RSA Authentication Manager services failed to start after activating a new console certificate
Originally Published: 2019-10-15
Article Number
000042420
Applies To

Authentication Manager 8.2, 8.2 SP1, 8.3, 8.4

Issue
  • After importing and activating a new console certificate, some Authentication Manager services fail to start, namely the RSA RADIUS Server Operations Console and RSA Runtime Server services.
  • Errors in /opt/rsa/am/server/logs/radiusoc.log include:
2d1290f2ee76-00000001> <1561034153225> <[severity-value: 8] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-090870> <The realm "rsa" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider RoleMapper from file /opt/rsa/am/server/security/XACMLRoleMapperInit.ldift..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: weblogic.security.spi.ProviderInitializationException: A failure occurred attempting to load LDIF for provider RoleMapper from file /opt/rsa/am/server/security/XACMLRoleMapperInit.ldift.
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.postInitializeRealm(CommonSecurityServiceManagerDelegateImpl.java:536)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.postLoadRealm(CommonSecurityServiceManagerDelegateImpl.java:861)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.postInitializeRealms(CommonSecurityServiceManagerDelegateImpl.java:982)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.postInitialize(CommonSecurityServiceManagerDelegateImpl.java:1250)
at weblogic.security.service.SecurityServiceManager.postInitialize(SecurityServiceManager.java:586)
at weblogic.security.SecurityService.start(SecurityService.java:130)
at weblogic.server.AbstractServerService.postConstruct(AbstractServerService.java:76)
at sun.reflect.GeneratedMethodAccessor7.invoke(Unknown Source)


 

Cause

The console certificate signature algorithm is sha256ECDSA, which is not supported by RSA. This crashes the server and causes the RSA RADIUS Server service and the Operations Console service to fail to start.

Resolution

To resolve the issue:

  1. Change the Signature Algorithm on the CA side to SHA256RSA.
  2. Generate a new CSR from the RSA Operations Console.
  3. Sign the CSR from the CA.
  4. Import and activate the certificate on the Operations Console. 
  5. After the reboot, SSH to the Authentication Manager server to check the status of the Authentication Manager services and verify that they are all running:
/opt/rsa/am/server/rsaserv status all
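
A pre-import check for the signed certificate from step 3, so that an ECDSA-signed certificate is caught before it is activated in step 4. This is an added example, not RSA tooling or part of the original article; it assumes OpenSSL is available and the certificate is PEM-encoded, and the function names and sample text are constructed. OpenSSL reports the article's sha256ECDSA as ecdsa-with-SHA256 and SHA256RSA as sha256WithRSAEncryption.

```shell
#!/bin/sh
# Added example (not RSA's tooling). Assumes OpenSSL and a PEM-encoded certificate.

# Constructed excerpt of `openssl x509 -noout -text` output for an ECDSA-signed cert.
SAMPLE_ECDSA_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Example Issuing CA
        Subject: CN = am-primary.example.test'

# Read `openssl x509 -text` output on stdin; print the first signature algorithm name.
sig_alg_from_text() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Return 0 only for SHA-256 with RSA, the algorithm the Resolution asks the CA to use.
sig_alg_ok() {
    case "$1" in
        sha256WithRSAEncryption) return 0 ;;
        *) return 1 ;;
    esac
}

# check_console_cert FILE (hypothetical helper name)
# 0 = expected algorithm, 1 = wrong signature algorithm, 2 = file could not be parsed.
check_console_cert() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sig_alg_from_text)
    if [ -z "$alg" ]; then
        echo "cannot read a certificate from $1" >&2
        return 2
    fi
    if sig_alg_ok "$alg"; then
        echo "OK: $1 is signed with $alg"
        return 0
    fi
    echo "DO NOT IMPORT: $1 is signed with $alg; have the CA reissue it with SHA256RSA" >&2
    return 1
}

# Run the check when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_console_cert "$1"
fi
```

Run it with the path of the signed certificate as the only argument; a non-zero exit status means the certificate should go back to the CA rather than into the Operations Console.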


To keep the services up and running until the certificate is signed, SSH to the Authentication Manager server and run the following command to revert to the default self-signed certificate:

/opt/rsa/am/utils/rsautil reset-server-cert

When prompted, enter the Operations Console username and password. When done, restart the Authentication Manager services:

/opt/rsa/am/server/rsaserv restart all