By default the Authentication Manager 8.1 SP1 self-signed console certificate can be replaced, but the Operations Console interface only requests certificates signed with SHA-1 and does not accept SHA-256 or SHA-512 certificates. This is because only SHA-1 certificates were tested and confirmed to work with cross-realm/trusted-realm connections, as well as with all devices that import software tokens via CT-KIP.
If your deployment does not use trusted realms and every device that imports software tokens with CT-KIP can handle SHA-256, you may try this unsupported workaround to use a SHA-256 console certificate. Authentication Manager 8.2 may include this as a supported option.
- This solution will most likely break any cross realm or trusted realm connection to another Authentication Manager primary, and may break some CT-KIP delivery of software tokens to older devices that do not support SHA-256 certificates.
- Be sure to confirm that RADIUS authentication is working after importing the SHA-256 certificate.
Optionally, use Keytool to view these console certificates. Steps are as follows:
- SSH to the Authentication Manager 8.1 SP1 primary or replica on which you are replacing the certificate.
- Log in with the rsaadmin operating system account.
- Navigate to /opt/rsa/am/utils.
- Obtain the SSL Server Identity Certificate Keystore File Password with the command below, entering the Operations Console administrator credentials when prompted. In the sample session below, the SSL Server Identity Certificate Keystore File Password for this server is the value on the line of that name.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Jan 25 14:54:39 2017 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a list com.rsa.signing.key
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_6hbts4ws
Command API Client User Password ......................: AZxs8HRh3uxoyyE5do4wUoSTHkET9H
SSL Server Identity Certificate Private Key Password ..: iGegdeO9ev1XG0Y10gIzaAeiLaXY5g
SSL Server Identity Certificate Keystore File Password : MA8eMBMiDSWz6ApxEDLC2oeKWBhtZh
Root Certificate Private Key Password .................: fEJua8xHwn4eEJrRpX5Fpeab5vOTEc
Root Certificate Keystore File Password ...............: odXmoFy4f0vseDhQaD9ZddZYcQqkE2
The "listkeys" action displays the key names to use when setting the values.
rsaadmin@am81p:/opt/rsa/am/utils>
- Using Keytool, view the certificates in the SSL Server Identity Certificate Keystore by alias with the command below. Enter the SSL Server Identity Certificate Keystore File Password captured above when prompted.
rsaadmin@am81p:/opt/rsa/am/utils> ../appserver/jdk/jre/bin/keytool -list -keystore /opt/rsa/am/server/security/webserver-inactive.jks
Enter keystore password: <enter SSL Server Identity Certificate Keystore File Password captured above>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
vm1152015, Apr 9, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): AA:6E:3E:12:2D:52:18:0C:9E:F9:BD:93:4C:B9:F2:38
rsa am internal ca, Aug 28, 2014, trustedCertEntry,
Certificate fingerprint (MD5): B8:63:B7:79:1B:45:D4:30:07:5F:47:0D:BC:B3:94:E7
rsa am default server cert, Aug 28, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 16:0C:E8:DB:62:BE:83:53:CF:75:55:F1:02:E5:2E:57
rsaadmin@am81p:/opt/rsa/am/utils>
- In the output above, the new alias for the pending CSR is vm1152015, which matches the Operations Console image in step 2 of the Resolution.
Note that keytool also has -delete and -export options in addition to -list (-delete removes an entry from the keystore), so be careful when typing.
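The -list output shown above identifies entries only by alias and MD5 fingerprint; it does not say whether a certificate is signed with SHA-1 or SHA-256, which is the whole point of this workaround. The following script is an added example and is not part of the RSA knowledge base article or of the product. It parses the two command outputs the procedure relies on: it pulls the SSL Server Identity Certificate Keystore File Password out of the manage-secrets listing, and it reads verbose keytool output (keytool -list -v, which the bundled JDK supports and which prints a "Signature algorithm name" line per certificate) to report the signature algorithm of each alias and flag SHA-1 or MD5 signatures. The sample outputs embedded in the script are constructed; the passwords in them are placeholders, and the hostnames and serial numbers are invented.

```sh
#!/bin/sh
# Added example, not from the RSA KB article or the product. Assumes the
# label/value layout of `rsautil manage-secrets -a list` shown in the article
# and the `keytool -list -v` layout of the bundled JDK. All sample output in
# this file is constructed; passwords are placeholders.

# Print the SSL Server Identity Certificate Keystore File Password from
# `./rsautil manage-secrets -a list com.rsa.signing.key` output read on stdin.
# Only the "Keystore File Password" line is matched, not the private-key line.
keystore_password_from_secrets() {
    awk -F': ' '/^SSL Server Identity Certificate Keystore File Password/ { print $NF }'
}

# Read `keytool -list -v` output on stdin and print one line per alias for its
# leaf certificate (Certificate[1]): "<alias>|<signature algorithm>|<OK|WEAK>".
# SHA-1 and MD5 signatures are flagged WEAK; a SHA-2 family signature is OK.
check_signature_algorithms() {
    awk '
        /^Alias name: / { sub(/^Alias name: /, ""); alias = $0; reported = 0 }
        /^Signature algorithm name: / && !reported {
            sub(/^Signature algorithm name: /, ""); algo = $0
            sub(/ \(.*\)$/, "", algo)   # drop any trailing annotation some keytool versions add
            verdict = (algo ~ /^(SHA1|MD5)/) ? "WEAK" : "OK"
            print alias "|" algo "|" verdict
            reported = 1
        }
    '
}

# Count WEAK lines in a check_signature_algorithms report; 0 means every leaf
# certificate in the keystore carries a SHA-2 family signature.
weak_entry_count() {
    grep -c '|WEAK$' || true
}

# Constructed stand-in for the manage-secrets listing (placeholder values).
sample_secrets_output() {
    cat <<'EOF'
Secrets stored in ./etc/systemfields.properties.
Command API Client User ID ............................: CmdClient_example
Command API Client User Password ......................: PLACEHOLDERcmdClientPassword
SSL Server Identity Certificate Private Key Password ..: PLACEHOLDERprivateKeyPassword
SSL Server Identity Certificate Keystore File Password : PLACEHOLDERkeystoreFilePassword
Root Certificate Private Key Password .................: PLACEHOLDERrootKeyPassword
Root Certificate Keystore File Password ...............: PLACEHOLDERrootKeystorePassword
EOF
}

# Constructed stand-in for `keytool -list -v` output: one pending SHA-256
# certificate and the SHA-1 default server certificate with a two-entry chain.
sample_keytool_output() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: vm1152015
Creation date: Apr 9, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=am81p.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 1a2b3c4d
Signature algorithm name: SHA256withRSA
Version: 3

*******************************************

Alias name: rsa am default server cert
Creation date: Aug 28, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=am81p.example.test, OU=Authentication Manager
Issuer: CN=RSA AM Internal CA
Serial number: 5e6f7a8b
Signature algorithm name: SHA1withRSA
Version: 3
Certificate[2]:
Owner: CN=RSA AM Internal CA
Issuer: CN=RSA AM Internal CA
Signature algorithm name: SHA1withRSA
Version: 3
EOF
}

# Demonstration on the constructed samples. On the appliance, feed the real
# commands instead, for example:
#   ../appserver/jdk/jre/bin/keytool -list -v \
#       -keystore /opt/rsa/am/server/security/webserver-inactive.jks | check_signature_algorithms
sample_keytool_output | check_signature_algorithms
```

Run the report before activating the pending certificate and again afterwards: the alias named in step 2 of the Resolution should show SHA256withRSA, and the weak count tells you at a glance whether a SHA-1 entry is still in the keystore. Since -list -v prompts for the keystore password, the value extracted by keystore_password_from_secrets is what you type at that prompt; keep it out of shell history and scripts stored on disk.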