This article explains the following two scenarios:
How to regenerate the deleted Authentication Manager default server certificate.
How to resolve the following Java exception error that occurs when running the rsautil reset-server-cert command to restore the default console certificate on RSA Authentication Manager:
Open an SSH session using an SSH client, such as PuTTy, to the RSA Authentication Manager primary server.
Login as rsaadmin and enter the operating system password.
Note that during Quick Setup another username may have been selected. Use that username to login.
Go to /opt/rsa/am/utils/.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
Run the ./rsautil manage-ssl-cert --regen-internal-ca command to regenerate the RSA Authentication Manager default console certificate.
When prompted, enter the Operations Console administrator username and password:
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-ssl-cert --regen-internal-ca
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
Manage SSL Certificate Utility 22.214.171.124.0 (1388711)
Copyright (C) 2016 RSA Security Inc. All rights reserved.
Regenerating internal certificate authority and SSL certificates...
Created backup of current keystores at: /opt/rsa/am/server/security/JKS_BACKUP_3472436041899343669
Created primary keystore ZIP: primary-keystores.zip
Copy this file to each Replica instance and run this tool providing this file as the
parameter to the "--keystore-zip" option.
Command completed successfully.
The above command will also create a backup of the current keystores which will be saved to /opt/rsa/am/server/security/JKS_BACKUP_XXXXXXXXXXXXXXXXXXX
Once these steps are complete, elevate privileges to root and reboot the appliance by issuing the commands below:
rsaadmin@am82p:~> sudo su - root
rsaadmin's password: <enter operating system password>
am82p:/home/rsaadmin # reboot
Broadcast message from root (pts/0) (Wed Jun 20 08:15:08 2018):
The system is going down for reboot NOW!
Now the Java error will not occur while running the ./rsautil reset-server-cert command.
After reverting to the default certificate, the expired certificate will be listed as Inactive in the Operations Console under Deployment Configuration > Certificates > Console Certificate Management.