|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics Server, Security Analytics UI
RSA Version/Condition: 10.4.0.2, 10.4.1.x, 10.5.x
O/S Version: EL6
|Issue||After upgrading to RSA Security Analytics 10.4.0.2, the public CA certificate that was installed at a previous version following the instructions in the knowledgebase article 26817 no longer appears to be present.|
When navigating to the Security Analytics user interface, the browser once again shows an invalid HTTPS connection with the message: "The identity of this website has not been verified."
|Cause||To resolve some FIPS-related issues within Security Analytics, version 10.4.0.2 includes a Puppet module that changes the Jetty 9 web server keystore path from /opt/rsa/jetty9/etc/keystore to /opt/rsa/carlos/keystore, which is the default Puppet keystore.|
This forces the Puppet CA certificate to be used for the user interface.
This can be verified by looking at the Certificate Information from the web browser, which will display information similar to the example below.
|Resolution||This issue will be addressed in Security Analytics 10.5, at which point it will be possible to import a custom CA certificate chain into the Puppet keystore.|
However, if a backup was made of the /opt/rsa/jetty9/etc/jetty-ssl.xml file as instructed in the installation guide and in the knowledgebase articles entitled "How to back up a public CA certificate configuration on an RSA Security Analytics 10.3 server prior to an upgrade" and "How to Install a Public CA Certificate on RSA Security Analytics 10.4.0.2 and Above", the workaround below may be performed to reapply the original keystore.
|Workaround||Follow the instructions below to replace the new jetty-ssl.xml file that is generated by the Puppet module with the backed-up file from a previous version.|
This workaround assumes that the backup file is located here: /opt/rsa/jetty9/etc/jetty-ssl.xml.bak
Allow several minutes for the Jetty web server to fully initialize before attempting to navigate to the user interface in a web browser. After that time, the custom certificate should be present.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
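
The keystore change described under Cause can be confirmed from the command line before relying on the backup. The script below is an added example, not part of the RSA article or product: it classifies which of the two keystore paths a jetty-ssl.xml file references and compares the live file with the backup. The function names and the XML layout of the sample files are assumptions constructed for illustration.

```sh
# Added example: classify which keystore a jetty-ssl.xml file points at.
# Keystore paths are from the article; the sample XML is constructed.

CUSTOM_KS="/opt/rsa/jetty9/etc/keystore"  # pre-upgrade Jetty keystore
PUPPET_KS="/opt/rsa/carlos/keystore"      # default Puppet keystore (10.4.0.2 module)

# keystore_in_use FILE -> custom | puppet | both | unknown | missing
keystore_in_use() (
    [ -r "$1" ] || { echo missing; exit 0; }
    # Ignore single-line XML comments so a commented-out path is not counted.
    body=$(sed 's/<!--.*-->//' "$1")
    c=0; p=0
    case "$body" in *"$CUSTOM_KS"*) c=1 ;; esac
    case "$body" in *"$PUPPET_KS"*) p=1 ;; esac
    case "$c$p" in
        10) echo custom ;;
        01) echo puppet ;;
        11) echo both ;;
        *)  echo unknown ;;
    esac
)

# upgrade_state LIVE BACKUP -> one-word verdict for the situation in the article
upgrade_state() (
    live=$(keystore_in_use "$1"); bak=$(keystore_in_use "$2")
    case "$live/$bak" in
        puppet/custom) echo reverted-backup-available ;;
        puppet/*)      echo reverted-no-usable-backup ;;
        custom/*)      echo custom-keystore-active ;;
        *)             echo needs-manual-review ;;
    esac
)

# write_samples DIR: constructed stand-ins for the live file and its .bak copy
write_samples() {
    printf '%s\n' '<Configure>' \
        '  <!-- <Set name="KeyStorePath">/opt/rsa/jetty9/etc/keystore</Set> -->' \
        '  <Set name="KeyStorePath">/opt/rsa/carlos/keystore</Set>' \
        '</Configure>' > "$1/jetty-ssl.xml"
    printf '%s\n' '<Configure>' \
        '  <Set name="KeyStorePath">/opt/rsa/jetty9/etc/keystore</Set>' \
        '</Configure>' > "$1/jetty-ssl.xml.bak"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
echo "verdict: $(upgrade_state "$demo_dir/jetty-ssl.xml" "$demo_dir/jetty-ssl.xml.bak")"
rm -rf "$demo_dir"
```

On a server, pass /opt/rsa/jetty9/etc/jetty-ssl.xml and /opt/rsa/jetty9/etc/jetty-ssl.xml.bak to upgrade_state instead of the constructed samples.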