000030264 - Authentication Manager 8.1 Web Tier is not listening on TCP port 443

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000030264
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 Web Tier
Issue: The Web Tier is not listening on the correct port. Port 443 does not appear in the list of active connections when you issue a netstat command.
Web Tier AdminServer.log
<Error> <WebLogicServer> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1431553005608> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Identity certificate has expired: [
  Version: V3
  Serial Number: 
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: SERIALNUMBER=17963287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com
  Key: RSA (1.2.840.113549.1.1.1)
    Key value: ...
<Emergency> <Security> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1431553005686> <BEA-090034> <Not listening for SSL, java.io.IOException: Identity certificate has expired: [
  Version: V3
  Serial Number: 22155402301514726
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: SERIALNUMBER=17963287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com
imsTrace.log
@@@2015-05-13 17:34:15,108, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (EJBRemoteTarget.java:302), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, ShortName.'domain'.com,,,,Attempting downgraded connection protocol to EJB/2.1. 

@@@2015-05-13 17:34:26,030, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (EJBRemoteTarget.java:316), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, ShortName.'domain'.com,,,,Unable to connect to downgraded EJB/2.1 command server.null 
Cause: The certificate has expired and, secondarily, wildcard certificates are not supported.
The problem was reported after a Microsoft patch was applied, but reverting the patch did not fix it, nor did reinstalling the Web Tier. This means the Web Tier actually noticed the expired certificate when services were restarted.
Resolution: Replace the expired certificate. RSA recommends not using a wildcard certificate; instead, request a device certificate with a CSR for the specific fully qualified domain name (FQDN) of this server. The Common Name (CN) should equal the FQDN.
Alternatively, revert to the original RSA self-signed certificate by activating it in the Operations Console.
 
Workaround: Edit config.xml on the Web Tier and change the listen port to something other than 443.
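
A triage sketch for the log signature shown in the Issue section, added here as an example and not RSA's code: it scans AdminServer.log text for "Identity certificate has expired" entries (BEA-000297 / BEA-090034) and reports the expiry date, the subject CN and whether the CN is a wildcard. The function names and the sample log, with example.com in place of the redacted domain, are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the AdminServer.log format shown above;
# example.com stands in for the redacted domain.
SAMPLE_LOG = """\
<Error> <WebLogicServer> <ShortName> <AdminServer> <1431553005608> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Identity certificate has expired: [
  Version: V3
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.example.com, OU=Domain Control Validated, O=*.example.com
<Emergency> <Security> <ShortName> <AdminServer> <1431553005686> <BEA-090034> <Not listening for SSL, java.io.IOException: Identity certificate has expired: [
  Version: V3
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.example.com, OU=Domain Control Validated, O=*.example.com
"""

def parse_java_date(text):
    """Parse 'Sat Apr 18 20:48:30 EDT 2015'; the zone abbreviation is dropped."""
    day, mon, dom, clock, _zone, year = text.split()
    return datetime.strptime(f"{day} {mon} {dom} {clock} {year}", "%a %b %d %H:%M:%S %Y")

def find_expired_identity_certs(log_text):
    """Return one record per 'Identity certificate has expired' log entry."""
    records, current = [], None
    for line in log_text.splitlines():
        if line.startswith("<"):            # a new WebLogic log entry begins
            current = None
            if "Identity certificate has expired" in line:
                code = re.search(r"<(BEA-\d+)>", line)
                current = {"code": code.group(1) if code else None,
                           "ssl_disabled": "Not listening for SSL" in line,
                           "not_after": None, "cn": None, "wildcard": False}
                records.append(current)
        elif current is not None:           # detail line of the current entry
            to = re.match(r"\s*To:\s+(.+?)\s*$", line)
            cn = re.search(r"Subject Name:.*?CN=([^,]+)", line)
            if to:
                current["not_after"] = parse_java_date(to.group(1))
            if cn:
                current["cn"] = cn.group(1).strip()
                current["wildcard"] = current["cn"].startswith("*.")
    return records

if __name__ == "__main__":
    for rec in find_expired_identity_certs(SAMPLE_LOG):
        print(rec)
```

A record with `ssl_disabled` set corresponds to the BEA-090034 entry, which is the point at which the SSL listener on 443 is not started.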
