Supported web browsers report messages when accessing either the Security Console or the Operations Console or the Self-Service Console.
Microsoft Internet Explorer reports "There is a problem with this website's security certificate."
Image description
Google Chrome reports "Your connection is not private."
Image description
Mozilla Firefox reports "Your connection is not secure"
Image description
The
Trusted Root Certification Authorities store of the Microsoft Windows workstation or server where the web browser is being used to access the Authentication Manager portals (Security Console, Operations Console and Self-Service Console) does not have the root CA certificate generated by the Authentication Manager instance during deployment.
Customers can replace the self-signed certificate created during the deployment of RSA Authentication Manager 8.1 software to remove the message presented in the web browser when accessing the Security Console, Operations Console or Self-Service Console. Instructions are provided in a section called Certificate Management for Secure Sockets Layer found in the RSA Authentication Manager 8.1 Administrator’s Guide (revision 1).
Alternatively, an administrator can add the Authentication Manager root CA certificate to the Trusted Root Certification Authorities store to avoid the web browser reporting the message.
Steps
- Access either the Operations Console or Security Console with a web browser (Google Chrome is used for this example).
- Click the padlock with the small red cross.
Image description
- The administrator is presented with the option to view the certificate:
Image description
- Click the Certificate information link.
- The server certificate is displayed.
Image description
- Click the Certificate Path tab and select the RSA root CA certificate.
- Now click View Certificate.
Image description
- After viewing the RSA root CA certificate click the Details tab.
- Click the Copy to File… button to save the certificate to a file.
Image description
Image description
- Click Next >.
Image description
- Select a format you want to use and click Next > button (we left the default in the example below).
Image description
- Enter a filename and click Next >.
Image description
- Click Finish.
Image description
- In Windows Explorer double-click the C:\RSA_root_CA.cer and the RSA root CA certificate is displayed
Image description
- Clicking the Install Certificate… button will enable the trust of the Authentication Manager root CA certificate in the Trusted Root Certification Authorities store.
Alternative access to the Authentication Manager root CA certificate
RSA Authentication Manager 8.1 uses JKS files to store certificates in /opt/rsa/am/server/security.
Listing of the password protected JKS files in /opt/rsa/am/server/security directory:
rsaadmin@am81p:/opt/rsa/am/server/security> ls -l *.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4136 Dec 6 2013 biztier-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 3197 Dec 6 2013 caStore.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4153 Dec 6 2013 console-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 2912 Dec 6 2013 trust.jks
-rw-r--r-- 1 rsaadmin rsaadmin 7295 Dec 6 2013 webserver-identity.jks
-rw-r--r-- 1 rsaadmin rsaadmin 4152 Dec 6 2013 webserver-inactive.jks
rsaadmin@am81p:/opt/rsa/am/server/security>
The Authentication Manager root CA certificate is stored in the caStore.jks file.
- Listing the contents of the caStore.jks file would be done with the command:
/opt/rsa/am/appserver/jdk/bin/keytool -export -keystore /opt/rsa/am/server/security/caStore.jks
- Exporting rsa-am-ca from the caStore.jks is done with the command:
/opt/rsa/am/appserver/jdk/bin/keytool -export -alias rsa-am-ca -file rsa-am-ca.crt -keystore /opt/rsa/am/server/security/caStore.jks
NOTE: Viewing the contents or exporting data from caStore.jks will require the Root Certificate Keystore File Password found by running ./rsautil manage-secrets –a listall from /opt/rsa/am/utils.
- Use a secure FTP client where SSH access to the operating system has been enabled via the Operations Console to copy the rsa-am-ca.crt file from the Authentication Manager instance.
For more information, see Microsoft TechNet article on
Manage Trusted Root Certificates.