000033356 - How to manually update the internal SHA-1 certificates used by earlier versions of Authentication Manager after upgrading to RSA Authentication Manager 8.2

Document created by RSA Customer Support Employee on Jun 17, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033356
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
 

Issue

Quick Setup generates internal SHA-256 certificates by default for communication between RSA Authentication Manager 8.2 components, such as primary and replica instances and the web tier.
The SHA-256 digital certificates uses the “SHA256withRSA” digital signature algorithm. The upgrade to RSA Authentication Manager 8.2 does not update the internal SHA-1 certificates used by earlier versions of Authentication Manager.
If your organization has policies that require you to use SHA-256 certificates for all network connections, you can run a command-line utility that upgrades the internal certificates to SHA-256.

Tasks

To upgrade the certificates, you must run the utility on the primary instance and each replica instance.
If your deployment includes a web tier, you must re-install the web tier and re-enable the virtual host.
You must generate and distribute new configuration files to any IPv4/IPv6 authentication agents or custom agents that were created with the RSA Authentication Agent API 8.5 or later for C or the RSA Authentication Agent API 8.5 or later for Java.
You might also need to add the new certificates to the list of trusted CAs for your web browser and to any Authentication Manager administrative SDK connections

ResolutionBefore You Begin:
• You must be an Operations Console Administrator.
• Obtain the rsaadmin operating system password for the primary instance and each replica instance.
• Secure shell (SSH) must be enabled on every appliance in your deployment.

Procedure:
1. Launch the SSH client, and connect to the primary instance using the IP address or fully qualified hostname.
2. When prompted, type the operating system User ID, rsaadmin, and press ENTER.
3. When prompted, type the password for the rsaadmin operating system account, and press ENTER.
4. Change directories to /opt/rsa/am/utils. Type:
cd /opt/rsa/am/utils/
and press ENTER.
5. Run manage-ssl-cert to upgrade the certificates to SHA-256. Type:
./rsautil manage-ssl-cert --regen-internal-ca
6. When prompted, enter your Operations Console administrator User ID, and press ENTER.
7. When prompted, enter your Operations Console administrator password, and press ENTER.
When the internal certificates have been upgraded to SHA-256, the following message appears:
Created backup of current keystores at:
/opt/rsa/am/server/security/JKS_BACKUP_number
Customer-provided SSL certificates were retained.
Created primary keystore ZIP: primary-keystores.zip Command completed successfully.
where number is a uniquely generated value
8. Copy the primary-keystores.zip file to the /opt/rsa/am/utils directory on each replica instance in your deployment. For example, use Secure FTP.
9. Restart the primary instance for the changes to take effect. Do the following:
a. Change the directory. Type cd /opt/rsa/am/server and press ENTER.
b. Type ./rsaserv restart all and press ENTER.
10. On the primary instance, close the SSH client. Type exit and press ENTER.
11. You must now upgrade the certificates on each replica instance. Launch the SSH client, and connect to the replica instance using the IP address or fully qualified hostname.
12. When prompted, type the operating system User ID, rsaadmin, and press ENTER.
13. When prompted, type the password for the rsaadmin operating system account, and press ENTER.
14. Change directories to /opt/rsa/am/utils. Type:
cd /opt/rsa/am/utils/
and press ENTER.
15. Run manage-ssl-cert to upgrade the certificates to SHA-256. On a replica instance this command uses the --keystore option to pass the name of the primary-keystores.zip file. Type:
./rsautil manage-ssl-cert --regen-internal-ca --keystore-zip primary-keystores.zip
16. When prompted, enter your Operations Console administrator User ID, and press ENTER.
17. When prompted, enter your Operations Console administrator password, and press ENTER.
When the internal certificates have been upgraded to SHA-256, the following message appears:
Created backup of current keystores at:
/opt/rsa/am/server/security/JKS_BACKUP_number
Command completed successfully.
where number is a uniquely generated value.
18. Restart the replica instance for the changes to take effect. Do the following:
a. Change the directory. Type cd /opt/rsa/am/server and press ENTER.
b. Type ./rsaserv restart all and press ENTER.
19. On the replica instance, close the SSH client. Type exit and press ENTER.
20. Repeat step 11 through step 19 for each replica instance.
 
Notes

see documentation including 


TLS12UpdateGuide.pdf

Attachments

    Outcomes