How to manage RSA Authentication Manager console and virtual host certificates with keytool
Originally Published: 2024-01-31
Article Number
000071953
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: 8.x
Issue
[Screenshot: Console Certs (Operations Console)]
AM console, web tier and SDK app trust certificates are stored in .jks files in

/opt/rsa/am/server/security/

AM Console Certificates are in webserver-inactive.jks
Web Tier Virtual Host Certificates are in vh-inactive.jks
AM Prime Cert is in <AMIS install directory>/primekit/certificates/truststore.jks

There are two versions of each .jks: an inactive version that you can edit with keytool, and an active version that is created when you click the [Activate] drop-down/button in the Operations Console.
  • When you import a certificate through the Operations console, it is imported into the inactive.jks
  • When you generate a CSR, you create your public/private key pair and place the public key in the CSR signing request file, but keep the private key in the local inactive.jks file. That is why no password is needed on this type of CSR, as there is no private key in it.
RSA only allows 1 active console cert or 1 active Virtual Host certificate, which is copied into webserver-active.jks or vh-active.jks respectively.
[Screenshot: OC-Deploy-Certs-VH-Manage]

Do not edit the active version with keytool and always make a backup copy of the inactive version before you edit it (every time you edit it!).

cd /opt/rsa/am/server/security/
cp webserver-inactive.jks webserver-inactive.jks.bak<date>
cp vh-inactive.jks vh-inactive.jks.bak<date>

 
Tasks
1. Obtain the .jks keystore password with /opt/rsa/am/utils/rsautil manage-secrets -a listall

2. Make a backup copy of the inactive version; webserver-inactive.jks or vh-inactive.jks in the /opt/rsa/am/server/security/ directory.

3. A copy of keytool on AM servers is in
/opt/rsa/am/appserver/jdk/jre/bin/keytool
KBs like this one use relative directory references to keytool and assume the .jks directory (/opt/rsa/am/server/security/) is the local working directory.
 
Resolution
You DO NOT need the .jks password to list or look at a .jks keystore, but you do need the password to delete, import or change. After you get the keystore password, test it with a list command.

1. How to get .jks file password
cd /opt/rsa/am/utils
./rsautil manage-secrets -a listall
[Screenshot: rsautil manage-secrets -a listall output]
or
/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key

2. Make a backup copy of the inactive version; webserver-inactive.jks or vh-inactive.jks in the /opt/rsa/am/server/security/ directory.
    cd /opt/rsa/am/server/security/
    cp webserver-inactive.jks webserver-inactive.jks.back_Jan31_2024
    cp vh-inactive.jks vh-inactive.jks.back_Jan31_2024


3. Keytool is in /opt/rsa/am/appserver/jdk/jre/bin/keytool
Relative directory reference to keytool from the .jks directory is ../../appserver/jdk/jre/bin/keytool
      
List all AM console certs and keys  
../../appserver/jdk/jre/bin/keytool -list -keystore ./webserver-inactive.jks
Enter keystore password: <enter Host Certificate Private Key Password from above>
List AM console cert with rsaserv2023 alias
../../appserver/jdk/jre/bin/keytool -list -alias rsaserv2023 -keystore ./webserver-inactive.jks
List AM console cert with rsaserv2023 alias in verbose mode
../../appserver/jdk/jre/bin/keytool -list -alias rsaserv2023 -v -keystore ./webserver-inactive.jks


Delete an old CSR (Cert signing request)
When -list -alias shows you the CSR entry you want to delete, use the up arrow and change -list to -delete in the same command:
  ../../appserver/jdk/jre/bin/keytool -list -alias rsaserv2020 -keystore ./webserver-inactive.jks
  ../../appserver/jdk/jre/bin/keytool -delete -alias rsaserv2020 -keystore ./webserver-inactive.jks
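The backup, list, then delete sequence above as a small set of POSIX shell functions. This is an added example, not code from the KB or from RSA: it refuses to operate on anything that is not named *-inactive.jks (the active copies are generated by the Operations Console), takes a dated backup before every change, and only runs -delete after -list has confirmed the alias exists. KEYTOOL defaults to the path given in the article and can be overridden via the environment; keytool prompts for the keystore password obtained with rsautil manage-secrets.

```shell
#!/bin/sh
# Added example (not part of the KB): guarded keytool edits of an inactive .jks.
# KEYTOOL defaults to the path given in the article; override via environment.
KEYTOOL="${KEYTOOL:-/opt/rsa/am/appserver/jdk/jre/bin/keytool}"

# The active copies are generated by the Operations Console on [Activate] and
# must never be edited with keytool, so refuse anything not named *-inactive.jks.
require_inactive_jks() {
    case "$(basename "$1")" in
        *-inactive.jks) return 0 ;;
        *) echo "refusing to touch non-inactive keystore: $1" >&2; return 1 ;;
    esac
}

# Copy the keystore to <name>.bak_<YYYYmmdd_HHMMSS> (the article's "every time
# you edit it" rule) and print the backup path so it can be recorded.
backup_jks() {
    require_inactive_jks "$1" || return 1
    bak="$1.bak_$(date +%Y%m%d_%H%M%S)"
    cp -p "$1" "$bak" && echo "$bak"
}

# Remove one alias (e.g. an old CSR entry): back up, confirm the alias with
# -list, then re-run the same command with -delete. keytool prompts for the
# keystore password (from rsautil manage-secrets); it is deliberately not
# passed on the command line, where it would show up in process listings.
delete_alias() {
    jks="$1"; entry="$2"
    backup_jks "$jks" >/dev/null || return 1
    "$KEYTOOL" -list -alias "$entry" -keystore "$jks" >/dev/null \
        || { echo "alias $entry not found in $jks; nothing deleted" >&2; return 1; }
    "$KEYTOOL" -delete -alias "$entry" -keystore "$jks"
}

# Usage on an AM server, from /opt/rsa/am/server/security/:
#   delete_alias ./webserver-inactive.jks rsaserv2020
```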

AM Prime example of importing new Root_CA cert into AMIS truststore.jks

/opt/rsa/am/appserver/jdk/bin/keytool -v -importcert -alias amisvip2022 -file ./root_<company>_com.crt -deststoretype JKS -destkeystore ./truststore.jks

You will be prompted for the password for truststore.jks.
This keytool command imported a Public Root CA cert from an F5 Load Balancer in front of a pair of AMIS SSP servers.

Related KBs

Replica promotion for maintenance fails with certificate not verified error in RSA Authentication Manager 8.4
https://community.rsa.com/s/article/Replica-promotion-for-maintenance-fails-with-certificate-not-verified-error-in-RSA-Authentication-Manager-8-4

How to import a Root CA or public key Certificate into an Authentication Manager (or AMIS) java key store .jks with keytool
https://community.rsa.com/s/article/How-to-import-a-Root-CA-or-public-key-Certificate-into-an-Authentication-Manager-or-AMIS-java-key-store-jks-with-keytool
 
Notes
Do not edit the active .jks file version with keytool and always make a backup copy of the inactive version before you edit it (every time you edit it!).

You can make a copy of any .jks and use it to practice with keytool. There are GUI versions of keytool that you might find easier to use, but conceptually keytool works fine and is a good way to 'see' what you are doing while you learn.


Trusted application certs are in trust.jks. There is only one .jks for this, with no active and inactive versions. The trust.jks stores certs from connections to:
  • AMIS AM Prime
  • Custom applications that use the AM Admin SDK
  • Trusted (Cross) Realm connections to other AM Primaries
  • The primary, if it has a replacement console cert but your replicas do not (to save $): for Promotion for Maintenance to work, the replica needs to trust the Root CA cert of the primary's replacement console cert, which must be imported into the replica's trust.jks