to navigate to the user interface in a web browser.  After that time, the custom certificate should be present.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

    Outcomes