Article Number
000033356
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue
Quick Setup generates internal SHA-256 certificates by default for communication between RSA Authentication Manager 8.2 components, such as primary and replica instances and the web tier.
The SHA-256 digital certificates use the “SHA256withRSA” digital signature algorithm. The upgrade to RSA Authentication Manager 8.2 does not update the internal SHA-1 certificates used by earlier versions of Authentication Manager.
If your organization has policies that require you to use SHA-256 certificates for all network connections, you can run a command-line utility that upgrades the internal certificates to SHA-256.
Task
To upgrade the certificates, you must run the utility on the primary instance and each replica instance.
If your deployment includes a web tier, you must re-install the web tier and re-enable the virtual host.
You must generate and distribute new configuration files to any IPv4/IPv6 authentication agents or custom agents that were created with the RSA Authentication Agent API 8.5 or later for C or the RSA Authentication Agent API 8.5 or later for Java.
You might also need to add the new certificates to the list of trusted CAs for your web browser and to any Authentication Manager administrative SDK connections.
Resolution
Before You Begin:
• You must be an Operations Console Administrator.
• Obtain the rsaadmin operating system password for the primary instance and each replica instance.
• Secure shell (SSH) must be enabled on every appliance in your deployment.
Procedure:
1. Launch the SSH client, and connect to the primary instance using the IP address or fully qualified hostname.
2. When prompted, type the operating system User ID, rsaadmin, and press ENTER.
3. When prompted, type the password for the rsaadmin operating system account, and press ENTER.
4. Change directories to /opt/rsa/am/utils. Type:
cd /opt/rsa/am/utils/
and press ENTER.
5. Run manage-ssl-cert to upgrade the certificates to SHA-256. Type:
./rsautil manage-ssl-cert --regen-internal-ca
6. When prompted, enter your Operations Console administrator User ID, and press ENTER.
7. When prompted, enter your Operations Console administrator password, and press ENTER.
When the internal certificates have been upgraded to SHA-256, the following message appears:
Created backup of current keystores at:
/opt/rsa/am/server/security/JKS_BACKUP_number
Customer-provided SSL certificates were retained.
Created primary keystore ZIP: primary-keystores.zip
Command completed successfully.
where number is a uniquely generated value.
8. Copy the primary-keystores.zip file to the /opt/rsa/am/utils directory on each replica instance in your deployment. For example, use Secure FTP.
9. Restart the primary instance for the changes to take effect. Do the following:
a. Change the directory. Type cd /opt/rsa/am/server and press ENTER.
b. Type ./rsaserv restart all and press ENTER.
10. On the primary instance, close the SSH client. Type exit and press ENTER.
11. You must now upgrade the certificates on each replica instance. Launch the SSH client, and connect to the replica instance using the IP address or fully qualified hostname.
12. When prompted, type the operating system User ID, rsaadmin, and press ENTER.
13. When prompted, type the password for the rsaadmin operating system account, and press ENTER.
14. Change directories to /opt/rsa/am/utils. Type:
cd /opt/rsa/am/utils/
and press ENTER.
15. Run manage-ssl-cert to upgrade the certificates to SHA-256. On a replica instance this command uses the --keystore-zip option to pass the name of the primary-keystores.zip file copied from the primary instance. Type:
./rsautil manage-ssl-cert --regen-internal-ca --keystore-zip primary-keystores.zip
16. When prompted, enter your Operations Console administrator User ID, and press ENTER.
17. When prompted, enter your Operations Console administrator password, and press ENTER.
When the internal certificates have been upgraded to SHA-256, the following message appears:
Created backup of current keystores at:
/opt/rsa/am/server/security/JKS_BACKUP_number
Command completed successfully.
where number is a uniquely generated value.
18. Restart the replica instance for the changes to take effect. Do the following:
a. Change the directory. Type cd /opt/rsa/am/server and press ENTER.
b. Type ./rsaserv restart all and press ENTER.
19. On the replica instance, close the SSH client. Type exit and press ENTER.
20. Repeat step 11 through step 19 for each replica instance.
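After the restart on each instance, confirm that the certificate actually presented on the wire is SHA-256 signed rather than trusting the utility's success message alone. The following shell functions are an added example written for this article, not part of the RSA utility or its documentation; they use only the openssl command-line tool (assumed to be on PATH on the machine you run them from). Any hostnames, ports and file paths are placeholders you must replace with the values for your deployment.

```shell
#!/bin/sh
# Added example (not RSA code): report the signature algorithm of an X.509
# certificate, either from a PEM file or from the leaf certificate a TLS
# endpoint presents, and flag anything that is not SHA-256 signed.
# Assumes: the openssl CLI is installed; hostnames/ports below are placeholders.

# Pull the "Signature Algorithm:" field out of `openssl x509 -text` output.
# The field appears twice (TBS certificate header and trailer); use the first.
extract_sig_alg() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Signature algorithm of a PEM-encoded certificate file.
pem_sig_alg() {
    openssl x509 -in "$1" -noout -text | extract_sig_alg
}

# Signature algorithm of the leaf certificate presented by host:port.
# </dev/null closes the session immediately after the handshake.
server_sig_alg() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | extract_sig_alg
}

# Return 0 if the algorithm name is a SHA-256 signature, 1 otherwise
# (sha1WithRSAEncryption, md5WithRSAEncryption, etc. all fail).
is_sha256_sig() {
    case "$1" in
        sha256WithRSAEncryption|ecdsa-with-SHA256) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one PEM file and print a one-line verdict for the change record.
check_pem() {
    alg=$(pem_sig_alg "$1")
    if is_sha256_sig "$alg"; then
        echo "OK   $1: $alg"
        return 0
    fi
    echo "FAIL $1: ${alg:-unreadable} (expected SHA-256)"
    return 1
}

# Check one live endpoint the same way.
check_server() {
    alg=$(server_sig_alg "$1" "$2")
    if is_sha256_sig "$alg"; then
        echo "OK   $1:$2: $alg"
        return 0
    fi
    echo "FAIL $1:$2: ${alg:-no certificate} (expected SHA-256)"
    return 1
}

# Example usage (placeholder hostnames and ports; adjust to your deployment):
#   check_server am-primary.example.com 7002
#   check_server am-replica1.example.com 7002
#   check_pem /path/to/exported-internal-ca.pem
```

Run `check_server` against the primary and every replica from a host that can reach them, and against the web tier once it has been re-installed; a FAIL line on any instance means that instance still serves a pre-upgrade certificate and steps 11 to 19 need to be repeated there.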
Notes
See the product documentation, including TLS12UpdateGuide.pdf.