RSA Authentication Manager Displays Unwanted Certificate Signing Requests (CSRs) in the Operations Console Certificate Management Interface
Originally Published: 2014-03-28
Article Number
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
After performing certificate-related actions in the RSA Authentication Manager Operations Console, you see one or more unwanted Certificate Signing Requests (CSRs) listed under Certificate Management.
You may notice:
- CSRs remain listed even though they are no longer needed.
- The CSR list contains requests created by mistake and you want to remove them to avoid confusion during certificate management.
Resolution
Navigate to Deployment Configuration > Certificates > Console Certificate Management. This interface provides a way to manage the certificates that enable secure communication between RSA Authentication Manager and the Operations Console and Security Console management interfaces.
Use the following procedure to remove any outstanding Certificate Signing Requests (CSRs) that are in the pending state.
Before following the steps below,
- Log in to the primary Authentication Manager's Operations Console.
- Go to Maintenance > Backup and Restore > Backup Now to take a backup of the database.
- Certificate Signing Requests (CSRs) that are left in a pending state reside in a file called /opt/rsa/am/server/security/webserver-inactive.jks. Always make a backup before making any change. Open an SSH session to the Authentication Manager primary and log in as the rsaadmin user, then navigate to the /opt/rsa/am/server/security folder and make a copy of the webserver-inactive.jks file. Run the following commands to create the backup:
cd /opt/rsa/am/server/security
cp webserver-inactive.jks webserver-inactive.jks.BAK
- To remove the CSR aliases from /opt/rsa/am/server/security/webserver-inactive.jks, the administrator needs the SSL Server Identity Certificate Keystore File Password. Obtain it by running the command ./rsautil manage-secrets -a list com.rsa.signing.key in the /opt/rsa/am/utils directory. In this example, the SSL Server Identity Certificate Keystore File Password is g972SpITERSGMtYCZWevKd4UTVuZUw. Yours will be different.
rsaadmin@app81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter the name of the Operations Console administrative user>
Please enter OC Administrator password: <enter the password of the Operations Console administrative user>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_9uwbaoze
Command API Client User Password ......................: N04vujpJYzkePDn0vf0zjnu2NmEJ1f
SSL Server Identity Certificate Private Key Password ..: jkN1075giQ9IIFD8Pg6uVq4BGFB9yU
SSL Server Identity Certificate Keystore File Password : g972SpITERSGMtYCZWevKd4UTVuZUw
Root Certificate Private Key Password .................: rSl0jKaSPUFww2fb0KVfJdbUIFwQK3
Root Certificate Keystore File Password ...............: Rg10rVYLQW8fNHEdMxbgucWlMQ1mAX
The "listkeys" action displays the key names to use when setting the values.
rsaadmin@app81p:/opt/rsa/am/utils>
- List the contents of the webserver-inactive.jks file using the keytool utility at the command line to confirm the alias you want to delete actually exists. For example:
rsaadmin@app81p:/opt/rsa/am> /opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/webserver-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured in step 4>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
app81poc, Mar 27, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 3E:75:75:8F:82:34:B6:64:BC:6E:F1:FF:35:F8:AA:3B
rsa am internal ca, Dec 2, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 92:45:C9:B6:09:25:3E:4A:53:2F:6B:49:EA:E3:BF:17
rsa am default server cert, Dec 2, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): DD:C7:65:A8:74:36:EE:24:47:36:C4:8F:39:48:EB:89
rsaadmin@app81p:/opt/rsa/am>
Note that the webserver-inactive.jks file contains three entries. In this example the alias app81poc is a pending entry. The other two entries are the defaults.
- To delete the unwanted alias (app81poc in this example), run the keytool utility at the command line with the following command:
rsaadmin@app81p:/opt/rsa/am> /opt/rsa/am/appserver/jdk/jre/bin/keytool -delete -alias app81poc -keystore /opt/rsa/am/server/security/webserver-inactive.jks
Enter keystore password: <enter the SSL Server Identity Certificate Keystore File Password captured in step 5>
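The backup, list and delete steps above can be wrapped so that the delete only runs against an alias that is actually present in the keystore and is not one of the two default entries. This is an added example, not RSA tooling: the function names (list_aliases, can_delete, remove_pending_csr) and the timestamped backup name are assumptions, and the sample listing is constructed from the keytool output shown above.

```shell
#!/bin/sh
# Added example (not RSA tooling): guard the keytool -delete step.
# Paths are the ones given in the article; function names are hypothetical.
KEYTOOL=/opt/rsa/am/appserver/jdk/jre/bin/keytool
KEYSTORE=/opt/rsa/am/server/security/webserver-inactive.jks

# The two entries the article identifies as defaults; never delete these.
PROTECTED_ALIASES='rsa am internal ca
rsa am default server cert'

# Constructed sample: the `keytool -list` output shown in the article.
SAMPLE_LISTING='Keystore type: JKS
Your keystore contains 3 entries
app81poc, Mar 27, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 3E:75:75:8F:82:34:B6:64:BC:6E:F1:FF:35:F8:AA:3B
rsa am internal ca, Dec 2, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 92:45:C9:B6:09:25:3E:4A:53:2F:6B:49:EA:E3:BF:17
rsa am default server cert, Dec 2, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): DD:C7:65:A8:74:36:EE:24:47:36:C4:8F:39:48:EB:89'

# Read `keytool -list` output on stdin, print one alias per line.
# Assumes the English "alias, Mon D, YYYY, <type>Entry," layout shown above.
list_aliases() {
    sed -n 's/^\(.*\), [A-Za-z]\{3\} [0-9]\{1,2\}, [0-9]\{4\}, [A-Za-z]*Entry,.*$/\1/p'
}

# can_delete ALIAS LISTING -> 0 deletable, 1 alias not present, 2 default entry
can_delete() {
    [ -n "$1" ] || return 1
    if ! printf '%s\n' "$2" | list_aliases | grep -Fxq -- "$1"; then return 1; fi
    if printf '%s\n' "$PROTECTED_ALIASES" | grep -Fxq -- "$1"; then return 2; fi
    return 0
}

# Back up, then delete. keytool prompts for the keystore password itself, so
# the password is not passed with -storepass on the command line.
remove_pending_csr() {
    listing=$("$KEYTOOL" -list -keystore "$KEYSTORE") || return 1
    can_delete "$1" "$listing" || { echo "refusing to delete '$1' (rc=$?)" >&2; return 1; }
    cp -p "$KEYSTORE" "$KEYSTORE.BAK.$(date +%Y%m%d%H%M%S)" || return 1
    "$KEYTOOL" -delete -alias "$1" -keystore "$KEYSTORE"
}

# Run only when an alias is given, e.g.: sh remove_csr.sh app81poc
if [ "$#" -eq 1 ]; then remove_pending_csr "$1"; fi
```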
Notes
Verification
- Log in to the RSA Authentication Manager Operations Console.
- Navigate to Deployment Configuration > Certificates > Console Certificate Management.
- Confirm that no pending Certificate Signing Requests (CSR) are displayed.