How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle
2 years ago
Originally Published: 2020-01-05
Article Number
000064885
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
 
Issue
AFX Servers and remote collection agents communicate securely through the server.keystore and the client.keystore. The RSA Identity Governance & Lifecycle application is the server and each AFX Server and remote collection agent is the client. These keystores are saved in the oracle database and on the  linux file system. These certificates can get out of sync with each other which can cause AFX and remote collection agents to fail.

This article explains how to update the RSA Identity Governance & Lifecycle root (server) certificate and corresponding client certificates for use with AFX and remote collection agents. Some examples of when you might want to do this are: NOTE:  For instructions on how to generate and install new RSA Identity Governance & Lifecycle certificates on WebSphere and WebLogic, see the sections entitled Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle Components under the respective WebSphere or WebLogic Installation sections in the RSA Identity Governance & Lifecycle Installation Guide for your specific RSA Identity Governance & Lifecycle version.
 
Resolution
The process to regenerate new certificates is:
  1. Update the server certificate.
  2. Update each AFX Server client certificate.
  3. Update each remote collection agent client certificate (if you use remote agents.)
NOTES:
  • AFX and remote agents will not be running until this entire process is completed. Therefore, do this at a time when the system is quiet.
  • The server certificate (first step) does not always need to be regenerated. Sometimes just downloading the server and client keystores is sufficient as long as their fingerprints match. Sometimes only the client certificate needs to be regenerated. Once regenerated, both the server and client keystores may be downloaded and their fingerprints checked. The complete process is to regenerate both the server and client keystores and that is what article describes.


Update the server certificate

  1. In the RSA Identity Governance & Lifecycle user interface go to Admin > System > Security tab.
  2. Under Server Certificate Store for Agent SSL Connections: click the Change Certificate Store button.

User-added image

 

You will see the following dialog message. Click OK to generate the new server certificate. 

User-added image

  1. Click the Download button and save the server.keystore to a location on your computer.
 
User-added image
 
  1. Login to the application server as the oracle user.
  2. Download the new server.keystore to your RSA Identity Governance & Lifecycle application server. In this example the keystore file was downloaded to $AVEKSA_HOME (/home/oracle).
  3. Go to the keystore directory
cd $AVEKSA_HOME/keystore
  1. Backup the existing server.keystore.
mv server.keystore server.keystore.bak
  1. Replace the existing server.keystore with the new server.keystore file that was just downloaded.
mv $AVEKSA_HOME/server.keystore $AVEKSA_HOME/keystore
  1. Restart RSA Identity Governance & Lifecycle.
acm restart
 

Update each AFX Server client certificate

Update the AFX server client certificate for each AFX Server by updating the client.keystore and restarting the AFX and RSA Identity Governance & Lifecycle applications.

  1. In the RSA Identity Governance & Lifecycle user interface go to AFX > Servers.
  2. For each AFX Server, click on the AFX Server name.
  3. Click the Change Certificate button. This action generates a new client certificate based off the new server certificate just generated and ensures the client certificate stored in the database matches the server certificate stored in the database.

User-added image

You will see the following dialog message. Click OK to generate the new client certificate.

User-added image

  1. Click the Download Keystore button and save the client.keystore to a location on your computer.

User-added image

  1. Login to the application server where AFX is installed as the afx user.
  2. Download the new client.keystore to your RSA Identity Governance & Lifecycle AFX server. In this example the keystore file was downloaded to $AVEKSA_HOME (/home/oracle).
  3. Go to the keystore directory.
cd $AFX_HOME/esb/conf
  1. Backup the existing client.keystore.
mv client.keystore client.keystore.bak
  1. Replace the existing client.keystore with the new client.keystore file that was just downloaded.
mv $AVEKSA_HOME/client.keystore $AFX_HOME/esb/conf
  1. Restart AFX and the RSA Identity Governance & Lifecycle application.
afx stop
acm restart
afx start



Update each remote collection agent client certificate

  1. In the RSA Identity Governance & Lifecycle user interface go to Collectors > Agents.
  2. For each remote agent (not the default local AveksaAgent), click on the remote agent name.
  3. Click the Change Certificate button. This action generates a new client certificate based off the new server certificate just generated and ensures the client certificate stored in the database matches the server certificate stored in the database.
User-added image
You will see the following dialog message. Click OK to generate the new server certificate.
 
User-added image
  1. Click the Download Agent button to download a new agent with the new certificate in a zip file called AveksaAgent.zip.
User-added image
 
  1. Login to the remote server that has the remote agent as user oracle.
  2. Download the new AveksaAgent.zip to the remote server. In this example, the zip file was downloaded to /home/oracle.
  3. Stop the agent by running agent_stop.sh in the AveksaAgent/bin directory, as follows:
cd home/oracle/AveksaAgent/bin
./agent_stop.sh
  1. Backup the agent directory.
cd /home/oracle
mv <agent-directory> <agent-directory.bak>
  1. Unzip the agent on the remote server where it runs (replacing the old one).
unzip AveksaAgent.zip
  1. Start the agent by running agent_start.sh in the AveksaAgent/bin directory, as follows:
cd home/oracle/AveksaAgent/bin
./agent_start.sh

 
Notes
The steps in this article ensure that the versions of the client and server certificates in the database and on the file system have the same fingerprints. To check that the keystores have the same fingerprints, you can do the following:
  1. Check the server.keystore:
su oracle
cd $AVEKSA_HOME/keystore
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore server.keystore -alias aveksa_ca
  1. Check the client.keystore for the AFX Server(s).
su {afxuser}
cd $AFX_HOME/esb/conf 
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore client.keystore -alias aveksa_ca
  1. Check the client.keystore for the remote collection agent(s).
su oracle
cd /home/oracle/AveksaAgent/conf 
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore client.keystore -alias aveksa_ca
  1. Look for the output below and ensure the fingerprints are the same for the server.keystore and the client.keystore. If they differ, repeat the steps in this article.
Certificate fingerprints:
         MD5:  20:C5:53:B6:54:E6:E9:1A:82:C4:B9:03:73:56:CE:BC
         SHA1: DF:8F:78:72:79:36:F0:9C:B8:63:89:CA:10:C6:A9:90:06:1A:64:1D
         SHA256: CB:8B:88:AA:FA:A5:A1:17:31:4A:90:FF:7B:0C:F8:8E:97:AD:0D:84:85:1A:D8:37:BD:2A:8A:94:8A:34:CE:26
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

 

Related Articles

Trending Articles

Don't see what you're looking for?