000034753 - Configure RSA Authentication Manager 8.x software developer kit (SDK)

1. Download and extract the RSA Authentication Manager 8.4 SDK.
2. Install the Java Developer's Kit (JDK), using Java 1.8 and above.
3. Install Eclipse.
4. Replace the Java Cryptography Extension (JCE).
5. Export an RSA Authentication Manager root cert, import to local JKS
6. Setup  a new project in Eclipse.
7. Configure the new project.
8. Run the code.

1. Download and extract/install the following:

• The Latest - RSA Authentication Manager 8.4 SDK.
• The Java SE 8 SDK (use Java 1.8 and above).
•  The Eclipse Java Integrated Development Environment (IDE).

2. Export the server root certificate and import it to the client JKS.

1. Logon to the RSA Authentication Manager primary via SSH.
2. Navigate to /opt/rsa/am/appserver/jdk/jre/bin.
3. Run the following keytool command to export the root certificate.  Press Enter when asked for a password.

./keytool -export -keystore /opt/rsa/am/server/security/trust.jks -file am_root.cer -alias rsa-am-ca     
Alias rsa-am-ca
Enter keystore password:  <Enter>
****************** WARNING WARNING WARNING ******************
* The integrity of the information stored in your keystore  *
* has not been verified!  in order to verify its integrity, *
* you must provide your keystore password.                  *
****************** WARNING WARNING WARNING ******************

Certificate stored in file <am_root.cer> 

4. Get a directory listing of /opt/rsa/appserver/jdk/jre/bin.

cd /opt/rsa/appserver/jdk/jre/bin
ls -ltr 
total 2636
-rwxr--r-- 1 rsaadmin rsaadmin 186333 Sep 11 2013 unpack200
-rwxr--r-- 1 rsaadmin rsaadmin 272145 Sep 20 2013 tnameserv
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 servertool
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 rmiregistry
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 rmid
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 policytool
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 pack200
-rwxr--r-- 1 rsaadmin rsaadmin 272081 Sep 20 2013 orbd
-rwxr--r-- 1 rsaadmin rsaadmin 272191 Sep 20 2013 keytool
-rwxr--r-- 1 rsaadmin rsaadmin 270119 Sep 20 2013 java
-rw-r--r-- 1 root     root     922 Jul 27 12:50 am_root.cer

5. Download the am_root.cer.  The location of the file is not restricted.  You can put it wherever you like; for example, C:\am_sdk\ssl\am_root.cer.
    

1. Launch Internet Explorer, and go to https://server_name:7002. The Error 404 page appears.
2. Right click anywhere on the Error 404 page and select Properties.
3. In the Properties dialog box, click Certificates.
4. In the Certificate dialog box, select the Certification Path tab.
5. Click the top item in the certificate path.
6. Click View Certificate.
7. In the Certificate dialog box, click the Details tab.
8. Click Copy to File.
9. On the Certificate Export Wizard page, click Next.
10. On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.
11. On the File to Export page, click Browse.
12. Browse to a location to store the root certificate, enter am_root.cer in the File name field.  Make sure that Save as type is set to DER Encoded Binary X.509(*.cer), and click Save.
13. On the File to Export page, click Next.
14. On the Completing the Certificate Export page, click Finish.
15. Click OK.

1. Import the am_root.cer to a local JKS.  The location for local JKS is not restricted. For example, C:\am_sdk\ssl\trust.jks.

