This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

RSA Authentication Manager 8.x services do not start after activating a new console certificate

Article Number

000030659

Applies To

RSA Product Set: SecurID
RSA Product/ Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

  • After importing and activating a new console certificate, the AM services do not start and crash every time you try to start them.

  • Running the rsaserv script to start the services results in the output below:

rsaadmin@am81p:~> cd /opt/rsa/am/server/
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv status all
RSA Database Server                                        [RUNNING]
RSA Administration Server with Operations Console          [RUNNING]
RSA RADIUS Server Operations Console                       [SHUTDOWN]
RSA Runtime Server                                         [SHUTDOWN]
RSA RADIUS Server                                          [SHUTDOWN]
RSA Console Server                                         [SHUTDOWN]
RSA Replication (Primary)                                  [SHUTDOWN]
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv start all
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server:
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: - RSA Database Server          [RUNNING]   *****
RSA RADIUS Server Operations Console                       [FAILED]
Starting RSA Runtime Server: -

  • The following errors are present inside the /opt/rsa/am/server/logs/biztier.log and the /opt/rsa/am/server/logs/radiusoc.log files:

####<Jun 25, 2015 10:09:33 PM EDT> <Error> <Security> <am81p> <biztier> <[ACTIVE] ExecuteThread:
'0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1435284573908> <BEA-090870>
<The realm "rsa" failed to be loaded: weblogic.security.service.SecurityServiceException:
com.bea.common.engine.ServiceInitializationException:weblogic.security.spi.ProviderInitializationException:
A failure occurred attempting to load LDIF for provider Authorizer from file
/opt/rsa/am/appserver/weblogic/server/lib/XACMLAuthorizerInit.ldift..
weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException:
weblogic.security.spi.ProviderInitializationException:
A failure occurred attempting to load LDIF for provider Authorizer from file
/opt/rsa/am/appserver/weblogic/server/lib/XACMLAuthorizerInit.ldift.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl...
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:879)
    at weblogic.security.SecurityService.start(SecurityService.java:148)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

####<Jun 25, 2015 10:09:33 PM EDT> <Critical> <WebLogicServer> <am81p> <biztier>
<WrapperSimpleAppMain><<WLS Kernel>> <> <> <1435284573924> <BEA-000362> <Server failed. Reason: 
There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl....
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl....
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:148)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>

Cause

  • The Microsoft CA server used to sign the Authentication Manager certificate was set up using a CAPolicy.inf file having the attribute AlternateSignatureAlgorithm=1.
  • When AlternateSignatureAlgorithm is set to 1, the CA server signs the certificate using RSASSA-PSS as the signature algorithm instead of sha1RSA.
  • Currently Authentication Manager 8.0 and 8.1 fully support only certificates with Signature algorithm sha1RSA and Signature hash algorithm sha1.
  • The screenshots below show an example of one certificate signed using RSASSA-PSS as the Signature algorithm (services fail after activating this certificate), and another certificate that has sha1RSA as the Signature algorithm (can be activated normally).
Image descriptionImage description     Image descriptionImage description

Resolution

  1. To resolve this issue, login to the Authentication Manager server via SSH or using the vSphere console and run the below commands to revert back to the default self-signed certificate:

    rsaadmin@am81p:~> /opt/rsa/am/utils/rsautil reset-server-cert
    Please enter OC Administrator username: ocadmin
    Please enter OC Administrator password: *********
    Are you sure that you want to reset the following server certificate as the default
    server certificate? Y/N
    CN=am81p.vcloud.local
    : y
    Server certificate successfully reset. Restart all AM services to complete the process.
    rsaadmin@am81p:~> /opt/rsa/am/utils/rsaserv restart all
    Stopping RSA RADIUS Server:
    RSA RADIUS Server                                          [SHUTDOWN]
    Stopping RSA Runtime Server:
    RSA Runtime Server                                         [SHUTDOWN]
    Stopping RSA Console Server:
    RSA Console Server                                         [SHUTDOWN]
    Stopping RSA Replication (Primary):
    RSA Replication (Primary)                                  [SHUTDOWN]
    Stopping RSA Database Server: *
    RSA Database Server                                        [SHUTDOWN]
    Stopping RSA RADIUS Server Operations Console:
    RSA RADIUS Server Operations Console                       [SHUTDOWN]
    Stopping RSA Administration Server with Operations Console: **
    RSA Administration Server with Operations Console          [SHUTDOWN]
    Starting RSA Administration Server with Operations Console:
    Starting RSA Database Server: *************
    RSA Administration Server with Operations Console          [RUNNING]
    Starting RSA RADIUS Server Operations Console: / RSA Database Server         [RUNNING]    *****
    RSA RADIUS Server Operations Console                       [RUNNING]
    Starting RSA Runtime Server: ***************************
    RSA Runtime Server                                         [RUNNING]
    Starting RSA RADIUS Server: **
    RSA RADIUS Server                                          [RUNNING]
    Starting RSA Console Server: *
    Starting RSA Replication (Primary): ***
    RSA Replication (Primary)                                  [RUNNING]*****************
    RSA Console Server                                         [RUNNING]
    rsaadmin@am81p:/opt/rsa/am/server>

  2. After reverting back to the default self-signed certificate, correct the issue with the Certificate Authority by doing the following steps:
    1. On the Microsoft Certificate Authority server, open the registry editor tool (Start Run regedit > Ok).
    2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\caname\CSP\.
    3. On the right panel, double click the key called AlternateSignatureAlgorithm. The value will be set to 1, change it to 0 then save the change.
    4. Now restart the Active Directory Certificate Services service by clicking Start > Administrative Tools > Services. Right click on Active Directory Certificate Services (CertSvc), then click Restart.
    5. Generate a new CSR and sign it again from the CA. It will now be sha1RSA instead of RSASSA-PSS and can be activated without any issues.

Notes

  • Any certificates that were already setup have to be re-issued if you want them to have a sha1RSA Signature Algorithm.
  • Microsoft support should be contacted if further assistance with the CA server settings is required. There are several ways to set the above value to 0 including editing the CAPolicy.inf file or running a PowerShell command.
Tags (63)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:58 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.