For DLP 8.5 and greater, please see KB article a63414
Seeing certificate expired (September 20th, 2010) warning on the browser when attempting to log in to Enterprise Manager
Not seeing Events or Incidents generated on the Enterprise Manager
Seeing "audit.zip" and "event.zip" files queued up on the Network Controller's /opt/rsa/controller/audit/smtp and /opt/rsa/controller/em/events directories respectively
Example of error seen in the /var/log/messages file:
Sep 22 07:39:49 sfldtablusct Monitor[4653]: 2010-09-22 06:39:49.350Z INFO TAB-0001 Controller Monitor ProcessMonitorThread-emconnector MONITOR ERROR - HttpChannel.sendViaClient(144) | javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Mon Sep 20 07:48:29 BST 2010
Setting or Updating the Distinguished Name of and Creating or Renewing the Self-signed SSL Certificate for Enterprise Manager
The following steps are required:
1. Stop the EM Service
2. Back up the existing keystore
3. Determine the key-store and key passwords
4. Create the new certificate
5. Start the EM Service
6. Check the new certificate
7. Remove the backed up certificate store
For all these steps, the operator must be logged in to the EM host with appropriate rights.
Ensure that there are no active EM users.
Using the 'Services' MMC plugin, stop the RSA DLP Enterprise Manager.
In the directory:
%PROGRAM_FILES%\RSA\Enterprise Manager\etc
the key-store file is called:
tem-keystore
Make sure to preserve that file, e.g., using:
xcopy /b tem-keystore tem-keystore.old
This file can be used to undo the change in the credential.
Examine the file:
%PROGRAM_FILES%\RSA\Enterprise Manager\etc\tem-jetty.xml
This file contains entries that indicate the key-store and key passwords required when installing the certificate.
They can be found in sections that look like this:
<Call name="addConnector">
<Arg>
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="Port">443</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="handshakeTimeout">2000</Set>
<Set name="keystore">
<SystemProperty name="jetty.home" default="." />
/etc/tem-keystore
</Set>
<Set name="password">tablusem</Set>
<Set name="keyPassword">tablusem</Set>
<Set name="truststore">
<SystemProperty name="jetty.home" default="." />
/etc/tem-keystore
</Set>
<Set name="trustPassword">tablusem</Set>
<Set name="handshakeTimeout">2000</Set>
</New>
</Arg>
</Call>
Note the "keyPassword" and "password" nodes.
These contain the values you will need in the next step for the -storepass and -keypass parameters respectively.
By default, both passwords are set to "tablusem".
Open a command prompt window and change to the following directory:
%PROGRAM_FILES%\RSA\Enterprise Manager\etc\
Remove the previous credential with the following command:
..\..\JRE\bin\keytool.exe -delete -alias jetty -keystore tem-keystore -storepass pw-in-xml
Where:
- the -storepass parameter (placeholder pw-in-xml) matches the password determined in the previous step.
Create the new certificate with the following command:
..\..\JRE\bin\keytool.exe -genkey -v -alias jetty -dname "CN=host-dns" -validity days -keypass pw-in-xml -keystore tem-keystore -storepass pw-in-xml
Where:
- the placeholder host-dns is replaced with the name of the Enterprise Manager host (as used in the URL)
- the -storepass and -keypass parameters (placeholder pw-in-xml) match the passwords determined in the previous step
- the placeholder days is the duration of validity for the certificate (the length of time before it needs to be updated): usually 1 year, specified as 365
Again using the "Services" MMC plug-in, start the EM service.
Ensure that EM is running correctly, that HTTPS connections are accepted and that you can log in.
Because you have created a self-signed certificate, it will not be 'trusted' by browsers. This is the disadvantage of using a self-signed certificate rather than a certificate generated by a Certificate Authority. It is possible to follow the browser's instructions for 'installing' the certificate so that it is trusted in the future, but you must understand the overall security implications of installing (trusting) any certificates as they relate to your browser and operating system.
If there are issues, it is possible to restore the tem-keystore file with the backup copy created earlier.
Once EM is demonstrated to be functioning correctly, be sure to remove the tem-certstore.bak file if created above, because it is important that this file not be confused with the new file in the future.
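One way to carry out the "Check the new certificate" step from the command line, as an added example that is not part of the original article: the PowerShell script below reads the keystore password from tem-jetty.xml and prints the owner and validity period of the "jetty" entry in tem-keystore. It assumes EM is installed under the Program Files directory and that keytool prints its labels in English.

```powershell
# Added example (not from the original article): show who the "jetty"
# certificate was issued to and when it expires.
# Assumption: EM lives under the Program Files directory.
$etc      = Join-Path $env:ProgramFiles 'RSA\Enterprise Manager\etc'
$keytool  = Join-Path $etc '..\..\JRE\bin\keytool.exe'
$keystore = Join-Path $etc 'tem-keystore'
$jettyXml = Join-Path $etc 'tem-jetty.xml'

# Parse the Jetty configuration; a null resolver prevents any attempt
# to fetch an external DTD referenced by the file.
$doc = New-Object System.Xml.XmlDocument
$doc.XmlResolver = $null
$doc.Load($jettyXml)

# In Jetty's SslSocketConnector the "password" setting is the keystore
# password, which is all that "keytool -list" needs.
$xpath = "//New[@class='org.mortbay.jetty.security.SslSocketConnector']" +
         "/Set[@name='password']"
$node = $doc.SelectSingleNode($xpath)
if (-not $node) { throw "No SSL connector password found in $jettyXml" }
$storePass = $node.InnerText.Trim()

# List the certificate stored under the alias created with -genkey.
$out = & $keytool -list -v -alias jetty -keystore $keystore -storepass $storePass 2>&1
if ($LASTEXITCODE -ne 0) { throw "keytool failed: $out" }

# Keep only the subject and the validity window. The "Owner" CN should be
# the EM host name used in the URL, and the "until" date should lie
# -validity days after the creation date.
$out | Select-String -Pattern 'Owner:|Valid from:'
```

If the "until" date still shows the old expiry, the -delete and -genkey commands were run against a different keystore file than the one EM loads.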
For rebuilding the SSL certificate on the DLP Network devices, please refer to solution a40781