cd <JDK> or <JRE>\bin
keytool -import -keystore "C:\am_sdk\ssl\trust.jks" -storepass changeit -file "C:\am_sdk\ssl\am_root.cer" -alias rsa_am_ca –trustcacerts
Owner: SERIALNUMBER=05465834828b8489f116a70d4fdbedd21bf4907b388274773ee2cd4f2a62f6e8, CN=marge.csau.ap.rsa.net
Issuer: SERIALNUMBER=404fac110b5bf2748c37b18e1429487ba98c863b561f89ac8b50ea7140c1f5cc, CN=RSA root CA for marc.csau.ap.rsa.net
Serial number: 3b38b92d61f2b7857e884b32c9245ac1
Valid from: Wed Oct 05 06:34:48 CST 2016 until: Mon Oct 05 05:34:48 2036
Certificate fingerprints:
         MD5: 78:EA:0F:55:1B:2C:EE:01:93:32:5D:B7:4E:A4:3E:B4
         SHA1: 48:BC:2D:C4:8A:82:5A:9C:94:80:F0:CF:94:9D:9C:8B:FE:C3:A7:9A
         SHA256: 06:B2:5A:63:A3:D9:39:3B:CB:18:25:E7:35:CA:51:0C:C0:4F:98:35:1C:
2F:71:18:B5:34:AA:17:37:50:EA:9F
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectID: 2.5.29.19 Criticality=true
BasicContraints:[
  CA:false
  PathLen: undefined
]
Trust this certificate? [no] yes
Certificate was added to keystore

3. Replace the Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files:
   
   1. Download the Java Cryptography Extension Unlimited Strength Jurisdiction Policy Files. For different versions of the JDK, please download the correct file versions.
   2. Backup the existing JCE files in <JRE>/lib/security/, then replace with new ones.  These are:  

• local_policy.jar,
• US_export_policy.jar

4. Setup the SDK in Eclipse
   
   1. Create a new project.
   2. Select the Java Project from Existing Ant Buildfile option in the wizard.
   3. Select the build.xml file in the <SDK>\samples\admin directory.

5. Configure the build path
   
   1. Right click on the project.
   2. Select Build Path > Configure Build Path...
   3. Add external libraries. Add all of the .jar files under <SDK>\lib\java to the Java Build Path.

6. Import and edit config.properties in Eclipse
   
   1. Import the config.properties by right clicking on the project then choosing Import > File System and selecting <SDK>\samples\admin\config.properties.
   2. SSH to the RSA Authentication Manager server and navigate to /opt/rsa/am/utils.
   3. Capture both the Command API Client User ID and Command API Client User Password by running the command below:

./rsautil manage-secrets --action list
Please enter OC Administrator username: <enter the name of an Operations Console administrator>
Please enter OC Administrator password: <enter the password for the  Operations Console administrator>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_06q3iicq
Command API Client User Password ......................: V5KNLLjnJD81NyRfzi7L71xKV0towQ
SSL Server Identity Certificate Private Key Password ..: bOyxnV032yVRMQWnFftb4fNG7xq9VP
SSL Server Identity Certificate Keystore File Password : UVPAsZhN4eWyh1pb3RSAY3MgIUtZNL
Root Certificate Private Key Password .................: djLvIilLRqDNZfwgkVc9ZgTLBQrAX6
Root Certificate Keystore File Password ...............: Ttw14wO6zVzCatRLrYHDS9nkPKfYnl

The "listkeys" action displays the key names to use when setting the values.

4. Double click to open config.properties in Eclipse.  
5. Replace the text in the file as shown in the sample below, using the values in your system.

# Server URL. NOTE: Replace local1 with the hostname of the managed server
java.naming.provider.url = t3s://marge.csau.ap.rsa.net:7002

# User ID for process-level authentication.
com.rsa.cmdclient.user = CmdClient_06q3iicq

# Password for process-level authentication
com.rsa.cmdclient.user.password = V5KNLLjnJD81NyRfzi7L71xKV0towQ

# SOAPCommandTargetBasicAuth provider URL
ims.soap.client.provider.url = https://marge.csau.ap.rsa.net:7002/ims-ws/services/CommandServer

7. Modify launch parameters
   
   1. In Eclipse, right click on Project.
   2. Select Run As > Run Configurations > admin. (This is the default configuration name of Admin SDK).
   3. Add the parameters below, modifying the values accordingly. (superadmin/P@55w0rd is the Security Console login credential)

[Program Arguments]
list-users superadmin P@55w0rd

[VM Arguments]
-Dweblogic.security.SSL.trustedCAKeyStore="C:\am_sdk\ssl\trust.jks"
-Dbea.home="<SDK>\lib\java"
-Dsun.lang.ClassLoader.allowArraySyntax=true

8. Test the code.