AnsweredAssumed Answered

RSA Certificate

Question asked by Anis Azzabi on Dec 19, 2016
Latest reply on Jan 13, 2017 by Kevin Perkins

Like • Show 0 Likes0
Comment • 7

Hi all,

I'am facing an issue with RSA Via L&G certificate.

RSA is already configured with a certificate.

The customer delivered me a new certificate because the certification path has changed.

When I run this command

keytool -changealias -alias server -dest-alias server_old -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

keytool -import -v -noprompt -trustcacerts -alias server-file MyCertificate.cer -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

When I restart aveksa_service, the RSA Via L&G application is not reachable.

Any idea please.

Regards

Boris Lekumovich

Dec 19, 2016 5:51 PM

Correct Answer

See if this helps - Securing Via L&G with a customer-signed SSL Certificate

See the reply in context

No one else had this question

Outcomes

7 Replies

Diane Mccoy Dec 19, 2016 12:12 PM
Mark Correct
Correct Answer
Hi,
Did you import the root cert and any intermediate certs first?
Also I don't see a space between 'server and file' here: "-alias server-file MyCertificate.cer"
We don't use the 'changealias' command in our instructions.
Regards,
Diane
Like • Show 1 Like1
Actions
- Anis Azzabi @ Diane Mccoy on Dec 20, 2016 5:09 AM
  Mark Correct
  Correct Answer
  Hi,
  I deleted the old entry from aveksa.keystore
  And I run these commands :
  keytool -import -v -noprompt -trustcacerts -alias root -file ROOT-CA.cer -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
  keytool -import -v -noprompt -trustcacerts -alias server -file pprod-iag-synetisV2.cer -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
  When I run
  keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
  
  It shows me two entries one with the alias root and the other with the alias server
  I don't understand why I don't see Certificate [1] for my entry (pprod-iag-synetisV2.cer)
  
  Regards
  Like • Show 0 Likes0
  Actions
Boris Lekumovich Dec 19, 2016 5:51 PM
Unmark Correct
Correct Answer
See if this helps - Securing Via L&G with a customer-signed SSL Certificate
2 people found this helpful
Like • Show 0 Likes0
Actions
Vijayabaskar Balakrishnan Dec 20, 2016 2:16 AM
Mark Correct
Correct Answer
As Diane mentioned, You must import the intermediate certificate as well if the customer has any, root certificate alone will not be sufficient.

Follow the below steps and change the certificate file name according to yours:
1. cd /home/oracle/keystore
2. keytool -list -keystore ahgcert.pfx -storetype pkcs12
This is to list the pfx certificate details to get the alias and add it in step 5
3. keytool -import -v -trustcacerts -alias root -file Root.cer -keystore my.keystore -storepass Av3k5a15num83r0n3
4. keytool -import -v -trustcacerts -alias intermediate -file inter.cer -keystore my.keystore -storepass Av3k5a15num83r0n3
5. keytool -importkeystore -srckeystore ahgcert.pfx -srcstoretype pkcs12 -destkeystore my.keystore -deststoretype JKS -srcalias 4887e436d7d44b52b90bb3253a6f8d31 -destalias server -destkeypass Av3k5a15num83r0n3 -deststorepass Av3k5a15num83r0n3
6. keytool -list -keystore my.keystore -storepass Av3k5a15num83r0n3
7. cp -fp aveksa.keystore aveksa.keystore.ori
8. Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:
ls -l *.keystore
9. cp -pr my.keystore aveksa.keystore
10. acm restart
1 person found this helpful
Like • Show 2 Likes2
Actions
- Anis Azzabi @ Vijayabaskar Balakrishnan on Dec 20, 2016 11:10 AM
  Mark Correct
  Correct Answer
  I had successfully importer both web certificate and the root certificate and in the aveksa.keystore I got the certificate [1] and the certificate [2] but when I restart the service I can access to RSA Via L&G portal.
  
  For information the root certificate used now sha256, is that supported by RSA ?
  I didn't find any logs about that, any idea ?
  
  Regards
  Like • Show 0 Likes0
  Actions
  - Kevin Perkins @ Anis Azzabi on Jan 13, 2017 11:46 AM
    Mark Correct
    Correct Answer
    I believe my company is using SHA256 certificates in our environment without issue. Appendix A of the 7.0.1 installation guide says (when talking about upgrading from 5.5 or 6.x):
    Your existing server and client certificates are not affected if you have upgraded from an earlier product version, but RSA recommends that you migrate your server certificate and your AFX and remote agent certificates to SHA-256 after you have upgraded.
    Which implies that you can use SHA-256 certificates.
    
    By the way, please do not use the default keystore password, because some black-hat out there could very easily steal your keys that way. Edit: The installation guide states that the keystore password and the password used to protect the server certificate must be identical. See Appendix A > Managing the Keystore > Change the Default Aveksa Keystore Password.
    2 people found this helpful
    Like • Show 2 Likes2
    Actions
- Kevin Perkins @ Vijayabaskar Balakrishnan on Jan 13, 2017 12:03 PM
  Mark Correct
  Correct Answer
  I'm a bit confused. Looking at the installation guide (Appendix A) and based on what I've done, I've imported the root and intermediate certificates into the Java cacerts truststore ($JAVA_HOME/jre/lib/security/cacerts) and then imported our signed certificate into aveksa.keystore.
  
  The end result is that our aveksa.keystore contains one PrivateKeyEntry entry and $JAVA_HOME/jre/lib/security/cacerts contains three trustedCertEntry entries (entry type can be seen with -list -v). The certificate in aveksa.keystore has a certificate chain length of 4 (1 root, 2 intermedates, the signed certificate).
  Like • Show 0 Likes0
  Actions