RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 and later
Quick Setup generates internal SHA-256 certificates by default for communication between RSA Authentication Manager 8.2 components, such as primary and replica instances and the web tier.
The SHA-256 digital certificates use the “SHA256withRSA” digital signature algorithm. If an Authentication Manager server was originally deployed before version 8.2, upgrading to RSA Authentication Manager 8.2 does not replace the internal SHA-1 certificates that earlier versions of Authentication Manager used.
If your organization has policies that require you to use SHA-256 certificates for all network connections, you can run a command-line utility that upgrades the internal certificates to SHA-256.
To upgrade the certificates, you must run the utility on the primary instance and each replica instance.
If your deployment includes a web tier, you must re-install the web tier and re-enable the virtual host.
You must generate and distribute new configuration files to any IPv4/IPv6 authentication agents, and to any custom agents built with RSA Authentication Agent API 8.5 or later for C or RSA Authentication Agent API 8.5 or later for Java.
You might also need to add the new certificates to the list of trusted CAs for your web browser and to any Authentication Manager administrative SDK connections, including the connections from AM Prime (aka AMIS) to AM.
• You must be an Operations Console Administrator.
• Obtain the rsaadmin operating system password for the primary instance and each replica instance.
• Secure shell (SSH) must be enabled on every appliance in your deployment.
Procedure:
1. Launch the SSH client, and connect to the primary instance using the IP address or fully qualified hostname.
2. When prompted, type the operating system User ID, rsaadmin, and press ENTER.
3. When prompted, type the password for the rsaadmin operating system account, and press ENTER.
4. Change directories to /opt/rsa/am/utils. Type:
cd /opt/rsa/am/utils/
and press ENTER.
5. Run manage-ssl-cert to upgrade the certificates to SHA-256. Type:
./rsautil manage-ssl-cert --regen-internal-ca
6. When prompted, enter your Operations Console administrator User ID, and press ENTER.
7. When prompted, enter your Operations Console administrator password, and press ENTER.
When the internal certificates have been upgraded to SHA-256, the following message appears:
Created backup of current keystores at:
/opt/rsa/am/server/security/JKS_BACKUP_number
Customer-provided SSL certificates were retained.
Created primary keystore ZIP: primary-keystores.zip
Command completed successfully.
where number is a uniquely generated value.
8. Copy the primary-keystores.zip file to the /opt/rsa/am/utils directory on each replica instance in your deployment. For example, use Secure FTP.
9. Restart the primary instance for the changes to take effect. Do the following:
a. Change the directory. Type cd /opt/rsa/am/server and press ENTER.
b. Type ./rsaserv restart all and press ENTER.
10. On the primary instance, close the SSH client. Type exit and press ENTER.
11. You must now upgrade the certificates on each replica instance. Launch the SSH client, and connect to the replica instance using the IP address or fully qualified hostname.
12. When prompted, type the operating system User ID, rsaadmin, and press ENTER.
13. When prompted, type the password for the rsaadmin operating system account, and press ENTER.
14. Change directories to /opt/rsa/am/utils. Type:
cd /opt/rsa/am/utils/
and press ENTER.
15. Run manage-ssl-cert to upgrade the certificates to SHA-256. On a replica instance this command takes the --keystore-zip option, which passes the name of the primary-keystores.zip file copied from the primary instance. Type:
./rsautil manage-ssl-cert --regen-internal-ca --keystore-zip primary-keystores.zip
16. When prompted, enter your Operations Console administrator User ID, and press ENTER.
17. When prompted, enter your Operations Console administrator password, and press ENTER.
When the internal certificates have been upgraded to SHA-256, the following message appears:
Created backup of current keystores at:
/opt/rsa/am/server/security/JKS_BACKUP_number
Command completed successfully.
where number is a uniquely generated value.
18. Restart the replica instance for the changes to take effect. Do the following:
a. Change the directory. Type cd /opt/rsa/am/server and press ENTER.
b. Type ./rsaserv restart all and press ENTER.
19. On the replica instance, close the SSH client. Type exit and press ENTER.
20. Repeat step 11 through step 19 for each replica instance.
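After the utility has been run on the primary and every replica, an administrator will want to confirm that each instance actually presents a certificate signed with SHA256withRSA rather than the old SHA-1 chain. The script below is an added example, not part of the RSA article or the product; it assumes openssl is installed where it runs, and the host names and ports are whatever your deployment exposes (placeholders here, not values from the article).

```shell
#!/bin/sh
# Added example (not RSA's own code): report the signature algorithm of the
# certificate a TLS endpoint presents, so that an administrator can verify the
# internal certificates are SHA-256 after running manage-ssl-cert.
# Assumes: openssl on the PATH; host/port supplied by the caller (placeholders).

# Print the signature algorithm of the PEM certificate on stdin,
# e.g. "sha256WithRSAEncryption" or "sha1WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 if the PEM certificate on stdin is signed with SHA-256 or stronger,
# 1 if it still uses SHA-1, MD5, or cannot be parsed at all.
is_sha2_signed() {
    case "$(cert_sig_alg)" in
        sha256*|sha384*|sha512*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Fetch the leaf certificate from host:port over TLS and report its status.
# Prints "host:port OK <alg>" or "host:port WEAK <alg>"; returns 2 if the
# endpoint could not be reached or returned no certificate.
check_endpoint() {
    host="$1"; port="$2"
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
              </dev/null 2>/dev/null | openssl x509 2>/dev/null) || return 2
    alg=$(printf '%s\n' "$pem" | cert_sig_alg)
    if printf '%s\n' "$pem" | is_sha2_signed; then
        printf '%s:%s OK %s\n' "$host" "$port" "$alg"
    else
        printf '%s:%s WEAK %s\n' "$host" "$port" "${alg:-unreadable}"
    fi
}

# Usage: ./check-sigalg.sh primary.example.com:PORT replica1.example.com:PORT
# (placeholder names; substitute your instances and the ports they listen on).
for target in "$@"; do
    check_endpoint "${target%%:*}" "${target##*:}"
done
```

Run it against the primary and each replica after the restarts in steps 9 and 18; any endpoint reported WEAK still serves a certificate that was not regenerated.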
See the product documentation, including TLS12UpdateGuide.pdf.