000034743 - Aveksa Remote agent fails to start using RSA Identity Governance and Lifecycle with server certificate errors

Document created by RSA Customer Support Employee on Jan 27, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000034743
Applies To: RSA Product Set: Identity Governance and Lifecycle
RSA Product/Service Type: Appliance
Platform: JBoss
 
Issue: Attempting to start the Aveksa agent fails with the following server certificate errors:
 
INFO [com.aveksa.server.certificates.CertificateManager] Get X509Certificate $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem
ERROR [com.aveksa.server.certificates.CertificateManager] invalid stream header: 2D2D2D2D
ERROR [com.aveksa.server.certificates.CertificateManager] Could not load certificate: $EAR/aveksa.war/WEB-INF/certs/ca/cacert.pem from database.
ERROR [com.aveksa.server.agent.message.ExceptionMessage] com.aveksa.server.agent.message.ConnectionException: Server has no Certificate of Authority. Subject DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US. Issuer DN: CN=acm-691,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US
   at com.aveksa.AgentServlet.serverCertificateNoCertAvailableResponse(AgentServlet.java:192)
   at com.aveksa.AgentServlet.authenticateAgent(AgentServlet.java:226)
   at com.aveksa.AgentServlet.doPost(AgentServlet.java:99)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:75)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
   at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
   at java.lang.Thread.run(Thread.java:701)
Cause: The root (server) certificate held by the client (agent) does not match the root certificate on the server.
 
Resolution: To resolve this error, generate a new root (server) certificate, redeploy the certificate on the server, restart the RSA Identity Governance and Lifecycle application, and redeploy the remote agent. In outline:
  1. Update the servers.
  2. Update the remote collector agents, if any.

Update the root certificate and Certificate Authority (CA).

  1. In the UI, go to Admin > System > Security.
  2. Under Server Certificate Store for Agent SSL Connections, click the Change Certificate Store button.
  3. This will generate a new certificate.
     [screenshot]
  4. You will get a dialog warning message.
     [screenshot]
  5. Click OK to change the root certificate and CA.
  6. Click the Download button, and save the server.keystore to a location on your computer.
  7. Go to the location on the server where your server reads the keystore, back it up, and replace it with the new server.keystore.

  • For 6.8.1, 6.9.0 and 6.9.1, the default location of server.keystore on a JBoss appliance is: $HOME/jboss-4.2.2.GA/server/default/conf/keystore.
  • For 7.0.0 and 7.0.1, the default location of server.keystore on a WildFly appliance is: /home/oracle/keystore.

  8. Go to the keystore directory (choose the path for your version):
$ su oracle
$ cd $HOME/jboss-4.2.2.GA/server/default/conf/keystore    (6.8.1, 6.9.0, 6.9.1 on JBoss)
$ cd /home/oracle/keystore                                (7.0.0, 7.0.1 on WildFly)

  9. Back up the existing server.keystore:
$ mv server.keystore server.keystore.bak

  10. Save the new server.keystore file to this location, replacing the existing server.keystore with the new server.keystore generated in step 2.
  11. Using the keytool command, save the output of the fingerprint section:
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore server.keystore -alias aveksa_ca
Alias name: aveksa_ca
Created date: Jan 25, 2017
Entry type: trustedCertEntry
Owner: CN=aveksa_ca, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Issuer: CN=aveksa_ca, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Serial number: 35f31f98ef9cb22d9bd921ef35bbdce49e2a6b8
Valid from: Wed Jan 25 18:28:03 EST 2017 until: Fri Nov 19 18:28:03 EST 2027
Certificate fingerprints:
         MD5:  BB:F9:92:3F:F8:2E:88:FD:10:B0:6C:B8:43:45:D9:0B
         SHA1: E4:F5:7A:8F:84:36:13:A1:6D:A0:A7:16:05:D8:7E:C6:D1:04:56:F3
         Signature algorithm:
         Version: 3

  12. Restart RSA Identity Governance and Lifecycle:
$ su oracle
$ acm restart

  13. Go back to the UI and navigate to Collector > Agents.
  14. Click on the agent and select Download Agent.
  15. Save the AveksaAgent.zip file.
     [screenshot]

  16. Transfer the AveksaAgent.zip to the server and unzip it:
$ unzip AveksaAgent.zip

  17. Go to AveksaAgent/conf/ and, using the following command, confirm that the fingerprint matches the fingerprint of the server from step 11 above:
$ cd AveksaAgent/conf
$ keytool -list -v -storepass Av3k5a15num83r0n3 -keystore client.keystore -alias aveksa_ca

  18. Start the Aveksa agent:
$ service aveksa_agent start

  19. The following is sample output from aveksaAgent.log (found under the AveksaAgent/logs directory) for a successful agent start:
01/25/2017 18:41:41.359 INFO  (main) [com.aveksa.client.datacollector.startup.Bootstrap] Initializing bootstrap of agent
01/25/2017 18:41:41.424 INFO  (main) [com.aveksa.client.datacollector.startup.agent.AgentShutDownHook] ASDH20: Created ShutDownHook with ID: Thread-0
01/25/2017 18:41:41.452 INFO  (main) [com.aveksa.client.datacollector.agent.AgentConfiguration] COMPLETED method=LoadProperties https://192.168.26.113:8444/aveksa/agent.submit, 21
01/25/2017 18:41:41.452 INFO  (main) [com.aveksa.client.datacollector.agent.AgentConfiguration] Setting trust store to: /home/oracle/AveksaAgent/conf/client.keystore
01/25/2017 18:41:41.452 INFO  (main) [com.aveksa.client.datacollector.agent.AgentConfiguration] Setting key store to: /home/oracle/AveksaAgent/conf/client.keystore
01/25/2017 18:41:41.474 INFO  (main) [com.aveksa.client.datacollector.agent.AgentConfiguration] Aveksa Product Version: 6.9.1
01/25/2017 18:41:41.535 INFO  (main) [com.aveksa.client.component.communication.DefaultCommunicationManager] DCM82: Initiating handshake with server
01/25/2017 18:41:42.338 INFO  (main) [com.aveksa.client.component.communication.DefaultCommunicationManager] DCM120: Successfully completed handshake with server COMPLETED method=Init
01/25/2017 18:41:42.380 INFO  (main) [com.aveksa.client.datacollector.agent.Agent] method=DoWork com.aveksa.client.component.cache.FileSystemCache@52e52123
01/25/2017 18:41:42.381 INFO  (main) [com.aveksa.client.datacollector.agent.Agent] A121: Data encoding is enabled. method=doWork subTask=createEncoder
01/25/2017 18:41:42.385 INFO  (main) [com.aveksa.common.encoder.DataEncoder] Successfully created the encoder instance from the given encoder properties <{encoder-class=com.aveksa.common.encoder.spi.xml.XmlDataEncoder}> SUCCESS method=createEncoder encoder-class=com.aveksa.common.encoder.spi.xml.XmlDataEncoder
01/25/2017 18:41:42.385 INFO  (main) [com.aveksa.client.datacollector.agent.Agent] A123: Created encoder object! SUCCESS method=doWork subTask=createEncoder encoder-class=com.aveksa.common.encoder.spi.xml.XmlDataEncoder
01/25/2017 18:41:42.396 INFO  (main) [com.aveksa.client.component.communication.DefaultCommunicationManager] DCM102: Created Polling Thread to Ping Server for changes. Ping Interval is 10000.
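As an added check that is not part of the RSA article, the script below automates the fingerprint comparison from step 17: it reads the aveksa_ca SHA1 fingerprint that keytool -list -v reports for server.keystore and for the agent's client.keystore and fails when they differ or the alias is missing. It assumes a JDK keytool on PATH and the store password quoted in the article; the sample listing embedded for offline use is constructed from the output shown in step 11.

```shell
#!/bin/sh
# Added example, not from the RSA article: compare the aveksa_ca SHA1
# fingerprint reported by "keytool -list -v" for server.keystore and the
# agent's client.keystore, the check described in step 17 of the procedure.
# Assumes JDK keytool on PATH and the store password quoted in the article.

STOREPASS='Av3k5a15num83r0n3'
ALIAS='aveksa_ca'

# Read "keytool -list -v" output on stdin and print its SHA1 fingerprint.
sha1_from_keytool_output() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1 | tr -d '[:space:]'
}

# Print the SHA1 fingerprint of ALIAS in the keystore file given as $1.
keystore_sha1() {
    keytool -list -v -storepass "$STOREPASS" -keystore "$1" -alias "$ALIAS" 2>/dev/null \
        | sha1_from_keytool_output
}

# Succeed only when both fingerprints are present and identical; an empty
# value means the alias was not found (for example a stale or wrong keystore).
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample of the listing shown in step 11 (for offline use).
SAMPLE_SERVER_LISTING='Alias name: aveksa_ca
Entry type: trustedCertEntry
Certificate fingerprints:
         MD5:  BB:F9:92:3F:F8:2E:88:FD:10:B0:6C:B8:43:45:D9:0B
         SHA1: E4:F5:7A:8F:84:36:13:A1:6D:A0:A7:16:05:D8:7E:C6:D1:04:56:F3'

# Usage with real keystores after step 16 (hypothetical script name):
#   sh check_agent_ca.sh /home/oracle/keystore/server.keystore AveksaAgent/conf/client.keystore
if [ "$#" -eq 2 ]; then
    server_fp=$(keystore_sha1 "$1")
    client_fp=$(keystore_sha1 "$2")
    if fingerprints_match "$server_fp" "$client_fp"; then
        echo "OK: server and agent keystores share aveksa_ca SHA1 $server_fp"
    else
        echo "MISMATCH: server=[$server_fp] client=[$client_fp]; redeploy the agent" >&2
        exit 1
    fi
fi
```

A non-zero exit here means the agent zip was downloaded before the server was restarted with the new keystore, or the wrong keystore was replaced; repeat from step 12.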
Notes: When changing the server certificate, if you use AFX you will also need to redeploy the certificate for AFX.
See the article "RSA Identity Governance and Lifecycle Access Fulfillment Express (AFX) Server fails to start with message: WARNING!! Timed out waiting for AFX applications to start" for the steps to redeploy AFX.
