How to import CA signed console cert from AM 8.x primary into a new primary with same FQDN
Issue
1. If the replica does not already hold a replacement certificate, it must trust the primary's replacement certificate chain: import the Root CA certificate (alias RootInt22 in this example) into the replica's trust.jks keystore manually.
2. Export the original primary's replacement certificate, together with its private key, into a temporary .jks keystore, then import that keystore into the replica that will be promoted and renamed to the original primary's FQDN.
Tasks
2. Import this Root CA into trust.jks on the replica to be promoted, then confirm the alias is present:
cd /opt/rsa/am/server/security
../../appserver/jdk/bin/keytool -list -alias RootInt22 -keystore ./trust.jks
3. Export the console replacement certificate (with its private key) from rsaadmin.company.local by alias into tmp.jks - see Resolution.
4. Copy (SCP) this tmp.jks to the replica to be promoted.
5. Import the tmp.jks console replacement certificate for rsaadmin.company.local into the replica's webserver-inactive.jks.
6. Verify in the Operations Console that this certificate alias shows it can be [activated].
After promotion (steps 8-14 below), also:
- Check replication status in both Operations Consoles - good.
- Initiate RADIUS replication from the Security Console on the new primary - synchronized.
- Import language packs on the new primary, restart services, then reboot.
- Restart the web tier services on each web tier.
7. Revert the original primary to the default RSA-signed console certificate. Due to policy, Internet Explorer may be needed to reach the console after this change.
8. Promote the replica to primary (for maintenance), either before or after reverting the original primary's certificate.
9. Rename the original primary in the Operations Console; it still held the original name, which was still in DNS.
   Update DNS so rsaadmin.company.local resolves to the new primary's IP, and check the local PC's hosts file for a stale entry mapping the old IP to securidadmin.
10. Rename the newly promoted primary to rsaadmin.company.local.
   This updated the primary's name on 1 replica.
11. Download a new sdconf.rec if needed; when replacing sdconf.rec on Authentication Agents for Windows, delete sdstatus.12 as well.
12. Finally, activate the console replacement certificate in the Operations Console of the newly promoted primary, now named rsaadmin.company.local; Internet Explorer may be needed for this. Good to go.
13. Edit the web tier preferred instances in the Operations Console to point to rsaadmin.company.local.
   https://mysecurid.company.local/ - the web tier is reachable and prompts for the company self-service logon.
14. Update the other replicas to point to the new primary's name, rsaadmin.company.local.
Resolution
Export the rsaadmin2022 replacement certificate and its private key into a .jks file on the primary, rsaadmin.company.local.
SSH to the primary and first retrieve the keystore passwords:
cd /opt/rsa/am/utils
./rsautil manage-secrets -a list com.rsa.signing.key
Find the SSL Server Identity Certificate Keystore File Password and the Private Key Password; treat both as secrets. Example values:
SSL Server Identity Certificate Private Key Password ..: ov7gdbQ9hhlLwrhBCytb8Ue7nik1cb
SSL Server Identity Certificate Keystore File Password : ye7sfZq0DVdMVMFutJoLOB9t0mEcGe
cd ../server/security
cp webserver-inactive.jks webserver-inactive.jks.bak.<date>
../../appserver/jdk/jre/bin/keytool -list -keystore ./webserver-inactive.jks
../../appserver/jdk/jre/bin/keytool -list -alias rsaadmin2022 -keystore ./webserver-inactive.jks
../../appserver/jdk/jre/bin/keytool -list -v -alias rsaadmin2022 -keystore ./webserver-inactive.jks
Here "export" means running -importkeystore with a new file under /tmp as the destination: keytool -exportcert writes only the certificate, and -importkeystore is what carries the private key and chain across.
../../appserver/jdk/jre/bin/keytool -v -importkeystore -srckeystore ./webserver-inactive.jks -srcalias rsaadmin2022 -destkeystore /tmp/primary22.jks
Note: the exported /tmp/primary22.jks has both a keystore file password and a private key password. Since the private key password carries over from the primary, it is also used as the new file password, so the two are the same.
Importing keystore ./webserver-inactive.jks to /tmp/primary22.jks...
Enter destination keystore password: ov7gdbQ9hhlLwrhBCytb8Ue7nik1cb
Re-enter new password: ov7gdbQ9hhlLwrhBCytb8Ue7nik1cb
Enter source keystore password: ye7sfZq0DVdMVMFutJoLOB9t0mEcGe
Enter key password for <rsaadmin2022> ov7gdbQ9hhlLwrhBCytb8Ue7nik1cb
[Storing /tmp/primary22.jks]
5. Import the tmp.jks console replacement certificate for rsaadmin.company.local on the replica.
The keystore password of /tmp/primary22b.jks is ov7gdbQ9hhlLwrhBCytb8Ue7nik1cb, the same as the private key password.
Note: this is the same as on the primary because this data is replicated/shared within a deployment.
cd /opt/rsa/am/server/security
cp webserver-inactive.jks webserver-inactive.jks.bak.Dec17
../../appserver/jdk/jre/bin/keytool -list -keystore /tmp/primary22b.jks
../../appserver/jdk/jre/bin/keytool -list -v -keystore /tmp/primary22b.jks
../../appserver/jdk/jre/bin/keytool -list -keystore ./webserver-inactive.jks
../../appserver/jdk/jre/bin/keytool -v -importkeystore -srckeystore /tmp/primary22b.jks -srcalias rsaadmin2022 -destkeystore ./webserver-inactive.jks
Check the keystore again to see the extra entry:
../../appserver/jdk/jre/bin/keytool -list -keystore ./webserver-inactive.jks
6. Verify in the Operations Console that this certificate alias shows it can be [activated].
At this point, you can:
- promote the replica for maintenance
- revert the certificate on the original (now demoted) primary
- rename the original primary
- rename the new primary to the original primary's name, rsaadmin.company.local
- activate the replacement certificate on the new primary
- delete /tmp/primary22b.jks on the replica and /tmp/primary22.jks on the old primary, since both files hold the console private key
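The export/import steps in the Resolution (keytool -importkeystore into a temporary keystore, then from that keystore into the replica's webserver-inactive.jks) as one non-interactive script, added here as an example and not taken from the RSA article. It runs against a throwaway self-signed key so it can be exercised offline: the aliases, file names and passwords are placeholders, keytool is assumed to be on PATH (on an AM appliance use the bundled /opt/rsa/am/appserver/jdk/jre/bin/keytool), and same_cert is an added check, not an RSA step, that byte-compares the certificate in source and destination before anything is activated in the Operations Console.

```shell
#!/bin/sh
# Added example (not from the RSA article): non-interactive version of the
# keytool steps, run on a throwaway keystore so it can be tested offline.
# Assumptions: `keytool` is on PATH; alias, file names and passwords are
# placeholders, not real Authentication Manager secrets.
set -u

# Move one private-key entry (key + certificate chain) from SRC_KS into a
# fresh temporary keystore TMP_KS.  `keytool -exportcert` writes only the
# certificate; `-importkeystore` is the keytool verb that carries the private
# key across, which is why the article "exports" with it.  As in the article,
# the source key password becomes the temporary file's store password.
export_entry() {
  src_ks=$1 src_storepass=$2 src_keypass=$3 alias=$4 tmp_ks=$5
  rm -f "$tmp_ks"
  keytool -importkeystore -noprompt \
    -srckeystore "$src_ks" -srcstoretype JKS -srcstorepass "$src_storepass" \
    -srcalias "$alias" -srckeypass "$src_keypass" \
    -destkeystore "$tmp_ks" -deststoretype JKS \
    -deststorepass "$src_keypass" -destkeypass "$src_keypass" >/dev/null 2>&1
}

# Import the entry from TMP_KS into DEST_KS (the replica's
# webserver-inactive.jks); keytool creates DEST_KS if it does not exist.
import_entry() {
  tmp_ks=$1 tmp_pass=$2 alias=$3 dest_ks=$4 dest_storepass=$5 dest_keypass=$6
  keytool -importkeystore -noprompt \
    -srckeystore "$tmp_ks" -srcstoretype JKS -srcstorepass "$tmp_pass" \
    -srcalias "$alias" -srckeypass "$tmp_pass" \
    -destkeystore "$dest_ks" -deststoretype JKS \
    -deststorepass "$dest_storepass" -destkeypass "$dest_keypass" >/dev/null 2>&1
}

# Return 0 only when ALIAS exists in both keystores with identical PEM
# certificates, so a wrong alias or a stale entry is caught before the
# Operations Console is asked to activate it.
same_cert() {
  ks_a=$1 pass_a=$2 ks_b=$3 pass_b=$4 alias=$5
  a=$(keytool -exportcert -rfc -alias "$alias" -keystore "$ks_a" -storepass "$pass_a" 2>/dev/null) || return 1
  b=$(keytool -exportcert -rfc -alias "$alias" -keystore "$ks_b" -storepass "$pass_b" 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full round trip on a self-signed throwaway key: "primary" -> /tmp -> "replica",
# then verify and remove the temporary file, which holds the private key.
demo() {
  work=$(mktemp -d) || return 1
  primary="$work/primary-webserver-inactive.jks"
  replica="$work/replica-webserver-inactive.jks"
  tmp="$work/primary22.jks"
  # Placeholder passwords standing in for the `rsautil manage-secrets` values.
  store_pw=primaryStorePw keypw=primaryKeyPw rep_store_pw=replicaStorePw

  keytool -genkeypair -alias rsaadmin2022 -keyalg RSA -keysize 2048 \
    -dname "CN=rsaadmin.company.local" -validity 30 \
    -keystore "$primary" -storetype JKS -storepass "$store_pw" -keypass "$keypw" \
    >/dev/null 2>&1 || { rm -rf "$work"; return 1; }

  rc=1
  if export_entry "$primary" "$store_pw" "$keypw" rsaadmin2022 "$tmp" \
     && import_entry "$tmp" "$keypw" rsaadmin2022 "$replica" "$rep_store_pw" "$keypw" \
     && same_cert "$primary" "$store_pw" "$replica" "$rep_store_pw" rsaadmin2022; then
    rc=0
  fi
  rm -f "$tmp"        # never leave the exported private key lying around
  rm -rf "$work"
  return $rc
}

case "${1:-}" in demo) demo && echo "round trip OK" ;; esac
```

Run it as `sh migrate.sh demo`. The functions take passwords as arguments for brevity; on a real appliance prefer keytool's `-storepass:env VAR` / `-keypass:env VAR` forms so the manage-secrets values do not end up in shell history or `ps` output, and copy the temporary keystore with scp rather than a world-readable share.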