Article Number
000038979
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager, Authentication Manager Prime
Platform: Linux
Issue
- When a user tries to authenticate to either HDAP or SSP, the authentication fails with the following message:
Authentication Failed
- Alternatively, the UI loops back to the login screen.
- The following error is in the am8.log:
2020-06-08T21:33:59,179+0200,com.rsa.ucm.am8,27,INFO ,[RESULT_STATUS]:
getContext completes in 64ms. Result: (false)
Message: org.springframework.remoting.RemoteAccessException :
Could not access HTTP invoker remote service at [/ims-ws/httpinvoker/CommandServer];
nested exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Cause
The RSA Authentication Manager Integration Server (AMIS) server does not trust the RSA Authentication Manager certificate. The connection between the RSA Authentication Manager Prime Kit server and RSA Authentication Manager fails, causing the authentication failure.
Resolution
To correct this issue, import the RSA Authentication Manager root certificate into the AMIS truststore.jks.
- Log in to the RSA Authentication Manager Prime server CLI.
- Run the following command to get the RSA Authentication Manager root certificate. Replace am84.testlab.com with your RSA Authentication Manager FQDN.
# openssl s_client -connect am84.testlab.com:7002 -showcerts
CONNECTED(00000003)
depth=1 CN = RSA root CA for am84.testlab.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/CN=am84.testlab.com
i:/CN=RSA root CA for am84.testlab.com
-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIQd7RyY5YpUjNT6BcaLREYFjANBgkqhkiG9w0BAQsFADAs
MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN
MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFhbTg0LnNh
YmVybGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAItEiCH8
cm84nd9ak9zyLxJEjLndgPTzYBXSVmsSkO8mVRchNhg4QcoImj2Vb/oOcs3DAybC
/cnNOXgACiiA0l3hKjx6Yuno8zW36wI4PO3wsIp4BYgN16WLjECArJsZilYHRMBx
4LgXVLcCNRNDVclDoWu9Tzi2XdXug+Fr1hCK74amhzHj1hmRLKxc0dO1XKaaht3G
XC0kgg7Bn8zgx1EQ+0NSbJC9s8qC6pY2b3kasKAkkWx67z40zg744vZWs4cObn41
iG2WpxNGQkrrIZK+fAZ7W9tNdQFwA+PAUipmF05krh4NaJFcX/Zd9NEmHElsMHRi
BrvVCUJdmorWXQUCAwEAAaMuMCwwDAYDVR0TAQH/BAIwADAcBgNVHREEFTATghFh
bTg0LnNhYmVybGFiLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAjx3FxuGBQtpy1PY0
8zDK+swMQQZGrA0O7evx02hnJgialETxlH9nPA1aOlvOtds0YJNf0qrsX+auylxm
28b67e61bTzMqcJGXEnyDwVn4k1+sKi6L7q++bVaWOAFNtv3DlqcQG+oAviJsk2v
PRj1OqRdcP2nVvFosaWCI5KiK9fjI9FIzKDVWM62BGyOLzSlzJPPc/q9dvi5Tqwq
G4vrK82xyH0kPnOH/9edSVXypEhVRVONDPzjQ+Wm/UqQaQ6y/rny3KjUMQIqORjG
psh0kbkQMPiPP7HizJiUmlC83rIkEbMjSQgUtlEyEH9C06YVyVQwWs5tRuSLV3d0
ds2oTQ==
-----END CERTIFICATE-----
1 s:/CN=RSA root CA for am84.testlab.com
i:/CN=RSA root CA for am84.testlab.com
-----BEGIN CERTIFICATE-----
MIIDFjCCAf6gAwIBAgIQQG5GCR508OGVjrg3mG5FlDANBgkqhkiG9w0BAQsFADAs
MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN
MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFSU0Egcm9v
dCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCg0dOTxAdWKfDsViAZ5tQHmJ5mxdzwrkXFDfmqVbixIr6T1GM+
nah+rfTecjkbs4Q8+VnN341eTFdTkgD0CCBdemMm1abH2YviiyqV3qYXuVggDR/J
cuO66oVS2lZqbxfUaT4V/oTH2PqWFVz5XHHcLQycFgTgOuFPAzKZhb3B7HaRngGX
KNjHTbXkdKeRoxtjJC0Frj9liZaxZ3XcTH9aSB5+dWNn14W81Fxb+oao/wf8O0o9
kXIZ8rzkIvKO7Btr5yz8NpqpYjm/4s8j4TXUz5dm4aJU7RQCSyEG6QpxnYinte0k
DcWoCzyT3NSOYlMvm/t1rJFwH2c97gBcSBzjAgMBAAGjNDAyMBIGA1UdEwEB/wQI
MAYBAf8CAQEwHAYDVR0RBBUwE4IRYW04NC5zYWJlcmxhYi5jb20wDQYJKoZIhvcN
AQELBQADggEBAD5wsTkk9rEKFdp1NbLHdPjdhEn91BlMlj047Nq/5KvD85THWd73
