RSA^® Identity Governance & Lifecycle Discussions

VijayabaskarBal · ‎2016-09-21

Customer doesn't want to see the certificate error warning when they login into IG & L.

How to remove this warning which is there in the address bar all the time as enclosed in the screenshot.

MHelmy · ‎2020-02-07

This is now documented in KB article https://community.rsa.com/docs/DOC-45963

EdwinMullie · ‎2016-09-21

The customer has to create / or request a certificate and install that conform the installation documentation (appendix A: Using a Signed Certificate for HTTP Access to RSA Via L&G)

regards

Edwin

VijayabaskarBal · ‎2016-09-21

I have one pfx file from customer to import in IG & L server. Still Should I follow the below steps:

1. Generate a Server Certificate
2. Generate a Certificate Signing Request
3. Import a Trusted Certificate
4. Import a Signed Server's Certificate into the RSA Via L&G Keystore

EdwinMullie · ‎2016-09-21

the pfx should contain the private key for the certificate so you can start at the import part (3 and or 4)

VijayabaskarBal · ‎2016-09-21

I tried with step 3:

Copied the pfx file into the /etc/alternatives/jre_openjdk/lib/security.

Gave a random alias name in the keytool import command. Getting the below errors.

1. Error - Tried with certificate password

2. Error - Tried with documentation password

SashaBrowning · ‎2016-10-07

Certificate management is one of those things that if you make a single mistake, you're better off starting from scratch. If you follow the Installation Guide you'll be golden (in v 6.9, it's chapter 7 on page 48). I think this year I had to do it twice.

I had to install the Root, Intermediate, and signed Server cert (in that order) to the following directories:

/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
/etc/alternatives/jre_openjdk/lib/security

Finally, you'll perform and "acm restart".

A/N: I see that you're also using your IP instead of a shortname/friendly name in your URL, make sure you have a DNS record in place.

VijayabaskarBal · ‎2016-10-09

You are right. I already done this for 3 times, but still no luck. I got the below steps from Support Team.

here are the steps you need to go through:

1. Go to the keystore directory:

cd /home/oracle/keystore

2. Import he root certificate in the new keystore "my.keystore". You will need to replace "root.pem" with the name of the root certificate.

keytool -import -v -trustcacerts -alias root -file root.pem -keystore my.keystore

3. If you have any intermediate certificates, you need to add them to the new keysotre as well. Please replace the "inter.pem" with the name of the intermediate certificate:

keytool -import -v -trustcacerts -alias intermediate -file inter.pem -keystore my.keystore

4. Now, you will need to import the pfx certificate.

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore my.keystore -deststoretype JKS -srcalias alias -destalias server

Please replace the following keywords:

- mypfxfile.pfx: your pfx certificate

- alias: the alias we got from the output of the last command, in your case the alia is 4887e436d7d44b52b90bb3253a6f81

5. Please send me a screenshot from this output before proceeding.

keytool -list -v -keystore my.keystore

6. cp -fp aveksa.keystore aveksa.keystore.ori

7. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:

ls -l *.keystore

8. cp -pr my.keystore aveksa.keystore

9. acm restart

I successfully imported the certificate, but i was unable to access the application itself. I had to rollback immediately.

Something went wrong, I'm not sure what it is.

RonaldRoberts · ‎2016-11-05

I have imported a PFX in the past, for SAS related project, and seen the guid appear as the certificate alias before with success. I manually changed the certificate alias in a separate step described below, but I believe the issue may be the certificate's private key password was not changed to the keystore's password, if the PFX file's password was different than the keystore password. The last command below can help you change it.

RSA Via, by default, looks for a certificate with an alias of "server" The new keystore created in the steps above may not have any certificate with that alias. [The alias and keystore password RSA Via uses can be changed to non-default values in the $AVEKSA_WILDFLY_HOME/standalone/configuration/aveksa-standalone-full.xml and similar files in lines containing "keystore_path"]

Use the following command to receive verbose output of the aveksa.keystore:

cd /home/oracle/keystore;
keytool -v -list -keystore aveksa.keystore;

You should see the certificate imported from the PFX, under the alias with the guid. Under the alias with the guid, you should see "Entry type: PrivateKeyEntry" underneath. You will also see the intermediate certificate(s) listed as Certificate[2]... Certificate[3]. The last certificate will be the root certificate.

Use the following command to rename the cert's alias to "server". Replace <originalalias> with the guid looking alias:

keytool -changealias -alias <originalalias> -destalias server -keystore ./aveksa.keystore;

In addition, the password protecting the private key may not have been changed, to the overall keystore password. Use this command to change the private key password to the same password used to protect the keystore. You will be prompted for the passwords:

cd /home/oracle/keystore;
keytool -keypasswd -alias server -keystore ./aveksa.keystore;

If you import the PFX into a keystore with a "server" alias, you will need to rename the existing server certificate to another alias before renaming the newly imported certificate/key to "server."

VijayabaskarBal · ‎2016-11-06

Thanks Ronald for the input.

I was able to import the certificates that were all needed. In fact, there is an additional certificate which we were required as an intermediate one.

After importing it, It works like charm.

Steps I went through are below:

1. cd /home/oracle/keystore

2. keytool -list -keystore ahgcert.pfx -storetype pkcs12

This is to list the pfx certificate details to get the alias and add it in step 5

3. keytool -import -v -trustcacerts -alias root -file Root.cer -keystore my.keystore -storepass Av3k5a15num83r0n3

4. keytool -import -v -trustcacerts -alias intermediate -file inter.cer -keystore my.keystore -storepass Av3k5a15num83r0n3

5. keytool -importkeystore -srckeystore ahgcert.pfx -srcstoretype pkcs12 -destkeystore my.keystore -deststoretype JKS -srcalias 4887e436d7d44b52b90bb3253a6f8d31 -destalias server -destkeypass Av3k5a15num83r0n3 -deststorepass Av3k5a15num83r0n3

6. keytool -list -keystore my.keystore -storepass Av3k5a15num83r0n3

7. cp -fp aveksa.keystore aveksa.keystore.ori

8. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:

ls -l *.keystore

9. cp -pr my.keystore aveksa.keystore

10. acm restart

This is the clear step by step procedure, you can follow once you get the PFX file from customer.

MHelmy · ‎2020-02-07

This is now documented in KB article https://community.rsa.com/docs/DOC-45963

View solution in original post

RSA® Identity Governance & Lifecycle Discussions

How to remove the Certificate error in the IG & L landing page?

RSA^® Identity Governance & Lifecycle Discussions