000030676 - The RSA Authentication Manager 8.1 Administration server with Operations Console service fails to start causing all other services to fail except for the RSA Database Server service

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000030676
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue 
  • When trying to connect to the Authentication Manager administration consoles, the following is seen:
    • Services will not start and the Security Console, Operations Console and Self-Service Console are not accessible.
    • When connected to the Authentication Manager server via SSH, vSphere or a direct connection, the RSA Administration server with Operations Console service is failing to start, causing all other services to fail except for the RSA Database Server service.

 
  • Facts:
    • Attempting to restart services (./rsaserv restart all) fails at the same stage.
    • Rebooting the server did not resolve the issue.
    • The machine’s host name is resolvable and the IP address is correct.
    • Date, time and time zone on the server are all correct.
Cause
  • The /opt/rsa/am/server/logs/AdminServerWrapper.log file shows that the console certificate has expired. In the example below, the date stamp on the log is 30 June 2015, but the certificate expired on 21 May 2015:

 
INFO   | jvm 1    | main    | 2015/06/30 06:18:24 | Caused by: java.security.cert.CertificateExpiredException: Checked date:  Tue Jun 30 06:18:23 EDT 2015 is after Certificate notAfter date: Thu May 21 22:28:48 EDT 2015.
   INFO   | jvm 1    | main    | 2015/06/30 06:18:24 |     at com.rsa.cryptoj.c.pk.a(UnknownSource)
   INFO   | jvm 1    | main    | 2015/06/30 06:18:24 |     at com.rsa.cryptoj.c.pj.checkValidity(Unknown Source)
   INFO   | jvm 1    | main    | 2015/06/30 06:18:24 |     at weblogic.security.utils.SSLContextManager.checkIdentity(SSLContextManager.java.508)
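
To confirm this cause from the log without reading it by hand, the following added example (not RSA's code and not part of the original article) scans AdminServerWrapper.log text for the CertificateExpiredException line shown above and reports how long the certificate had been expired when the service tried to start. The function names and the sample log are constructed for illustration, and both dates in the message are assumed to be in the same time zone.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the AdminServerWrapper.log excerpt above.
SAMPLE_LOG = """\
INFO   | jvm 1    | main    | 2015/06/30 06:18:22 | (constructed) starting admin server
INFO   | jvm 1    | main    | 2015/06/30 06:18:24 | Caused by: java.security.cert.CertificateExpiredException: Checked date:  Tue Jun 30 06:18:23 EDT 2015 is after Certificate notAfter date: Thu May 21 22:28:48 EDT 2015.
INFO   | jvm 1    | main    | 2015/06/30 06:18:24 |     at com.rsa.cryptoj.c.pj.checkValidity(Unknown Source)
"""

EXPIRED = re.compile(
    r"CertificateExpiredException: Checked date:\s+(?P<checked>.+?)\s+is after "
    r"Certificate notAfter date:\s+(?P<not_after>.+?)\.?\s*$"
)

def parse_java_date(text):
    """Parse a date such as 'Thu May 21 22:28:48 EDT 2015' into (datetime, zone).

    strptime's %Z rejects most zone abbreviations (EDT included), so the zone
    token is split off and returned separately.
    """
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected date format: {text!r}")
    zone = parts.pop(4)
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"), zone

def find_expired_certs(log_text):
    """Return one finding per CertificateExpiredException line in the log text."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = EXPIRED.search(line)
        if not match:
            continue
        checked, _ = parse_java_date(match["checked"])
        not_after, zone = parse_java_date(match["not_after"])
        findings.append({
            "line": lineno,
            "not_after": not_after,
            "zone": zone,
            # Assumes both timestamps are in the same zone, as in the excerpt.
            "days_expired": (checked - not_after).days,
        })
    return findings

if __name__ == "__main__":
    for f in find_expired_certs(SAMPLE_LOG):
        print(f"line {f['line']}: expired {f['not_after']} {f['zone']}, "
              f"{f['days_expired']} days before the startup attempt")
```

To run it against a real log, read /opt/rsa/am/server/logs/AdminServerWrapper.log and pass its contents to find_expired_certs().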

 
Resolution
  • To resolve this issue, import another valid certificate or revert to the default one that ships with Authentication Manager. The steps to revert to the original certificate supplied by RSA are below:
  1. Connect to the Authentication Manager server via SSH, vSphere or direct connection.
  2. Log in as the rsaadmin user with the current operating system password.
  3. Navigate to /opt/rsa/am/utils.
  4. Run the following command to change the console certificate from the third-party certificate to the original certificate:
./rsautil reset-server-cert -u <Operations Console administrative user> -p <Operations Console administrative password>
  5. After reverting to the default certificate, navigate to /opt/rsa/am/server and start the Authentication Manager services:
./rsaserv start all
 
Notes
  • After reverting to the default certificate, the expired certificate will be listed as Inactive in the Operations Console under Deployment Configuration > Certificates > Console Certificate Management.
