AnsweredAssumed Answered

How to remove the Certificate error in the IG & L landing page?

Question asked by Vijayabaskar Balakrishnan

on Sep 21, 2016
Latest reply on Feb 7, 2020 by Mostafa Helmy

Like • Show 0 Likes0
Comment • 9

Customer doesn't want to see the certificate error warning when they login into IG & L.

How to remove this warning which is there in the address bar all the time as enclosed in the screenshot.

Mostafa Helmy

Feb 7, 2020 4:46 AM

Correct Answer

This is now documented in KB article 000030130 - Replacing the server certificate used for the RSA Identity Governance & Lifecycle appliance web administration interface

See the reply in context

Attachments

CertificateError.PNG68.8 KB

No one else had this question

Outcomes

9 Replies

Edwin Mullie Sep 21, 2016 3:57 AM
Mark Correct
Correct Answer
The customer has to create / or request a certificate and install that conform the installation documentation (appendix A: Using a Signed Certificate for HTTP Access to RSA Via L&G)

regards

Edwin
Like • Show 0 Likes0
Actions
- Vijayabaskar Balakrishnan @ Edwin Mullie on Sep 21, 2016 4:07 AM
  Mark Correct
  Correct Answer
  I have one pfx file from customer to import in IG & L server. Still Should I follow the below steps:
  
  1. Generate a Server Certificate
  2. Generate a Certificate Signing Request
  3. Import a Trusted Certificate
  4. Import a Signed Server's Certificate into the RSA Via L&G Keystore
  Like • Show 0 Likes0
  Actions
  - Edwin Mullie @ Vijayabaskar Balakrishnan on Sep 21, 2016 4:11 AM
    Mark Correct
    Correct Answer
    the pfx should contain the private key for the certificate so you can start at the import part (3 and or 4)
    Like • Show 0 Likes0
    Actions
    - Vijayabaskar Balakrishnan @ Edwin Mullie on Sep 21, 2016 5:10 AM
      Mark Correct
      Correct Answer
      I tried with step 3:
      
      Copied the pfx file into the /etc/alternatives/jre_openjdk/lib/security.
      Gave a random alias name in the keytool import command. Getting the below errors.
      
      1. Error - Tried with certificate password
      2. Error - Tried with documentation password
      
      Like • Show 0 Likes0
      Actions
Sasha Browning Oct 7, 2016 7:19 PM
Mark Correct
Correct Answer
Certificate management is one of those things that if you make a single mistake, you're better off starting from scratch. If you follow the Installation Guide you'll be golden (in v 6.9, it's chapter 7 on page 48). I think this year I had to do it twice.

I had to install the Root, Intermediate, and signed Server cert (in that order) to the following directories:
- /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
- /etc/alternatives/jre_openjdk/lib/security
Finally, you'll perform and "acm restart".

A/N: I see that you're also using your IP instead of a shortname/friendly name in your URL, make sure you have a DNS record in place.
Attachments
- RSA_IMG_v6.9_Installation_Guide.pdf325.5 KB
Like • Show 1 Like1
Actions
- Vijayabaskar Balakrishnan @ Sasha Browning on Oct 9, 2016 9:35 PM
  Mark Correct
  Correct Answer
  You are right. I already done this for 3 times, but still no luck. I got the below steps from Support Team.
  
  here are the steps you need to go through:
  1. Go to the keystore directory:
  cd /home/oracle/keystore
  2. Import he root certificate in the new keystore "my.keystore". You will need to replace "root.pem" with the name of the root certificate.
  keytool -import -v -trustcacerts -alias root -file root.pem -keystore my.keystore
  3. If you have any intermediate certificates, you need to add them to the new keysotre as well. Please replace the "inter.pem" with the name of the intermediate certificate:
  keytool -import -v -trustcacerts -alias intermediate -file inter.pem -keystore my.keystore
  4. Now, you will need to import the pfx certificate.
  keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore my.keystore -deststoretype JKS -srcalias alias -destalias server
  Please replace the following keywords:
  - mypfxfile.pfx: your pfx certificate
  - alias: the alias we got from the output of the last command, in your case the alia is 4887e436d7d44b52b90bb3253a6f81
  5. Please send me a screenshot from this output before proceeding.
  keytool -list -v -keystore my.keystore
  6. cp -fp aveksa.keystore aveksa.keystore.ori
  7. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:
  ls -l *.keystore
  8. cp -pr my.keystore aveksa.keystore
  9. acm restart
  
  I successfully imported the certificate, but i was unable to access the application itself. I had to rollback immediately.
  
