How to export console certificate for importing to new appliance ?
Hi Folks!
Planning to have my appliances replaced by new ones, I need to export the current in-place certificates (console & virtual host).
I have the JKS webserver-identity.jks, and tried to export it into P12 format, but now I can't import it back into the OC of my freshly installed appliance.
It complains about the password, but I'm sure it's the right one.
Does anyone know what the problem could be?
Kind Regards,
David
- Tags:
- am 8.3 appliance
- appliance replacement
- backuprestore certificates
- Certificate
- Community Thread
- console certificate
- convert certificate
- Discussion
- export
- Forum Thread
- import
- Integration
- Integrations
- jks
- key pair
- p12
- RSA SecurID
- RSA SecurID Access
- RSA SecurID Integration
- SecurID
The /opt/rsa/am/server/logs/ops-console.log should have the reason, which is not that you did not type the correct password but probably something like the password was encrypted with RC2 so is not FIPS compliant.
When you exported the Cert as a P12 per our instructions, https://community.rsa.com/docs/DOC-46842 you need the private key password which will be included in the P12. The default settings encrypt the private key password with RC2, which is the likely cause of your problem, and documented in this KB, 000034200 - Importing an SSL console certificate PKCS#12 file to the RSA Authentication Manager 8.2 Operations Console f…
So if this is your problem (check the ops-console.log) you need a way to encrypt the private key with a FIPS compliant cipher.
The work-around in the 34200 KB has some syntax for manipulating the P12 with openssl, but KeyStore Explorer probably also allows for this.
This KB 000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file uses keytool to export the certificate and key pair, so there should be a way to have the private key encrypted with a FIPS compliant cipher.
The KeyStore Explorer web site has release notes, but I did not see FAQs or a support forum.
One more thing to check: when you export, the destination password must be the SSL Server Identity Certificate Private Key Password, because when you import a PKCS#12 in the Ops Console you only get to enter one password, which is used twice, first for the file and second for the private key.
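The two points above (re-encrypting the P12 with a FIPS-allowable cipher instead of the RC2-40 default, and using one password for both the file and the private key) as an added openssl helper; this is example code, not from the thread, RSA or the cited KB articles, and it assumes only the openssl CLI (1.1.1 or 3.x) is available:

```shell
#!/bin/sh
# Added example: re-encrypt a PKCS#12 whose bags use the legacy default
# PBE/PKCS12/SHA1/RC2/CBC/40 (rejected by the Ops Console in FIPS 140 mode)
# with PBES2/AES-256-CBC and a SHA-256 MAC. One password is used for the
# file MAC and the shrouded key, matching the single password the Ops
# Console asks for on import. "pass:" on the command line is visible in
# the process list; use -passin/-passout file: on shared hosts.
set -eu

# Print the PBE and MAC algorithm lines openssl reports for a PKCS#12.
# $1 = file, $2 = password. openssl writes its -info lines to stderr.
p12_algs() {
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -nokeys -nocerts 2>&1 \
        | grep -E 'PKCS7 Encrypted data|Shrouded Keybag|MAC:' || true
}

# Exit 0 if any bag or MAC in the file still uses RC2 (not FIPS-allowable).
p12_uses_rc2() {
    p12_algs "$1" "$2" | grep -qi 'RC2'
}

# Dump key and certs as PEM on stdout. OpenSSL 3 needs the legacy provider
# to read RC2-encrypted bags, so retry with -legacy if the plain call fails.
p12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null \
        || openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -legacy
}

# $1 = input .p12/.pfx, $2 = output file, $3 = password (used for both the
# integrity MAC and the private key bag). openssl pkcs12 -export reads its
# input twice, so the unencrypted PEM goes to a 0600 temp file briefly.
p12_reencrypt() {
    pem=$(mktemp)
    p12_to_pem "$1" "$3" > "$pem"
    openssl pkcs12 -export -in "$pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$3" -out "$2"
    rm -f "$pem"
    # Fail if the result is still not FIPS-friendly.
    ! p12_uses_rc2 "$2" "$3"
}
```

Run `p12_algs old.p12 'pw'` first to confirm RC2 is the reason, then `p12_reencrypt old.p12 new.p12 'pw'` and import new.p12 with that same password.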
Hi Jay!
Thanks for the feedback on my issue.
I just read all the KBs you mentioned in your answers,
and mainly the very last point dealing with the passwords.
I'm going to put it all together and give it a new try.
I have to write the precise sequence, from the JKS file till the restore in the new appliance Operations Console.
I'll give you feedback then!
Thanks very much for helping and the clues!
As suggested, I tailed the /opt/rsa/am/server/logs/ops-console.log file while importing, and:
@@@2019-02-07 16:10:02,007 ERROR [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] GUILog.traceException(587) | exception:
com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
at com.rsa.ims.security.tools.ssl.ImportSSLCertConsoleHelper.importP12File(ImportSSLCertConsoleHelper.java:573)
at com.rsa.ims.web.operationsconsole.action.ConsoleCertManagementAction.importCert(ConsoleCertManagementAction.java:668)
Kind Regards,
David
Hi Jay!
Putting all this together this morning before proceeding on my appliances, I can read on KB 000032627 - How to export RSA Authentication Manager 8.0 and 8.1 Web Tier Virtual Host Key Pair to a PFX file that:
NOTE: This solution does not work in Authentication Manager 8.2. This article will be updated at a later date.
So as I am on AM 8.3, I'm wondering if I should proceed, or if you know where I can find the updated version for AM 8.3?
Kind Regards,
David
Just tried these:
[DEV] root@s00: ~/certs $ keytool -v -importkeystore -srckeystore webserver-identity-s70.jks -srcalias server_identity_key -destkeystore s70.jks
Importing keystore webserver-identity-s70.jks to s70.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Enter key password for <server_identity_key>
[Storing s70.jks]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore s70.jks -destkeystore s70.jks -deststoretype pkcs12".
----
[DEV] root@s00: ~/certs $ keytool -v -importkeystore -srckeystore s70.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore s70-keypair.pfx
Importing keystore s70.jks to s70-keypair.pfx...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias server_identity_key successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing s70-keypair.pfx]
After that, I am still not able to import the cert:
@@@2019-02-08 09:42:20,423 ERROR [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] GUILog.traceException(587) | exception:
com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
at com.rsa.ims.security.tools.ssl.ImportSSLCertConsoleHelper.importP12File(ImportSSLCertConsoleHelper.java:573)
Kind Regards,
David