SecurID Access Prime: Replacing SAML Response Certificate of a SAML Identity Provider integrated with the Self-Service Portal
Article Number
Applies To
RSA Product/Service Type: SecurID Access Prime
Issue
Resolution
- Obtain the new certificate used to validate the SAML Responses from the identity provider.
- For each Prime server for which the SAML identity provider is used to access the Self-Service Portal on, do the following:
- Copy the new certificate to the Prime server's /tmp directory.
- Log into the Prime server as the primekit user.
- Navigate to the /opt/rsa/primekit/configs/amis directory.
- Linux: cd /opt/rsa/primekit/configs/amis
- Make a backup copy of the authconfig.xml file in this directory.
- Linux: cp authconfig.xml authconfig.xml.backup
- Edit the authconfig.xml file.
- Linux: vi authconfig.xml
- In the authconfig.xml file, look for the section of text between the <saml> and </saml> tags. This should contain the configuration of the SAML identity provider integrated with Prime. To double check, verify that the URL between the <idpURL> and </idpURL> tags refers to the identity provider from which the new SAML Response certificate was obtained.
- Within the <saml> and </saml> tags, note the values between the following tags:
- <samlJavaKeyStore> and </samlJavaKeyStore> (contains the path to the java keystore that holds the old SAML Response certificate.)
- <samlJavaKeyStorePassword> and </samlJavaKeyStorePassword> (contains the password for the above keystore.)
- Within the same <saml> and </saml> tags, modify the value between the <assertionSignatureValidationCertificateAlias> and </assertionSignatureValidationCertificateAlias> tags so that it is a new unique value. This new value will be used as an alias for the new SAML Response certificate when importing it into the keystore.
- Save the updated authconfig.xml file.
- Import the new SAML Response certificate into the <samlJavaKeyStore> using the new <assertionSignatureValidationCertificateAlias> value.
- Linux: /opt/rsa/primekit/java/latest/bin/keytool -import -alias <assertionSignatureValidationCertificateAlias> -file /tmp/<new SAML Response certificate> -keystore <samlJavaKeyStore>
- Restart the AMIS service.
- Linux: service tomcat-amis restart
- Restart the SSP service.
- Linux: service tomcat-ssp restart
- Test logging into the Prime SSP using the SAML identity provider.
Related Articles
HTTP 404 or HTTP 405 error when using Integrated Windows Authentication (IWA) with the RSA SecurID Access Cloud Authentica… Number of Views Integrate Citrix NetScaler with RSA Authentication Manager 8.x Number of Views Update an existing RSA Cloud Authentication Service Integrated Windows Authentication (IWA) Connector Identity Provider SA… Number of Views After changes in certificate keystore, Help Desk Admin Portal (HDAP) and Self-Service Portal (SSP) consoles not accessible… Number of Views How to integrate multiple Oracle devices into Envision that have same SID Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Release Notes for RSA Authentication Manager 8.8 RSA RADIUS Server service failed to start in the RSA Authentication Manager 8.1 Operations Console Microsoft Entra ID External MFA - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide RSA Release Notes: Cloud Access Service and RSA Authenticators
Don't see what you're looking for?