MpM/V9Vfx3SR+t8vXmPRD1C5NlxaCR2Q9nscMX3xl337s1dVXN0BT11vzZiG3OAD
3b2yOCrGTL8NYggtgWzD9FVAnbiIqM7RduckpvpwzK2Y3weekBVAkelmWGoRuYtv
CF36UUghEKYd3a4vjIJmoLasDn/meW6IQB0RO1LTggRhBRRRcxt+e2dHWc+WnDr4
lX6ODLY7U2I5+4n1Vyq/42bvXVsAuijS90khbHAx9GTo1nqTQRmUri4X9bTjH8lF
e6ftQ6yfEn2Upms6uTPu66KBPED+7wZtsP4=
-----END CERTIFICATE-----
- Create a new certificate file:
touch /tmp/amrootCA.cer
- Open the new /tmp/amrootCA.cer in a text editor and copy the root CA certificate into that file:
-----BEGIN CERTIFICATE-----
MIIDFjCCAf6gAwIBAgIQQG5GCR508OGVjrg3mG5FlDANBgkqhkiG9w0BAQsFADAs
MSowKAYDVQQDDCFSU0Egcm9vdCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wHhcN
MTkwNTA5MTgzODUxWhcNMzcwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFSU0Egcm9v
dCBDQSBmb3IgYW04NC5zYWJlcmxhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCg0dOTxAdWKfDsViAZ5tQHmJ5mxdzwrkXFDfmqVbixIr6T1GM+
nah+rfTecjkbs4Q8+VnN341eTFdTkgD0CCBdemMm1abH2YviiyqV3qYXuVggDR/J
cuO66oVS2lZqbxfUaT4V/oTH2PqWFVz5XHHcLQycFgTgOuFPAzKZhb3B7HaRngGX
KNjHTbXkdKeRoxtjJC0Frj9liZaxZ3XcTH9aSB5+dWNn14W81Fxb+oao/wf8O0o9
kXIZ8rzkIvKO7Btr5yz8NpqpYjm/4s8j4TXUz5dm4aJU7RQCSyEG6QpxnYinte0k
DcWoCzyT3NSOYlMvm/t1rJFwH2c97gBcSBzjAgMBAAGjNDAyMBIGA1UdEwEB/wQI
MAYBAf8CAQEwHAYDVR0RBBUwE4IRYW04NC5zYWJlcmxhYi5jb20wDQYJKoZIhvcN
AQELBQADggEBAD5wsTkk9rEKFdp1NbLHdPjdhEn91BlMlj047Nq/5KvD85THWd73
MpM/V9Vfx3SR+t8vXmPRD1C5NlxaCR2Q9nscMX3xl337s1dVXN0BT11vzZiG3OAD
3b2yOCrGTL8NYggtgWzD9FVAnbiIqM7RduckpvpwzK2Y3weekBVAkelmWGoRuYtv
CF36UUghEKYd3a4vjIJmoLasDn/meW6IQB0RO1LTggRhBRRRcxt+e2dHWc+WnDr4
lX6ODLY7U2I5+4n1Vyq/42bvXVsAuijS90khbHAx9GTo1nqTQRmUri4X9bTjH8lF
e6ftQ6yfEn2Upms6uTPu66KBPED+7wZtsP4=
-----END CERTIFICATE-----
- Check the AMIS setenv.sh file (by default it is in <Prime_installation_directory>/configs/amis/tomcat-amis/setenv.sh) to confirm the truststore.jks location and password:
#!/bin/sh
# AM PRIME VARIABLES =============================================================
# OPTIONAL TO UPDATE
TOMCAT_HTTPS_PORT=8443
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.file=$AMPRIMECWD/certificates/amis_keystore_new.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.pass='password'"
export CATALINA_OPTS="$CATALINA_OPTS -Dssl.alias=amis"
export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=$AMPRIMECWD/certificates/truststore.jks"
export CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword='password'"
#export CATALINA_OPTS="$CATALINA_OPTS -Dsyslog.server=logs.company.com"
...
- Import the certificate into the truststore.jks. Enter the file password when prompted. The installation directory might be different to each instance, but the file names are the same.
/opt/rsa/primekit/java/latest/bin/keytool -import -alias am8rootca \
-file /tmp/amrootCA.cer -keystore /opt/rsa/primekit/certificates/truststore.jks
Enter keystore password:
- When prompted whether to trust the certificate, type yes and press Enter.
Trust this certificate? [no]: yes
Certificate was added to keystore
- Restart the RSA Authentication Manager Prime Kit services:
service tomcat-amis restart
service tomcat-hdap restart
service tomcat-ssp restart
Notes
- The RSA Authentication Manager Prime Kit installation directory will differ from one environment to the other. The administrator should be aware of the installation directory. However, the subdirectories and file names will not change.
- Restarting the service steps will differ from one environment to the other. The administrator should know how to restart a certain service in their environment.