Error "Unable to retrieve the certificate" on RSA Authentication Manager 8.6 when registering with Cloud Authentication Service
Originally Published: 2021-11-23
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6
Issue
Unable to retrieve the certificate
imsTrace.log in directory /opt/rsa/am/server/logs captures the error below.
2021-11-20 17:28:47,961, [[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'], (CASApiAdminOperationsImpl.java:253), trace.com.rsa.internal.admin.casapimgmt.impl.CASApiAdminOperationsImpl, FATAL, bharatham86.vcloud.local,,,,SSL Exception
javax.net.ssl.SSLPeerUnverifiedException: Hostname access-demo.securid.com not verified
Cause
The error appears after upgrading from 8.5 Patch 5 to 8.6 because AM 8.5 Patch 5 includes database and Java code changes to support multiple domain names for the Cloud Authentication Service, which earlier versions did not support.
When RSA Authentication Manager is updated to 8.6 from version 8.5 Patch 5, the "access-demo.securid.com" URL cannot be used because the database holds both "securid.com, securidgov.com" values for domain names but the Java code supports only one value. The server therefore reads the domain name as the single value 'securid.com, securidgov.com' instead of two different domain names.
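The mismatch described above, modelled as an added example (not RSA's code and not part of the original article). It assumes the configured domain name is applied as an allowed DNS suffix for the Cloud Authentication Service hostname and that multiple values are comma-separated; all function names are hypothetical.

```python
# Simplified model of the failure described in the Cause section; not RSA's code.
# Assumption: the configured domain name acts as an allowed DNS suffix when the
# Cloud Authentication Service hostname is checked.

def parse_single(raw):
    """Single-value reading (8.6 per the article): whole string is one name."""
    return [raw.strip().lower()]

def parse_multi(raw):
    """Multi-value reading (8.5 Patch 5 per the article); comma split assumed."""
    return [d.strip().lower() for d in raw.split(",") if d.strip()]

def host_allowed(host, domains):
    """True if host equals a domain or is a subdomain of it (label boundary)."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def diagnose(raw, host):
    """Classify a stored config value for a given CAS hostname."""
    if host_allowed(host, parse_single(raw)):
        return "ok"
    if host_allowed(host, parse_multi(raw)):
        return "multi-value string read as one domain name"
    return "hostname not under any configured domain"

if __name__ == "__main__":
    host = "access-demo.securid.com"
    # Stored value after the upgrade, then the two values from the workaround.
    for raw in ("securid.com, securidgov.com", "securid.com", "securidgov.com"):
        print(repr(raw), "->", diagnose(raw, host))
```
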
Resolution
Workaround
- Ensure that SSH access is enabled on the primary. Check this by logging on to the Operations Console and selecting Administration > Operating System Access.
- Log out of the Operations Console for the primary and all replicas.
- Open an SSH session on the Authentication Manager primary.
- Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.
- Run the commands shown below to capture the com.rsa.db.dba.password. On this server, the value is rSKD5bGguLGNL9uGvFWnJoxIcHJah2 but it will be different in your deployment of Authentication Manager.
    login as: rsaadmin
    Using keyboard-interactive authentication.
    Password: <enter OS password>
    Last login: Mon Nov 22 09:15:33 2021 from jumphost.vcloud.local
    RSA Authentication Manager Installation Directory: /opt/rsa/am
    rsaadmin@bharatham86:~> cd /opt/rsa/am/utils
    rsaadmin@bharatham86:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
    Please enter OC Administrator username: <enter Operations Console admin's name>
    Please enter OC Administrator password: <enter Operations Console admin's password>
    com.rsa.db.dba.password: rSKD5bGguLGNL9uGvFWnJoxIcHJah2
    rsaadmin@bharatham86:/opt/rsa/am/utils> cd ../pgsql/bin
    rsaadmin@bharatham86:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
    Password for user rsa_dba: <enter the com.rsa.db.dba.password captured above>
    psql.bin (9.2.4)
    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
    Type "help" for help.
- From the db=# prompt, run the following UPDATE command. (If connecting to securidgov.com, use the UPDATE command given in the Notes section.)
    db=# UPDATE rsa_rep.ims_config_value set value = 'securid.com' WHERE name='auth_manager.cas.authentication.domain.name';
    UPDATE 1
- When done, restart the Authentication Manager services on the primary, followed by the replicas, so that the database changes above take effect.
Notes
If connecting to securidgov.com, use this UPDATE command instead:
UPDATE rsa_rep.ims_config_value set value = 'securidgov.com' WHERE name='auth_manager.cas.authentication.domain.name';