Resolution | - Download and extract/install the following:
- Export the server root certificate and import it to the client JKS.
Export Method I:
- Log on to the RSA Authentication Manager primary via SSH.
- Navigate to /opt/rsa/am/appserver/jdk/jre/bin.
- Run the following keytool command to export the root certificate. Press Enter when asked for a password.
./keytool -export -keystore /opt/rsa/am/server/security/trust.jks -file am_root.cer -alias rsa-am-ca
Alias rsa-am-ca
Enter keystore password: <Enter>
****************** WARNING WARNING WARNING ******************
* The integrity of the information stored in your keystore *
* has not been verified! in order to verify its integrity, *
* you must provide your keystore password. *
****************** WARNING WARNING WARNING ******************
Certificate stored in file <am_root.cer>
- Get a directory listing of /opt/rsa/appserver/jdk/jre/bin.
cd /opt/rsa/appserver/jdk/jre/bin
ls -ltr
total 2636
-rwxr--r-- 1 rsaadmin rsaadmin 186333 Sep 11 2013 unpack200
-rwxr--r-- 1 rsaadmin rsaadmin 272145 Sep 20 2013 tnameserv
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 servertool
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 rmiregistry
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 rmid
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 policytool
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 pack200
-rwxr--r-- 1 rsaadmin rsaadmin 272081 Sep 20 2013 orbd
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 keytool
-rwxr--r-- 1 rsaadmin rsaadmin 270119 Sep 20 2013 java
-rw-r--r-- 1 root root 922 Jul 27 12:50 am_root.cer
- Download the am_root.cer. The location of the file is not restricted. You can put it wherever you like; for example, C:\am_sdk\ssl\am_root.cer.
Export Method II:
Alternatively, we can export the certificate via Internet Explorer.
- Launch Internet Explorer, and go to https://server_name:7002. The Error 404 page appears.
- Right click anywhere on the Error 404 page and select Properties.
- In the Properties dialog box, click Certificates.
- In the Certificate dialog box, select the Certification Path tab.
- Click the top item in the certificate path.
- Click View Certificate.
- In the Certificate dialog box, click the Details tab.
- Click Copy to File.
- On the Certificate Export Wizard page, click Next.
- On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.
- On the File to Export page, click Browse.
- Browse to a location to store the root certificate, enter am_root.cer in the File name field. Make sure that Save as type is set to DER Encoded Binary X.509(*.cer), and click Save.
- On the File to Export page, click Next.
- On the Completing the Certificate Export page, click Finish.
- Click OK.
Import Method:
- Import the am_root.cer to a local JKS. The location for local JKS is not restricted. For example, C:\am_sdk\ssl\trust.jks.
cd <JDK> or <JRE>\bin
keytool -import -keystore "C:\am_sdk\ssl\trust.jks" -storepass changeit -file "C:\am_sdk\ssl\am_root.cer" -alias rsa_am_ca -trustcacerts
Owner: SERIALNUMBER=05465834828b8489f116a70d4fdbedd21bf4907b388274773ee2cd4f2a62f6e8, CN=marge.csau.ap.rsa.net
Issuer: SERIALNUMBER=404fac110b5bf2748c37b18e1429487ba98c863b561f89ac8b50ea7140c1f5cc, CN=RSA root CA for marc.csau.ap.rsa.net
Serial number: 3b38b92d61f2b7857e884b32c9245ac1
Valid from: Wed Oct 05 06:34:48 CST 2016 until: Mon Oct 05 05:34:48 2036
Certificate fingerprints:
MD5: 78:EA:0F:55:1B:2C:EE:01:93:32:5D:B7:4E:A4:3E:B4
SHA1: 48:BC:2D:C4:8A:82:5A:9C:94:80:F0:CF:94:9D:9C:8B:FE:C3:A7:9A
SHA256: 06:B2:5A:63:A3:D9:39:3B:CB:18:25:E7:35:CA:51:0C:C0:4F:98:35:1C:
2F:71:18:B5:34:AA:17:37:50:EA:9F
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectID: 2.5.29.19 Criticality=true
BasicContraints:[
CA:false
PathLen: undefined
]
Trust this certificate? [no] yes
Certificate was added to keystore
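Before answering yes at the "Trust this certificate?" prompt, the SHA256 fingerprint keytool displays can be compared with the fingerprint of the file exported over SSH in Export Method I. The Python below is an added example, not part of the original article or the RSA SDK; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def to_der(data: bytes) -> bytes:
    """Return DER bytes; accepts a DER file or a PEM (Base-64) export."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def sha256_fp(data: bytes) -> str:
    """SHA-256 fingerprint of the certificate file in keytool's AA:BB:.. form."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def keytool_sha256(output: str) -> str:
    """Extract the SHA256 fingerprint from keytool output, even when the
    terminal wrapped it across two lines as in the listing above."""
    m = re.search(r"SHA-?256:\s*((?:[0-9A-Fa-f]{2}:?\s*){32})", output)
    if not m:
        raise ValueError("no SHA256 fingerprint in keytool output")
    return re.sub(r"\s+", "", m.group(1)).upper().rstrip(":")

def same_cert(cert_file_bytes: bytes, keytool_output: str) -> bool:
    """True only if the file hashes to the fingerprint keytool displayed."""
    return hmac.compare_digest(sha256_fp(cert_file_bytes),
                               keytool_sha256(keytool_output))

# Constructed stand-in bytes (not a real certificate): the fingerprint is a
# hash over the file's DER bytes, so any byte string exercises the check.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
_fp = sha256_fp(SAMPLE_DER)
# Constructed keytool-style output, wrapped mid-fingerprint.
SAMPLE_OUTPUT = ("Certificate fingerprints: MD5: 00:11 SHA1: 22:33 "
                 f"SHA256: {_fp[:63]} \n{_fp[63:]} "
                 "Signature algorithm name: SHA256withRSA")

if __name__ == "__main__":
    print("match" if same_cert(SAMPLE_PEM, SAMPLE_OUTPUT) else "MISMATCH")
```

In practice, read the bytes of am_root.cer from the copy obtained over SSH and paste the keytool output shown on the client; a mismatch means the file being imported is not the one exported from the server.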
- Replace the Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files:
- Download the Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files. For different versions of the JDK, please download the correct file versions.
- Back up the existing JCE files in <JRE>/lib/security/, then replace them with the new ones. These are:
- local_policy.jar,
- US_export_policy.jar
- Set up the SDK in Eclipse
- Create a new project.
- Select the Java Project from Existing Ant Buildfile option in the wizard.
- Select the build.xml file in the <SDK>\samples\admin directory.
- Configure the build path
- Right click on the project.
- Select Build Path > Configure Build Path...
- Add external libraries. Add all of the .jar files under <SDK>\lib\java to the Java Build Path.
- Import and edit config.properties in Eclipse
- Import the config.properties by right clicking on the project then choosing Import > File System and selecting <SDK>\samples\admin\config.properties.
- SSH to the RSA Authentication Manager server and navigate to /opt/rsa/am/utils.
- Capture both the Command API Client User ID and Command API Client User Password by running the command below:
./rsautil manage-secrets --action list
Please enter OC Administrator username: <enter the name of an Operations Console administrator>
Please enter OC Administrator password: <enter the password for the Operations Console administrator>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_06q3iicq
Command API Client User Password ......................: V5KNLLjnJD81NyRfzi7L71xKV0towQ
SSL Server Identity Certificate Private Key Password ..: bOyxnV032yVRMQWnFftb4fNG7xq9VP
SSL Server Identity Certificate Keystore File Password : UVPAsZhN4eWyh1pb3RSAY3MgIUtZNL
Root Certificate Private Key Password .................: djLvIilLRqDNZfwgkVc9ZgTLBQrAX6
Root Certificate Keystore File Password ...............: Ttw14wO6zVzCatRLrYHDS9nkPKfYnl
The "listkeys" action displays the key names to use when setting the values.
- Double click to open config.properties in Eclipse.
- Replace the text in the file as shown in the sample below, using the values in your system.
# Server URL. NOTE: Replace local1 with the hostname of the managed server
java.naming.provider.url = t3s://marge.csau.ap.rsa.net:7002
# User ID for process-level authentication.
com.rsa.cmdclient.user = CmdClient_06q3iicq
# Password for process-level authentication
com.rsa.cmdclient.user.password = V5KNLLjnJD81NyRfzi7L71xKV0towQ
# SOAPCommandTargetBasicAuth provider URL
ims.soap.client.provider.url = https://marge.csau.ap.rsa.net:7002/ims-ws/services/CommandServer
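A consistency check for the edited config.properties, as an added example (not part of the original article or the SDK): it confirms that both URLs use TLS schemes and the same host and port, that the local1 placeholder is gone, and that the Command API credentials are filled in. The host name and credentials in the samples are constructed.

```python
from urllib.parse import urlsplit

REQUIRED = ("java.naming.provider.url", "com.rsa.cmdclient.user",
            "com.rsa.cmdclient.user.password", "ims.soap.client.provider.url")

def parse_properties(text: str) -> dict:
    """Minimal key = value reader for the four settings shown above."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_config(text: str) -> list:
    """Return a list of findings; an empty list means the file looks sane."""
    props = parse_properties(text)
    findings = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    t3 = urlsplit(props.get("java.naming.provider.url", ""))
    soap = urlsplit(props.get("ims.soap.client.provider.url", ""))
    if t3.scheme != "t3s":
        findings.append("java.naming.provider.url is not t3s:// (no TLS)")
    if soap.scheme != "https":
        findings.append("ims.soap.client.provider.url is not https://")
    if "local1" in (t3.hostname, soap.hostname):
        findings.append("placeholder host local1 was not replaced")
    if (t3.hostname, t3.port) != (soap.hostname, soap.port):
        findings.append("the two URLs point at different host:port pairs")
    return findings

# Constructed sample files (hypothetical host and credentials).
GOOD = """\
java.naming.provider.url = t3s://am.example.test:7002
com.rsa.cmdclient.user = CmdClient_example
com.rsa.cmdclient.user.password = not-a-real-password
ims.soap.client.provider.url = https://am.example.test:7002/ims-ws/services/CommandServer
"""
BAD = (GOOD.replace("t3s://am.example.test:7002", "t3://local1:7001")
           .replace("not-a-real-password", ""))

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_config(text) or "ok")
```

Because the file holds the Command API password in clear text, keep it out of version control and readable only by the account that runs the SDK client.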
- Modify launch parameters
- In Eclipse, right click on Project.
- Select Run As > Run Configurations > admin. (This is the default configuration name of Admin SDK).
- Add the parameters below, modifying the values accordingly. (superadmin/P@55w0rd is the Security Console login credential)
[Program Arguments] list-users superadmin P@55w0rd
[VM Arguments] -Dweblogic.security.SSL.trustedCAKeyStore="C:\am_sdk\ssl\trust.jks" -Dbea.home="<SDK>\lib\java" -Dsun.lang.ClassLoader.allowArraySyntax=true
- Test the code.
|