Customer doesn't want to see the certificate error warning when they log in to IG & L.
How do we remove this warning, which is there in the address bar all the time, as shown in the enclosed screenshot?
The customer has to create or request a certificate and install it in accordance with the installation documentation (Appendix A: Using a Signed Certificate for HTTP Access to RSA Via L&G).
I have one PFX file from the customer to import into the IG & L server. Should I still follow the steps below?
1. Generate a Server Certificate
2. Generate a Certificate Signing Request
3. Import a Trusted Certificate
4. Import a Signed Server's Certificate into the RSA Via L&G Keystore
I tried with step 3:
Copied the pfx file into the /etc/alternatives/jre_openjdk/lib/security.
Gave a random alias name in the keytool import command. Getting the below errors.
1. Error - Tried with certificate password
2. Error - Tried with documentation password
Certificate management is one of those things that if you make a single mistake, you're better off starting from scratch. If you follow the Installation Guide you'll be golden (in v 6.9, it's chapter 7 on page 48). I think this year I had to do it twice.
I had to install the Root, Intermediate, and signed Server cert (in that order) to the following directories:
Finally, you'll perform an "acm restart".
A/N: I see that you're also using your IP instead of a shortname/friendly name in your URL, make sure you have a DNS record in place.
You are right. I have already done this 3 times, but still no luck. I got the below steps from the Support Team.
I have imported a PFX in the past, for SAS related project, and seen the guid appear as the certificate alias before with success. I manually changed the certificate alias in a separate step described below, but I believe the issue may be the certificate's private key password was not changed to the keystore's password, if the PFX file's password was different than the keystore password. The last command below can help you change it.
RSA Via, by default, looks for a certificate with an alias of "server". The new keystore created in the steps above may not have any certificate with that alias. [The alias and keystore password RSA Via uses can be changed to non-default values in the $AVEKSA_WILDFLY_HOME/standalone/configuration/aveksa-standalone-full.xml and similar files in lines containing "keystore_path"]
Use the following command to receive verbose output of the aveksa.keystore:
keytool -v -list -keystore aveksa.keystore;
You should see the certificate imported from the PFX, under the alias with the guid. Under the alias with the guid, you should see "Entry type: PrivateKeyEntry" underneath. You will also see the intermediate certificate(s) listed as Certificate... Certificate. The last certificate will be the root certificate.
Use the following command to rename the cert's alias to "server". Replace <originalalias> with the guid looking alias:
keytool -changealias -alias <originalalias> -destalias server -keystore ./aveksa.keystore;
In addition, the password protecting the private key may not have been changed to the overall keystore password. Use this command to change the private key password to the same password used to protect the keystore. You will be prompted for the passwords:
cd /home/oracle/keystore;keytool -keypasswd -alias server -keystore ./aveksa.keystore;
If you import the PFX into a keystore with a "server" alias, you will need to rename the existing server certificate to another alias before renaming the newly imported certificate/key to "server."
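The verification step described above (a PrivateKeyEntry under the alias "server", with the intermediate and root in its chain) can be scripted. The following is an added example, not part of the original thread or RSA's documentation; the function names, the sample listing and the chain-length threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check `keytool -v -list` output for the
# PrivateKeyEntry that RSA Via looks up under the default alias "server".

# Constructed, abbreviated listing: PFX key entry still under a GUID-like alias.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: 0f1e2d3c-constructed-guid-alias
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=igl.example.test

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Test Root CA
EOF
}

# Reads a listing on stdin; $1 = expected alias (assumed default: server).
# Exit: 0 ok, 1 key under another alias, 2 no private key, 3 chain too short.
check_listing() {
    awk -v want="${1:-server}" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { type[alias] = $3 }
        /^Certificate chain length: / { chain[alias] = $4 }
        END {
            for (a in type) if (type[a] == "PrivateKeyEntry") { n++; other = a }
            if (type[want] == "PrivateKeyEntry") {
                # Heuristic (assumption): a CA-signed cert needs issuer certs in its chain.
                if (chain[want] + 0 < 2) { print "SHORT-CHAIN: " want; exit 3 }
                print "OK: " want " chain length " chain[want]; exit 0
            }
            if (n > 0) { print "RENAME: " other " -> " want; exit 1 }
            print "NO-KEY"; exit 2
        }'
}

# Demo on the constructed listing; on a real server pipe keytool output instead:
#   keytool -v -list -keystore ./aveksa.keystore | check_listing server
sample_listing | check_listing server || true
```

A RENAME result corresponds to the -changealias step above; SHORT-CHAIN suggests the intermediate or root certificate was not imported with the key.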
Thanks Ronald for the input.
I was able to import the certificates that were all needed. In fact, there is an additional certificate which we required as an intermediate one.
After importing it, it works like a charm.
Steps I went through are below:
1. cd /home/oracle/keystore