SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000037195
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
Issue
A backup was restored into an Authentication Manager primary instance from another Authentication Manager deployment and the Operations Console reports the following message when retrieving the virtual host certificates.
Error retrieving Virtual Host Certificate list
:
Image description
This same message is also seen when creating a web-tier package via the Operations Console.
Error retrieving Virtual Host Certificate list
Image descriptionCause
Restoring a backup into a new Authentication Manager primary instance has an impact on the virtual host certificate retrieval which is currently under investigation by RSA.
The virtual host certificates are stored in a Java KeyStore (JKS) file and this file is password protected. On the restored Authentication Manager primary instance the cached password for the JKS file does not match the password of the restored JKS file containing the virtual host certificates hence the error reported Error retrieving Virtual Host Certificate list.
The virtual host certificates are stored in a Java KeyStore (JKS) file and this file is password protected. On the restored Authentication Manager primary instance the cached password for the JKS file does not match the password of the restored JKS file containing the virtual host certificates hence the error reported Error retrieving Virtual Host Certificate list.
Workaround
As a workaround you can follow these steps below to update the password of the restored JKS file to match the Authentication Manager primary instance cached password.
You will be prompted to enter a keystore password This is the SSL Server Identity Certificate Keystore File Password obtained in step 4. The SSL Server Identity Certificate Keystore File Password is expected to fail with the following message:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Add the -v parameter for verbose output (e. g., /opt/rsa/am/appserver/jdk/jre/bin/keytool -list –v -keystore /opt/rsa/am/server/security/vh-inactive.jks):
The output without verbose will be as follows:
rsaadmin@am84:/opt/rsa/am/utils> /opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
- If you have not done so already, enable Secure Shell access to the command line.
- Logon to the command line using the rsaadmin account credentials.
Note that during Quick Setup another user name may have been selected. Use that user name to login. This password would have been entered by the installer of the Authentication Manager instance, so this password is not known by RSA Customer Support.
- At the command line navigate to the /opt/rsa/am/utils directory:
cd /opt/rsa/am/utils
- Obtain the signing keys (passwords) for the JKS file. You will require the Operations Console username and password for this command.
rsaadmin@am84:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter Operations Console administrator user name>
Please enter OC Administrator password: <enter Operations Console administrator password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_inqqjwar
Command API Client User Password ......................: p8nlbxIVrc5xOqUNsWmBJPDQBtkT0k
SSL Server Identity Certificate Private Key Password ..: M8d8BgPMr7shYNramlONcfFaGZ6zhC
SSL Server Identity Certificate Keystore File Password : dtWbhw7nBN0ZcR6HALWaRU5qvwXjc0
Root Certificate Private Key Password .................: o4xiE057EwAUMyZaJ3Mcp1vdhOEpQB
Root Certificate Keystore File Password ...............: zF0aNSs7RNDT7U9kfZY7c0aTl6N5BH
The "listkeys" action displays the key names to use when setting the values.
rsaadmin@am84:/opt/rsa/am/utils>
Please enter OC Administrator password: <enter Operations Console administrator password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_inqqjwar
Command API Client User Password ......................: p8nlbxIVrc5xOqUNsWmBJPDQBtkT0k
SSL Server Identity Certificate Private Key Password ..: M8d8BgPMr7shYNramlONcfFaGZ6zhC
SSL Server Identity Certificate Keystore File Password : dtWbhw7nBN0ZcR6HALWaRU5qvwXjc0
Root Certificate Private Key Password .................: o4xiE057EwAUMyZaJ3Mcp1vdhOEpQB
Root Certificate Keystore File Password ...............: zF0aNSs7RNDT7U9kfZY7c0aTl6N5BH
The "listkeys" action displays the key names to use when setting the values.
rsaadmin@am84:/opt/rsa/am/utils>
Make a note of the SSL Server Identity Certificate Keystore File Password
- At the command line navigate to /opt/rsa/am/server/security:
cd /opt/rsa/am/server/security
- Make a copy of the vh-inactive.jks file
cp vh-inactive.jks vh-inactive.jks.BAK
- Check whether the SSL Server Identity Certificate Keystore File Password from the local Authentication Manager primary instance can access the JKS file:
/opt/rsa/am/appserver/jdk/jre/bin/keytool –list -keystore /opt/rsa/am/server/security/vh-inactive.jks
You will be prompted to enter a keystore password This is the SSL Server Identity Certificate Keystore File Password obtained in step 4. The SSL Server Identity Certificate Keystore File Password is expected to fail with the following message:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
- Use the keytool command to change the password of the /opt/rsa/am/server/security/vh-inactive.jks file to match the local Authentication Manager primary instance SSL Server Identity Certificate Keystore File Password:
rsaadmin@am84:/opt/rsa/am/utils> /opt/rsa/am/appserver/jdk/jre/bin/keytool -storepasswd -storepass zF0aNSs7RghdHALW3b7aRU5qvwXjc0 -new dtWbhw7nBN0ZcR6HALWaRU5qvwXjc0 -keystore /opt/rsa/am/server/security/vh-inactive.jks
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -destkeystore /opt/rsa/am/server/security/vh-inactive.jks -deststoretype pkcs12".
rsaadmin@am84:/opt/rsa/am/utils>
- Check the accessibility of the JKS file works with the local Authentication Manager primary instance SSL Server Identity Certificate Keystore File Password:
/opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Add the -v parameter for verbose output (e. g., /opt/rsa/am/appserver/jdk/jre/bin/keytool -list –v -keystore /opt/rsa/am/server/security/vh-inactive.jks):
The output without verbose will be as follows:
rsaadmin@am84:/opt/rsa/am/utils> /opt/rsa/am/appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/vh-inactive.jks
Enter keystore password: <enter keystore password>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
virtualhost-signing-ca, Feb 1, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
virtualhost, Feb 1, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 61:85:0D:64:36:E0:85:EB:79:21:79:E9:AA:B8:9C:9D:5C:09:63:5A
rsa-am-ca, Feb 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): DA:B3:69:E4:64:CF:68:E9:AC:B7:1B:6D:91:75:E5:83:4B:A3:3C:78
virtualhost-id-key, Feb 23, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 34:FC:0F:5B:22:10:DD:F8:69:8A:43:C9:21:80:59:AA:38:BD:26:B8
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -destkeystore /opt/rsa/am/server/security/vh-inactive.jks -deststoretype pkcs12".
rsaadmin@am84:/opt/rsa/am/utils>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
virtualhost-signing-ca, Feb 1, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 48:4F:9D:68:F9:1A:17:4B:33:12:3A:92:64:75:BB:E0:D9:72:ED:91
virtualhost, Feb 1, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 61:85:0D:64:36:E0:85:EB:79:21:79:E9:AA:B8:9C:9D:5C:09:63:5A
rsa-am-ca, Feb 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): DA:B3:69:E4:64:CF:68:E9:AC:B7:1B:6D:91:75:E5:83:4B:A3:3C:78
virtualhost-id-key, Feb 23, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 34:FC:0F:5B:22:10:DD:F8:69:8A:43:C9:21:80:59:AA:38:BD:26:B8
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/rsa/am/server/security/vh-inactive.jks -destkeystore /opt/rsa/am/server/security/vh-inactive.jks -deststoretype pkcs12".
rsaadmin@am84:/opt/rsa/am/utils>
- Check that you can access the virtual host certificate(s) from the Operation Console (Deployment Configuration > Certificates > Virtual Host Certificate Management). It would be expected that the virtual host certificate(s) are displayed.
- Disable Secure Shell access to the command line.
In this article