  Something went wrong, I'm not sure what it is.
  Like • Show 0 Likes0
  Actions
  - Ronald Roberts @ Vijayabaskar Balakrishnan on Nov 5, 2016 9:03 PM
    Mark Correct
    Correct Answer
    I have imported a PFX in the past, for SAS related project, and seen the guid appear as the certificate alias before with success. I manually changed the certificate alias in a separate step described below, but I believe the issue may be the certificate's private key password was not changed to the keystore's password, if the PFX file's password was different than the keystore password. The last command below can help you change it.
    
    RSA Via, by default, looks for a certificate with an alias of "server" The new keystore created in the steps above may not have any certificate with that alias. [The alias and keystore password RSA Via uses can be changed to non-default values in the $AVEKSA_WILDFLY_HOME/standalone/configuration/aveksa-standalone-full.xml and similar files in lines containing "keystore_path"]
    
    Use the following command to receive verbose output of the aveksa.keystore:
    cd /home/oracle/keystore;
    keytool -v -list -keystore aveksa.keystore;
    
    You should see the certificate imported from the PFX, under the alias with the guid. Under the alias with the guid, you should see "Entry type: PrivateKeyEntry" underneath. You will also see the intermediate certificate(s) listed as Certificate[2]... Certificate[3]. The last certificate will be the root certificate.
    
    Use the following command to rename the cert's alias to "server". Replace <originalalias> with the guid looking alias:
    keytool -changealias -alias <originalalias> -destalias server -keystore ./aveksa.keystore;
    In addition, the password protecting the private key may not have been changed, to the overall keystore password. Use this command to change the private key password to the same password used to protect the keystore. You will be prompted for the passwords:
    
    cd /home/oracle/keystore;
    keytool -keypasswd -alias server -keystore ./aveksa.keystore;
    If you import the PFX into a keystore with a "server" alias, you will need to rename the existing server certificate to another alias before renaming the newly imported certificate/key to "server."
    Like • Show 1 Like1
    Actions
    - Vijayabaskar Balakrishnan @ Ronald Roberts on Nov 6, 2016 5:54 AM
      Mark Correct
      Correct Answer
      Thanks Ronald for the input.
      
      I was able to import the certificates that were all needed. In fact, there is an additional certificate which we were required as an intermediate one.
      
      After importing it, It works like charm.
      
      Steps I went through are below:
      1. cd /home/oracle/keystore
      2. keytool -list -keystore ahgcert.pfx -storetype pkcs12
      This is to list the pfx certificate details to get the alias and add it in step 5
      3. keytool -import -v -trustcacerts -alias root -file Root.cer -keystore my.keystore -storepass Av3k5a15num83r0n3
      4. keytool -import -v -trustcacerts -alias intermediate -file inter.cer -keystore my.keystore -storepass Av3k5a15num83r0n3
      5. keytool -importkeystore -srckeystore ahgcert.pfx -srcstoretype pkcs12 -destkeystore my.keystore -deststoretype JKS -srcalias 4887e436d7d44b52b90bb3253a6f8d31 -destalias server -destkeypass Av3k5a15num83r0n3 -deststorepass Av3k5a15num83r0n3
      6. keytool -list -keystore my.keystore -storepass Av3k5a15num83r0n3
      7. cp -fp aveksa.keystore aveksa.keystore.ori
      8. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:
      ls -l *.keystore
      9. cp -pr my.keystore aveksa.keystore
      10. acm restart
      
      This is the clear step by step procedure, you can follow once you get the PFX file from customer.
      Like • Show 1 Like1
      Actions
Mostafa Helmy Feb 7, 2020 4:46 AM
Unmark Correct
Correct Answer
This is now documented in KB article 000030130 - Replacing the server certificate used for the RSA Identity Governance & Lifecycle appliance web administration interface
Like • Show 0 Likes0
Actions

How to remove the Certificate error in the IG & L landing page?

Attachments

Outcomes

Attachments

Related Content

Recommended Content