This article explains the following two scenarios:
- How to regenerate the deleted Authentication Manager default server certificate.
- How to resolve the following Java exception error that occurs when running the rsautil reset-server-cert command to restore the default console certificate on RSA Authentication Manager:
- Open an SSH session using an SSH client, such as PuTTY, to the RSA Authentication Manager primary server.
- Log in as rsaadmin and enter the operating system password.
Note that during Quick Setup another username may have been selected. If so, use that username to log in.
- Go to /opt/rsa/am/utils/.
login as: rsaadmin
Using keyboard-interactive authentication.
Password:<enter operating system password>
Last login: Wed Jun 20 05:24:51 2018 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> cd /opt/rsa/am/utils
- Run the ./rsautil manage-ssl-cert --regen-internal-ca command to regenerate the RSA Authentication Manager default console certificate.
- When prompted, enter the Operations Console administrator username and password:
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-ssl-cert --regen-internal-ca
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
Manage SSL Certificate Utility 126.96.36.199.0 (1388711)
Copyright (C) 2016 RSA Security Inc. All rights reserved.
Regenerating internal certificate authority and SSL certificates...
Created backup of current keystores at: /opt/rsa/am/server/security/JKS_BACKUP_3472436041899343669
Created primary keystore ZIP: primary-keystores.zip
Copy this file to each Replica instance and run this tool providing this file as the
parameter to the "--keystore-zip" option.
Command completed successfully.
The above command also creates a backup of the current keystores, which is saved to /opt/rsa/am/server/security/JKS_BACKUP_XXXXXXXXXXXXXXXXXXX.
- Once these steps are complete, elevate privileges to root and reboot the appliance by issuing the commands below:
rsaadmin@am82p:~> sudo su - root
rsaadmin's password: <enter operating system password>
am82p:/home/rsaadmin # reboot
Broadcast message from root (pts/0) (Wed Jun 20 08:15:08 2018):
The system is going down for reboot NOW!
- Now the Java error will not occur while running the ./rsautil reset-server-cert command.
- After reverting to the default certificate, the expired certificate will be listed as Inactive in the Operations Console under Deployment Configuration > Certificates > Console Certificate Management.
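
An added check, not part of the original article or of RSA's tooling, for the artifacts the regeneration step reports creating: it confirms that a non-empty JKS_BACKUP_* directory exists, that primary-keystores.zip is present and not world-readable, and prints a SHA-256 digest to compare on each replica after the copy. The function name, the script name and the assumption that the ZIP was written to the directory the command was run from are illustrative.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the artifacts of --regen-internal-ca.
# Arguments (assumptions, adjust to your deployment):
#   $1  directory that holds the JKS_BACKUP_* folders
#   $2  path to primary-keystores.zip
check_regen_artifacts() {
  local sec_dir="$1" zip="$2" newest="" d

  # Pick the most recently modified JKS_BACKUP_* directory.
  for d in "$sec_dir"/JKS_BACKUP_*; do
    [ -d "$d" ] || continue
    if [ -z "$newest" ] || [ "$d" -nt "$newest" ]; then newest=$d; fi
  done
  if [ -z "$newest" ]; then
    echo "FAIL: no JKS_BACKUP_* directory under $sec_dir" >&2; return 1
  fi
  if [ -z "$(ls -A "$newest")" ]; then
    echo "FAIL: backup directory $newest is empty" >&2; return 2
  fi
  echo "OK: keystore backup present at $newest"

  # The ZIP must exist and be non-empty before it is copied to replicas.
  if [ ! -s "$zip" ]; then
    echo "FAIL: $zip is missing or empty" >&2; return 3
  fi
  # Keystore archives should not be readable by other local users.
  if [ -n "$(find "$zip" -prune -perm -004)" ]; then
    echo "FAIL: $zip is world-readable; run chmod 600 on it" >&2; return 4
  fi

  # Record the digest; compare it on each replica after the copy.
  echo "OK: sha256 $(sha256sum "$zip" | cut -d' ' -f1)  $zip"
}

# Run only when called with both arguments, e.g. (ZIP location assumed):
#   ./check_regen.sh /opt/rsa/am/server/security /opt/rsa/am/utils/primary-keystores.zip
if [ "$#" -eq 2 ]; then
  check_regen_artifacts "$1" "$2"
fi
```

Run the same sha256sum on the copied file on each replica before passing it to the "--keystore-zip" option; the digests should match.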