000030264 - RSA Authentication Manager 8.x Web Tier is not listening on TCP port 443

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Dec 13, 2019
Version 4

Article Content

Article Number: 000030264
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x Web Tier
Issue: The web tier is not listening on the correct port: port 443 does not appear in the list of active connections when a netstat command is issued. The Web Tier AdminServer.log shows:

<Error> <WebLogicServer> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'> <<WLS Kernel>> <> <> <1431553005608> <BEA-000297> <Inconsistent security configuration,
weblogic.management.configuration.ConfigurationException: Identity certificate has expired: [
  Version: V3
  Serial Number: 
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: SERIALNUMBER=17963287, CN=Go Daddy Secure Certification Authority,
OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com
  Key: RSA (1.2.840.113549.1.1.1)
    Key value: ...

<Emergency> <Security> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'> <<WLS Kernel>> <> <> <1431553005686> <BEA-090034> <Not listening for SSL,
java.io.IOException: Identity certificate has expired: [
  Version: V3
  Serial Number: 22155402301514726
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: SERIALNUMBER=17963287, CN=Go Daddy Secure Certification Authority,
OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com


The Authentication Manager imsTrace.log shows:

@@@2015-05-13 17:34:15,108, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'],
(EJBRemoteTarget.java:302), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, ShortName.'domain'.com,,,,
Attempting downgraded connection protocol to EJB/2.1. 
@@@2015-05-13 17:34:26,030, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'],
(EJBRemoteTarget.java:316), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, ShortName.'domain'.com,,,,
Unable to connect to downgraded EJB/2.1 command server.null
Cause: The virtual host certificate has expired. Secondarily, wildcard certificates are not supported.
Resolution: Replace the expired certificate. RSA recommends not using a wildcard certificate; instead, request a device certificate with a CSR for the specific fully qualified domain name (FQDN) of this server. The Common Name (CN) should equal the FQDN.

Alternatively, revert to the original RSA self-signed certificate by activating it in the Operations Console.
(Image: activate original)
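To confirm from the logs that this is the cause, the following added example (not RSA code) scans AdminServer.log text for records reporting an expired identity certificate and extracts the expiry date, subject CN and whether the CN is a wildcard. The function names, the time zone table and the abridged sample record are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, abridged from the AdminServer.log excerpt in this article.
SAMPLE_LOG = """\
<Emergency> <Security> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'> <<WLS Kernel>> <> <> <1431553005686> <BEA-090034> <Not listening for SSL,
java.io.IOException: Identity certificate has expired: [
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com
"""

# Assumption: only these zone abbreviations occur; extend for other sites.
TZ_OFFSETS = {"EDT": -4, "EST": -5, "UTC": 0, "GMT": 0}

RECORD_START = re.compile(r"(?m)^(?=<\w+> <\w+> <)")
HEADER = re.compile(r"<(\d{13})> <(BEA-\d{6})>")
NOT_AFTER = re.compile(r"(?m)^\s*To:\s+\w{3} (\w{3} +\d+ [\d:]{8}) (\w+) (\d{4})")
SUBJECT_CN = re.compile(r"Subject Name: CN=([^,\n]+)")


def parse_not_after(stamp, zone, year):
    """Convert 'Apr 18 20:48:30', 'EDT', '2015' to an aware UTC datetime."""
    local = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
    offset = timezone(timedelta(hours=TZ_OFFSETS[zone]))
    return local.replace(tzinfo=offset).astimezone(timezone.utc)


def expired_identity_certs(log_text):
    """Return one finding per log record reporting an expired identity certificate."""
    findings = []
    for record in RECORD_START.split(log_text):
        header = HEADER.search(record)
        expiry = NOT_AFTER.search(record)
        subject = SUBJECT_CN.search(record)
        if "Identity certificate has expired" not in record or not (header and expiry and subject):
            continue
        logged_at = datetime.fromtimestamp(int(header.group(1)) / 1000, tz=timezone.utc)
        not_after = parse_not_after(*expiry.groups())
        cn = subject.group(1).strip()
        findings.append({
            "code": header.group(2),
            "subject_cn": cn,
            "not_after_utc": not_after,
            "days_expired_when_logged": (logged_at - not_after).days,
            "wildcard": cn.startswith("*."),  # wildcard CNs are unsupported per this article
        })
    return findings
```

Pass the full contents of AdminServer.log to `expired_identity_certs()`; a finding with `wildcard` set means the replacement certificate should be requested for the server's FQDN rather than renewed as-is.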
 
