Upgrade Internal Authentication Manager Certificates to SHA-256

When you run Quick Setup to configure RSA Authentication Manager 8.2 or later, internal SHA-256 certificates are generated for communication between Authentication Manager components, such as primary and replica instances and the web tier. The SHA-256 digital certificates use the “SHA256withRSA” digital signature algorithm.

The upgrade to RSA Authentication Manager 8.2 does not update the internal SHA-1 certificates. If your organization has policies that require you to use SHA-256 certificates for all network connections, you can run a command-line utility that upgrades the internal certificates to SHA-256.

To upgrade the certificates, you must run the utility on the primary instance and each replica instance. If your deployment includes a web tier, you must re-install the web tier and re-enable the virtual host. You must generate and distribute new configuration files to any IPv4/IPv6 authentication agents or custom agents that were created with the RSA Authentication Agent API 8.5 or later for C or the RSA Authentication Agent API 8.5 or later for Java. You might also need to add the new certificates to the list of trusted CAs for your web browser and to any Authentication Manager administrative SDK connections.

Note: The internal certificates are only used by Authentication Manager components. Upgrading these certificates to SHA-256 is not required.

Before you begin

  • You must be an Operations Console Administrator.

  • Obtain the rsaadmin operating system password for the primary instance and each replica instance.

  • Secure shell (SSH) must be enabled on every appliance in your deployment. For instructions, see Enable Secure Shell on the Appliance.

Procedure

  1. Launch the SSH client, and connect to the primary instance using the IP address or fully qualified hostname.

  2. When prompted, type the operating system User ID, rsaadmin, and press ENTER.

  3. When prompted, type the password for the rsaadmin operating system account, and press ENTER.

  4. Change directories to /opt/rsa/am/utils. Type:

    cd /opt/rsa/am/utils/

    and press ENTER.

  5. Run manage-ssl-cert to upgrade the certificates to SHA-256. Type:

    ./rsautil manage-ssl-cert --regen-internal-ca

  6. When prompted, enter your Operations Console administrator User ID, and press ENTER.

  7. When prompted, enter your Operations Console administrator password, and press ENTER.

    Note: Although it is possible to enter the Operations Console administrator password on the command line, this creates a potential security vulnerability. RSA recommends that you enter passwords only when the utility presents a prompt.

    When the internal certificates have been upgraded to SHA-256, the message “Command completed successfully” appears.

  8. Copy the primary-keystores.zip file to the /opt/rsa/am/utils directory on each replica instance in your deployment. For example, use Secure FTP.

  9. Restart the primary instance for the changes to take effect. Do the following:

    1. Change the directory. Type cd /opt/rsa/am/server and press ENTER.

    2. Type ./rsaserv restart all and press ENTER.

  10. On the primary instance, close the SSH client. Type exit and press ENTER.

  11. You must now upgrade the certificates on each replica instance.

    Launch the SSH client, and connect to the replica instance using the IP address or fully qualified hostname.

  12. When prompted, type the operating system User ID, rsaadmin, and press ENTER.

  13. When prompted, type the password for the rsaadmin operating system account, and press ENTER.

  14. Change directories to /opt/rsa/am/utils. Type:

    cd /opt/rsa/am/utils/

    and press ENTER.

  15. Run manage-ssl-cert to upgrade the certificates to SHA-256. On a replica instance this command uses the --keystore-zip option to pass the name of the primary-keystores.zip file that you copied from the primary instance. Type:

    ./rsautil manage-ssl-cert --regen-internal-ca --keystore-zip primary-keystores.zip

  16. When prompted, enter your Operations Console administrator User ID, and press ENTER.

  17. When prompted, enter your Operations Console administrator password, and press ENTER.

    When the internal certificates have been upgraded to SHA-256, the message “Command completed successfully” appears.

  18. Restart the replica instance for the changes to take effect. Do the following:

    1. Change the directory. Type cd /opt/rsa/am/server and press ENTER.

    2. Type ./rsaserv restart all and press ENTER.

  19. On the replica instance, close the SSH client. Type exit and press ENTER.

  20. Repeat step 11 through step 19 for each replica instance.

After you finish

For any IPv4/IPv6 authentication agents or custom agents created with the RSA Authentication Agent API 8.5 or later for C or the RSA Authentication Agent API 8.5 or later for Java, you must do the following:

  1. Generate an updated sdconf.rec configuration file, and copy it to each agent host. For more information, see Generate the Authentication Manager Configuration File.

  2. On the agent host, clear the cache so that the old configuration data is removed from memory. For a web-based agent, for example, see your browser documentation.

For any administrative SDK connections, such as a custom application developed with the RSA Authentication Agent API, configure a new certificate into the trusted keystore on the client.

If two or more of your RSA Authentication Manager realms have a trust relationship, which gives users on one realm permission to authenticate to another realm and access the resources on that realm, you must re-establish trust. For instructions, see Creating a Trust Relationship.

If your deployment includes a web tier, you must do the following:

  • Uninstall the web tier. Uninstalling the web tier removes the web tier and all features and components of RSA Authentication Manager from the web-tier server. Uninstalling a web tier does not delete the web-tier deployment record.

    For instructions, see Uninstall a Web Tier on Linux and Uninstall a Web Tier on Windows.

  • You must generate a new web tier deployment package. For instructions, see Generate a Web-Tier Deployment Package.

  • Run the Web Tier Installer for your platform. For instructions, see “Installing the Web Tier” in the RSA Authentication Manager Setup and Configuration Guide.

  • On the primary instance, disable and re-enable the virtual host. For instructions, see “Configure a Load Balancer and Virtual Host” in the RSA Authentication Manager Setup and Configuration Guide.

When you deploy Authentication Manager versions earlier than 8.2, a SHA-1 self-signed RSA root certificate is generated. If you added this SHA-1 root certificate to your trusted CA store, then you must replace the SHA-1 root certificate with the new SHA-256 root certificate.
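To confirm that an instance now presents a SHA-256 certificate after the procedure above, and to check whether a root certificate that you added to a trusted CA store before the upgrade is still the SHA-1 one, the following POSIX shell script is an added example; it is not part of the RSA documentation or the product. It relies only on the standard openssl command-line tool. The host and port are assumptions left to the administrator (the page does not say which ports carry which connection), and the two certificate dumps embedded in the script are constructed samples so that the parser can be exercised without a live instance.

```shell
#!/bin/sh
# Added example; not part of the RSA Authentication Manager documentation.
# Tells whether an X.509 certificate is signed with SHA-256 (what the
# upgrade produces) or SHA-1 (what an un-upgraded deployment presents).

# check_sig_alg: reads the text dump produced by `openssl x509 -noout -text`
# on stdin and inspects the first "Signature Algorithm:" line.
# Exit status: 0 = SHA-256 with RSA, 1 = SHA-1 with RSA,
#              2 = no signature line found, 3 = some other algorithm.
check_sig_alg() {
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    case "$alg" in
        "")          return 2 ;;
        sha256With*) return 0 ;;
        sha1With*)   return 1 ;;
        *)           return 3 ;;
    esac
}

# check_server: connects to HOST:PORT, takes the certificate the server
# presents and runs check_sig_alg on it. Which port carries the connection
# you care about is an assumption left to the caller.
check_server() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | check_sig_alg
}

# check_pem_file: the same check for a certificate already on disk, e.g. a
# root certificate exported into a trusted CA store before the upgrade.
check_pem_file() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | check_sig_alg
}

# Constructed, abridged dumps standing in for real openssl output.
SAMPLE_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=RSA root CA
    Signature Algorithm: sha1WithRSAEncryption'

SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=RSA root CA
    Signature Algorithm: sha256WithRSAEncryption'

# describe: human-readable verdict for an exit status from check_sig_alg.
describe() {
    case "$1" in
        0) echo "SHA-256 signature: OK" ;;
        1) echo "SHA-1 signature: certificate still needs replacing" ;;
        2) echo "no signature algorithm found in input" ;;
        *) echo "other signature algorithm: inspect manually" ;;
    esac
}

# Usage: sh verify-sha256.sh HOST PORT   (no arguments: run the samples)
if [ "$#" -eq 2 ]; then
    check_server "$1" "$2"; describe "$?"
else
    printf '%s\n' "$SAMPLE_SHA1"   | check_sig_alg; describe "$?"
    printf '%s\n' "$SAMPLE_SHA256" | check_sig_alg; describe "$?"
fi
```

Run it once against the primary instance and once against each replica after the restart in the procedure; a status of 1 on any instance means that instance was not upgraded or not restarted. Run check_pem_file on the root certificate you distributed earlier to decide whether the trusted CA store entry has to be replaced.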

The following tasks are optional:

  • You can run the utility more than one time. Unique SHA-256 certificates are generated each time you run the utility.

  • To list the available backups, run the utility with the --restore-keystore-backup option:

    ./rsautil manage-ssl-cert --restore-keystore-backup

  • To restore the certificates that are contained in a specific backup file, run the utility with the --restore-keystore-backup option and the --keystore-directory option with the name of the backup file to be restored:

    ./rsautil manage-ssl-cert --restore-keystore-backup --keystore-directory JKS_BACKUP_number

    where number is the uniquely generated value for the backup.

    The utility removes the directory for the certificates that are restored. The current certificates are backed up into the /opt/rsa/am/server/security/JKS_BACKUP_number directory.

    Restore the certificates on the primary instance and each replica instance.

Related Concepts

Console Certificate