Authentication Manager Security Console and Operations Console Inaccessible After Certificate Update
Originally Published: 2014-07-07
Article Number
000051252
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue
After RSA Authentication Manager certificates expire, the services fail to start. As a result, administrators cannot access the Security Console or Operations Console through the GUI.
For administrators with server access, the following key errors appear in /opt/rsa/am/server/logs/AdminServer.log:
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000365> <Server state changed to FAILED.>
####<Jul 7, 2020 10:23:40 AM EDT> <Error> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000383> <A critical service failed. The server will shut itself down.>
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020595> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN.>
####<Jul 7, 2020 10:23:40 AM EDT> <Info> <JMX> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020609> <BEA-149513> <JMX Connector Server stopped at service:jmx:iiop://10.46.30.77:7006/jndi/weblogic.management.mbeanservers.domainruntime.>
####<Jul 7, 2020 10:23:40 AM EDT> <Info> <JMX> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020609> <BEA-149513> <JMX Connector Server stopped at service:jmx:iiop://10.46.30.77:7006/jndi/weblogic.management.mbeanservers.edit.>
Caused by: weblogic.management.configuration.ConfigurationException: Identity certificate has expired:
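The log signature above is what a monitoring job should key on. The following parser is an added example (not RSA's code or tooling) that reads WebLogic-format AdminServer.log records, extracts the message id and server-state messages, and reports the expired-certificate failure; the sample lines are constructed from the excerpt in this article, with a placeholder hostname.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the AdminServer.log excerpt in this article
# (hostname and timestamps are placeholders, not real deployment data).
SAMPLE_LOG = """\
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <am-host> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000365> <Server state changed to FAILED.>
####<Jul 7, 2020 10:23:40 AM EDT> <Error> <WebLogicServer> <am-host> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000383> <A critical service failed. The server will shut itself down.>
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <am-host> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020595> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN.>
Caused by: weblogic.management.configuration.ConfigurationException: Identity certificate has expired:
"""

# One angle-bracketed field; allows one level of nesting so "<<WLS Kernel>>" is a single field.
FIELD_RE = re.compile(r"<((?:[^<>]|<[^<>]*>)*)>")


@dataclass
class Record:
    timestamp: str
    severity: str
    msg_id: str
    message: str


def parse_records(text: str) -> List[Record]:
    """Parse '####<...>' WebLogic records; continuation lines (stack traces) are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith("####<"):
            continue
        fields = FIELD_RE.findall(line[4:])
        if len(fields) < 12:
            continue  # wrapped or truncated record: skip rather than misattribute fields
        # field layout: 0 timestamp, 1 severity, 2 subsystem, ..., 10 message id, 11 message
        records.append(Record(fields[0], fields[1], fields[10], fields[11]))
    return records


def diagnose(text: str) -> Optional[str]:
    """Return a one-line diagnosis when the log shows the expired-certificate startup failure."""
    expired = "Identity certificate has expired" in text
    recs = parse_records(text)
    failed = [r for r in recs if r.msg_id == "BEA-000365"
              and r.message.startswith("Server state changed to FAILED")]
    critical = [r for r in recs if r.msg_id == "BEA-000383"]
    if expired and failed and critical:
        return f"{failed[0].timestamp}: AdminServer FAILED; identity certificate expired"
    if expired:
        return "identity certificate expired (no FAILED transition in this excerpt)"
    return None
```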

Cause

The RSA default self-signed certificates were replaced with custom certificates that have since expired, causing Authentication Manager services to fail on startup.

Resolution

To revert to the RSA self-signed certificates:

  1. SSH to the Authentication Manager server as rsaadmin.
  2. Navigate to the utils directory: 
    cd /opt/rsa/am/utils
  3. Run the certificate reset utility:
    ./rsautil reset-server-cert
  4. When prompted, enter the Operations Console administrator username and password.
  5. Once the certificate is replaced, navigate to the server directory and restart all services:
    cd /opt/rsa/am/server
    ./rsaserv restart all
  6. Repeat steps 1–5 on all affected Authentication Manager servers in your deployment.
  7. Verify: Open a browser and confirm the Security Console (https://<am-server>:7004/console-ims) and Operations Console (https://<am-server>:7072/operations-console) are accessible.
  8. After restoring access to the Security Console and Operations Console, follow one of the scenarios below, depending on which certificates you want to use going forward.

Scenario 1 — Replace with CA-Signed Certificates

If you prefer to replace the expired certificates with new CA-signed certificates, refer to the following documentation:
Replacing-The-Console-Certificate

Scenario 2 — Continue Using RSA Self-Signed Certificates

If you would like to continue using the default RSA self-signed certificates, complete the steps below to ensure systems and integrations trust the regenerated certificates.

  • For RSA Authentication Manager Security Console (Self-Signed Root CA):
    1. Export the Self-Signed Root CA Certificate:
      1. Open your browser and navigate to the RSA Authentication Manager Security Console (e.g., https://<am-server>:7004/console-ims).
      2. Click the Not Secure area in the browser’s address bar.
      3. View the certificate details and locate the RSA self-signed Root CA certificate.
      4. Export the certificate as a .cer or .crt file (Base-64 encoded is recommended).
    2. Import the Certificate to Trusted Root Authorities:
      1. On your system, launch the Certificate Manager (certmgr.msc).
      2. Go to Trusted Root Certification Authorities.
      3. Right-click, select All Tasks > Import, and follow the wizard to import the .cer or .crt file you exported.
      4. Complete the wizard to add the certificate to the trusted root store.

      For domain-wide trust, use Group Policy (secpol.msc) to distribute the certificate to all systems as a trusted root CA.

  • For RSA RADIUS Servers (DER Format):
    1. Log in to the Operations Console on the Authentication Manager primary instance.
    2. Go to Deployment Configuration > RADIUS Servers.
    3. Select the RADIUS server and click Manage EAP Certificates.
    4. In the Trusted Root Certificates tab, click Browse to select your self-signed certificate (must be in DER format, with a .der extension).
    5. Click Add to add the certificate to the server.
    6. Click Done when finished.

Trusted root certificates added on the primary instance are replicated to all RSA RADIUS servers in the deployment.
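The browser export in Scenario 2 is Base-64 (PEM), while the RADIUS Manage EAP Certificates dialog requires DER. This added helper (not RSA's code) converts the exported file and validates that the result is exactly one well-formed DER SEQUENCE; it also passes through files that are already DER. The sample is a constructed minimal SEQUENCE, not a real certificate.

```python
import base64
import re
from pathlib import Path

# Constructed stand-in for an exported file: a minimal DER SEQUENCE (30 03 02 01 05),
# Base-64 wrapped with CRLF line endings the way a Windows browser export writes it.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMCAQU=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length(der: bytes) -> int:
    """Total length (tag + length octets + content) of the outer SEQUENCE, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                      # short form: length fits in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n following octets hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Return DER bytes from a PEM or DER certificate file body, rejecting trailing junk."""
    if data[:1] == b"\x30":
        der = data                        # already DER: nothing to decode
    else:
        m = PEM_RE.search(data.decode("ascii"))
        if not m:
            raise ValueError("no CERTIFICATE PEM block found")
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der_length(der) != len(der):
        raise ValueError("decoded data is not a single well-formed DER SEQUENCE")
    return der


def convert_file(src: str, dst: str) -> int:
    """Write the DER form of src to dst (use a .der extension) and return its size in bytes."""
    der = to_der(Path(src).read_bytes())
    Path(dst).write_bytes(der)
    return len(der)
```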

Notes

A browser might refuse to display the Security Console or Operations Console pages, so try a different browser or a private browsing window. If neither is possible, test access with a curl command:

curl -k https://<rsa am server host>:7072/operations-console

Output may be similar to what is shown below: 

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://<am88_server_net>:7072/operations-console/Index.jsp">https://<am88_server_net>:7072/operations-console/Index.jsp</a>.</p> </body></html>