000019942 - Unable to change passphrases for Secure Directory Server & Certificate Management Protocol (CMP)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000019942
Applies To: Keon Certificate Authority 6.5 on Sun Solaris 2.8
Issue: Unable to change passphrases for Secure Directory Server & Certificate Management Protocol (CMP).
The Workbench message reads "All the Server Keys PassPhrase are now changed", but the "SSL key passphrase" for some or all of the servers has not actually been changed.
Cause: The ownership of some of the installed files does not allow this action to take place. During the UNIX script phase of the installation, the key and certificate files under Xudad/ssl and CmpServer/ssl (the Secure Directory Server and the CMP server) are installed owned by root:other, so the account selected during the browser phase of the installation, which runs the web server and the workbench, cannot update them. The files are deliberately installed this way to provide the level of security expected on the installed system; the workbench nevertheless reports the change as successful.
Resolution: A workaround is available: temporarily change the ownership of the UNIX files so that the web-server account can write them and the passphrase change succeeds, then reset the ownership to re-secure the system. Both scripts below must be run as root (only root can change ownership to and from root:other) from the KCA installation directory, that is, the directory containing Xudad/, CmpServer/, WebServer/ and LogServer/. Create a script called chperms.sh as follows:
 
#!/bin/sh
#
# Script to reconfigure ownership of certificate and key files in KCA 6.5
# Run as root from the KCA installation root (the directory that contains
# Xudad/, CmpServer/, WebServer/ and LogServer/).
#
USAGE="SYNTAX:     chperms.sh -u <user> -g <group>"
#
while getopts u:g: a
do
        case $a in
                u)      OWNER=$OPTARG;;
                g)      GOWNER=$OPTARG;;
                \?)     echo "$USAGE"
                        exit 1;;
        esac
done
# Refuse to run with an empty user or group; "chown -R : dir" would fail
# half-way and leave the tree in a mixed state.
if [ -z "$OWNER" ] || [ -z "$GOWNER" ]; then
        echo "$USAGE"
        exit 1
fi
# Solaris /bin/sh: \c suppresses the newline so "Done." follows on the same line
echo "Setting ownership to ${OWNER}:${GOWNER} ...\c"
chown -R ${OWNER}:${GOWNER} Xudad/ssl
chown -R ${OWNER}:${GOWNER} CmpServer/ssl
chown -R ${OWNER}:${GOWNER} WebServer/ssl
chown -R ${OWNER}:${GOWNER} LogServer/ssl
chown -R ${OWNER}:${GOWNER} LogServer/sign
echo "Done."
#
# END

The syntax is: ./chperms.sh -u <user> -g <group>
where the user and group values are those you specified in the web-based portion of the installation when you were prompted for the user and group that will run the web server. After you have run this script and changed the passphrase from the workbench, run a second script, resetperms.sh, to reset the ownership back to its correct values:

#!/bin/sh
#
# Script to reconfigure ownership of certificate and key files in KCA 6.5
# Run as root from the KCA installation root (the directory that contains
# Xudad/, CmpServer/, WebServer/ and LogServer/).
#
USAGE="SYNTAX:     resetperms.sh -u <user> -g <group>"
#
while getopts u:g: a
do
        case $a in
                u)      OWNER=$OPTARG;;
                g)      GOWNER=$OPTARG;;
                \?)     echo "$USAGE"
                        exit 1;;
        esac
done
if [ -z "$OWNER" ] || [ -z "$GOWNER" ]; then
        echo "$USAGE"
        exit 1
fi
echo "Setting ownership to ${OWNER}:${GOWNER} for LogServer and WebServer, root:other for Xudad and CmpServer ...\c"
# Xudad and CmpServer keys go back to root so the web-server account cannot read them
chown -R root:other Xudad/ssl
chown -R root:other CmpServer/ssl
chown -R ${OWNER}:${GOWNER} WebServer/ssl
chown -R ${OWNER}:${GOWNER} LogServer/ssl
chown -R ${OWNER}:${GOWNER} LogServer/sign
echo "Done."
#
# END

The syntax is: ./resetperms.sh -u <user> -g <group>

Remember to set the execute bit on the two scripts, for example: chmod +x resetperms.sh chperms.sh
Also ensure that the scripts can only be read and run by authorized users (for example chmod 700, since they must be run as root anyway), and do not leave the system in the "open" state any longer than the passphrase change requires.
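Because the workbench reports success even when some passphrases were not changed, it is worth confirming the ownership state of the five key directories both before the passphrase change (everything owned by the web-server account) and after resetperms.sh (Xudad/ssl and CmpServer/ssl back to root:other, the rest still owned by the web-server account). The following POSIX sh script is an added example and is not part of the RSA article or of the KCA product. The directory list and the root:other owner are taken from the two scripts above; the function names, the "open"/"secure" mode names and the example account "www" are assumptions introduced here. It relies only on find -user/-group, which exist on Solaris and Linux, and avoids the Solaris-only echo escapes.

```shell
#!/bin/sh
# Added example, not from the RSA article: report whether the five KCA 6.5
# key directories are in the "open" state (all owned by the web-server
# user:group, required while the workbench changes the passphrases) or the
# "secure" state (Xudad/ssl and CmpServer/ssl back to root:other).
# Directory list and root:other come from chperms.sh/resetperms.sh; the
# function and mode names are assumptions made for this example.

KCA_DIRS="Xudad/ssl CmpServer/ssl WebServer/ssl LogServer/ssl LogServer/sign"

# check_owner DIR USER GROUP
# Prints every entry under DIR (DIR itself included) not owned by USER:GROUP.
# Returns 0 when everything matches, 1 on a mismatch, 2 when DIR is missing
# or USER/GROUP is not known to the system (find rejects the name).
check_owner() {
    dir=$1 u=$2 g=$3
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir" >&2
        return 2
    fi
    # A failing find (unknown user/group, unreadable subtree) must not be
    # mistaken for "no mismatches found", so its status is checked explicitly.
    if ! bad=$(find "$dir" \( ! -user "$u" -o ! -group "$g" \) -print 2>&1); then
        echo "cannot check $dir: $bad" >&2
        return 2
    fi
    if [ -n "$bad" ]; then
        echo "not owned by $u:$g under $dir:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# check_state ROOT open|secure USER GROUP
# ROOT is the KCA installation root; USER/GROUP is the web-server account
# chosen in the browser phase of the installation. Returns the worst
# check_owner result over all five directories (0 = state confirmed).
check_state() {
    root=$1 mode=$2 wu=$3 wg=$4 worst=0
    for rel in $KCA_DIRS; do
        case "$mode:$rel" in
            secure:Xudad/ssl|secure:CmpServer/ssl)
                check_owner "$root/$rel" root other ;;
            *)
                check_owner "$root/$rel" "$wu" "$wg" ;;
        esac
        rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return $worst
}

# Usage: sh kca_checkperms.sh open|secure USER GROUP [KCA_ROOT]
#   before the passphrase change (after chperms.sh):  sh kca_checkperms.sh open www www .
#   after resetperms.sh:                              sh kca_checkperms.sh secure www www .
# "www" stands for whatever web-server account was given at installation.
if [ $# -ge 3 ]; then
    check_state "${4:-.}" "$1" "$2" "$3"
fi
```

A non-zero exit after resetperms.sh means a key file is still owned by the web-server account (or a directory is missing), which is exactly the condition the workbench fails to report; a non-zero exit before the passphrase change means chperms.sh did not cover a file and the change will silently fail again.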
Workaround: Option to Change-Passphrase was selected from the Administrator Options workbench
Legacy Article ID: a14653
