000036460 - Java exception error during restore of default console certificate on RSA Authentication Manager 8.2 and higher

Document created by RSA Customer Support Employee on Jun 29, 2018
Version 1

Article Content

Article Number: 000036460
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.3
Issue: This article explains the following two scenarios:
  1. How to regenerate the deleted Authentication Manager default server certificate.
  2. How to resolve the following Java exception error that occurs when running the rsautil reset-server-cert command to restore the default console certificate on RSA Authentication Manager:

        at com.rsa.authmgr.install.tools.CertManager.resetServerCert(CertManager
        at com.rsa.authmgr.install.tools.CertManager.execute(CertManager.java:15
        at com.rsa.authmgr.install.tools.CertManager.main(CertManager.java:260)

  1. Open an SSH session to the RSA Authentication Manager primary server using an SSH client, such as PuTTY.
  2. Log in as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. If so, use that user name to log in.

  3. Navigate to /opt/rsa/am/utils/.

login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils

  4. Run the ./rsautil manage-ssl-cert --regen-internal-ca command to regenerate the RSA Authentication Manager default console certificate.
  5. When prompted, enter the Operations Console administrator user name and password:

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-ssl-cert --regen-internal-ca
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
Manage SSL Certificate Utility (1388711)
Copyright (C) 2016 RSA Security Inc. All rights reserved.
Regenerating internal certificate authority and SSL certificates...
Created backup of current keystores at: /opt/rsa/am/server/security/JKS_BACKUP_3472436041899343669
Created primary keystore ZIP: primary-keystores.zip
Copy this file to each Replica instance and run this tool providing this file as the
parameter to the "--keystore-zip" option.
Command completed successfully.

The above command also creates a backup of the current keystores, which is saved to /opt/rsa/am/server/security/JKS_BACKUP_XXXXXXXXXXXXXXXXXXX

  6. Once these steps are complete, elevate privileges to root and reboot the appliance by issuing the commands below:

rsaadmin@am82p:~> sudo su - root
rsaadmin's password: <enter operating system password>
am82p:/home/rsaadmin # reboot

Broadcast message from root (pts/0) (Wed Jun 20 08:15:08 2018):

The system is going down for reboot NOW!
am82p:/home/rsaadmin #

  7. The Java error will no longer occur when executing the ./rsautil reset-server-cert command.
  8. After reverting to the default certificate, the expired certificate will be listed as Inactive in the Operations Console under Deployment Configuration > Certificates > Console Certificate Management.
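
A check that can be run on saved output of the ./rsautil manage-ssl-cert --regen-internal-ca step before the reboot, as an added example that is not part of the RSA article or RSA's tooling: it confirms the success line and extracts the keystore backup directory and the ZIP name to copy to replicas. The function names are hypothetical, and the sample text is the utility output shown in the session above; other builds may word it differently.

```shell
#!/usr/bin/env bash
# Added example (not RSA code). Function names are hypothetical.
# Parses saved output of: ./rsautil manage-ssl-cert --regen-internal-ca

# Sample input: the utility output reproduced from the session in this article.
SAMPLE_OUTPUT='Manage SSL Certificate Utility (1388711)
Copyright (C) 2016 RSA Security Inc. All rights reserved.
Regenerating internal certificate authority and SSL certificates...
Created backup of current keystores at: /opt/rsa/am/server/security/JKS_BACKUP_3472436041899343669
Created primary keystore ZIP: primary-keystores.zip
Copy this file to each Replica instance and run this tool providing this file as the
parameter to the "--keystore-zip" option.
Command completed successfully.'

# Drop carriage returns that a terminal copy/paste may add to each line.
normalize() { printf '%s\n' "$1" | tr -d '\r'; }

# Print the keystore backup directory reported by the utility (empty if absent).
backup_dir() {
    normalize "$1" | sed -n 's/^Created backup of current keystores at: *//p'
}

# Print the primary keystore ZIP name that must be copied to each replica.
keystore_zip() {
    normalize "$1" | sed -n 's/^Created primary keystore ZIP: *//p'
}

# Succeed only if the run reported success and named both artifacts.
regen_ok() {
    normalize "$1" | grep -qx 'Command completed successfully\.' || return 1
    [ -n "$(backup_dir "$1")" ] && [ -n "$(keystore_zip "$1")" ]
}

# Check a saved log file (path supplied by the caller) before rebooting.
check_regen_log() {
    local out
    out=$(cat "$1") || return 2
    if regen_ok "$out"; then
        echo "OK: backup=$(backup_dir "$out") zip=$(keystore_zip "$out")"
    else
        echo "Regeneration not confirmed in $1" >&2
        return 1
    fi
}
```

On the appliance, also confirm that the directory printed by backup_dir exists (for example with test -d) so the previous keystores remain recoverable.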
Notes: To revert back to default self-signed certificates, refer to article 000017506 - Reverting back to the RSA self-signed default certificates on Authentication Manager 8.1.