Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
- When trying to connect to the Authentication Manager administration consoles, the following is seen:
- Services will not start and the Security Console, Operations Console and Self-Service Console are not accessible.
- When connected to the Authentication Manager server via SSH, vSphere or a direct connection, the RSA Administration server with Operations Console service is failing to start, causing all other services to fail except for the RSA Database Server service.
- Facts:
- Attempting to restart services (./rsaserv restart all) fails at the same stage.
- Rebooting the server did not resolve the issue.
- The machine’s host name is resolvable and the IP address is correct.
- Date, time and time zone on the server are all correct.
- The /opt/rsa/am/server/logs/AdminServerWrapper.log information shows the console certificate has expired. In the example below, the date stamp on the log is 30 June 2015, but the certificate expired on 21 May 2015:
INFO | jvm 1 | main | 2015/06/30 06:18:24 | Caused by: java.security.cert.CertificateExpiredException: Checked date: Tue Jun 30 06:18:23 EDT 2015 is after Certificate notAfter date: Thu May 21 22:28:48 EDT 2015.
INFO | jvm 1 | main | 2015/06/30 06:18:24 | at com.rsa.cryptoj.c.pk.a(UnknownSource)
INFO | jvm 1 | main | 2015/06/30 06:18:24 | at com.rsa.cryptoj.c.pj.checkValidity(Unknown Source)
INFO | jvm 1 | main | 2015/06/30 06:18:24 | at weblogic.security.utils.SSLContextManager.checkIdentity(SSLContextManager.java.508)
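The log check described above can be scripted. The following is an added example, not RSA tooling or part of the original article: it scans a wrapper log for the CertificateExpiredException line and reports the certificate's notAfter date and how long the failure has been recurring. The function names and the sample log (modelled on the excerpt above, with a second constructed restart attempt) are assumptions.

```shell
#!/bin/sh
# Added example, not RSA tooling. Summarises console-certificate expiry
# errors found in a wrapper log such as AdminServerWrapper.log.

# find_expired_cert LOGFILE
# Prints, per distinct certificate notAfter date: the date, the first and last
# wrapper timestamps that reported it, and the number of reports.
# Exit status: 0 = expiry found, 1 = none found, 2 = log not readable.
find_expired_cert() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    awk -F' [|] ' '
        /CertificateExpiredException/ && /Certificate notAfter date: / {
            ts = $4                          # 4th column is the wrapper timestamp
            na = $0
            sub(/.*Certificate notAfter date: /, "", na)
            sub(/\.[ |]*$/, "", na)          # drop the trailing "." and stray pipes
            if (!(na in first)) { first[na] = ts; order[++n] = na }
            last[na] = ts
            hits[na]++
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                printf "notAfter=%s first=%s last=%s hits=%d\n", k, first[k], last[k], hits[k]
            }
            exit (n ? 0 : 1)
        }' "$log"
}

# Constructed sample log: two failed start attempts hitting the same expiry.
write_sample_log() {
    cat > "$1" <<'EOF'
INFO | jvm 1 | main | 2015/06/30 06:18:24 | Caused by: java.security.cert.CertificateExpiredException: Checked date: Tue Jun 30 06:18:23 EDT 2015 is after Certificate notAfter date: Thu May 21 22:28:48 EDT 2015.
INFO | jvm 1 | main | 2015/06/30 06:18:24 | at com.rsa.cryptoj.c.pj.checkValidity(Unknown Source)
INFO | jvm 1 | main | 2015/06/30 06:41:10 | Caused by: java.security.cert.CertificateExpiredException: Checked date: Tue Jun 30 06:41:09 EDT 2015 is after Certificate notAfter date: Thu May 21 22:28:48 EDT 2015.
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
write_sample_log "$tmp"
find_expired_cert "$tmp"
rm -f "$tmp"
```

On the appliance, the same function can be pointed at /opt/rsa/am/server/logs/AdminServerWrapper.log.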
- To resolve this issue, import another valid certificate or revert to the default one that ships with Authentication Manager. The steps to revert to the original certificate supplied by RSA are below:
- Connect to the Authentication Manager server via SSH, vSphere or direct connection.
- Log in as the rsaadmin user with the current operating system password.
- Navigate to /opt/rsa/am/utils.
- Run the following command to change the console certificate from the third-party certificate to the original certificate:
./rsautil reset-server-cert -u <Operations Console administrative user> -p <Operations Console administrative password>
- After reverting to the default certificate, navigate to /opt/rsa/am/server and start the Authentication Manager services:
./rsaserv start all
- After reverting to the default certificate, the expired certificate will be listed as Inactive in the Operations Console under Deployment Configuration > Certificates > Console Certificate Management.