This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

RSA Authentication Manager 8.x Web Tier is not listening on TCP port 443

Article Number

000030264

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x Web Tier

Issue

Web tier not listening for the correct port 443 not on the list issue a net stack command active connections. Web Tier AdminServer.log shows.  
<Error> <WebLogicServer> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default 
(self-tuning)'> <<WLS Kernel>> <> <> <1431553005608> <BEA-000297> <Inconsistent security configuration, 
weblogic.management.configuration.ConfigurationException: Identity certificate has expired: [
  Version: V3
  Serial Number: 
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: SERIALNUMBER=17963287, CN=Go Daddy Secure Certification Authority, 
OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com
  Key: RSA (1.2.840.113549.1.1.1)
    Key value: ...

<Emergency> <Security> <ShortName> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default 
(self-tuning)'> <<WLS Kernel>> <> <> <1431553005686> <BEA-090034> <Not listening for SSL, 
java.io.IOException: Identity certificate has expired: [
  Version: V3
  Serial Number: 22155402301514726
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: SERIALNUMBER=17963287, CN=Go Daddy Secure Certification Authority, 
OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Validity From: Fri Apr 20 17:30:38 EDT 2012
           To:   Sat Apr 18 20:48:30 EDT 2015
  Subject Name: CN=*.'domain'.com, OU=Domain Control Validated, O=*.'domain'.com

While Authentication Manager imsTrace.log shows. 
@@@2015-05-13 17:34:15,108, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], 
(EJBRemoteTarget.java:302), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, ShortName.'domain'.com,,,,
Attempting downgraded connection protocol to EJB/2.1. 
@@@2015-05-13 17:34:26,030, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], 
(EJBRemoteTarget.java:316), trace.com.rsa.command.EJBRemoteTargetBase, ERROR, ShortName.'domain'.com,,,,
Unable to connect to downgraded EJB/2.1 command server.null

Cause

The virtual host certificate is expired, and secondarily Wild Card Certificates are not supported.

Resolution

Replace the expired Certificate.  RSA recommends not to use a Wildcard Certificate, which is to request a Device Certificate with a CSR for the specific Fully Qualified Domain Name of this server.  The Common Name, CN should equal the FQDN.

Or revert back to the original RSA self-signed Certificate, by activating it in the operations console.
Image descriptionImage description
 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-07-22 08:16 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.