Reverting back to the RSA self-signed default certificates on Authentication Manager 8.x
Originally Published: 2014-07-07
Article Number
000051252
Applies To

RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager 
RSA Version/Condition: 8.x

Issue

After installing new console certificates on the Authentication Manager server, the server hangs when rebooting. Running ./rsaserv status all shows that only the RSA Database Server is running; all other services fail to start.

The following errors show in /opt/rsa/am/server/logs/AdminServer.log:

####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000365> <Server state changed to FAILED.>
####<Jul 7, 2020 10:23:40 AM EDT> <Error> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000383> <A critical service failed. The server will shut itself down.>
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020595> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN.>
####<Jul 7, 2020 10:23:40 AM EDT> <Info> <JMX> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020609> <BEA-149513> <JMX Connector Server stopped at service:jmx:iiop://10.46.30.77:7006/jndi/weblogic.management.mbeanservers.domainruntime.>
####<Jul 7, 2020 10:23:40 AM EDT> <Info> <JMX> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020609> <BEA-149513> <JMX Connector Server stopped at service:jmx:iiop://10.46.30.77:7006/jndi/weblogic.management.mbeanservers.edit.>
Caused by: weblogic.management.configuration.ConfigurationException: Identity certificate has expired:
Cause

The RSA self-signed certificates that ship with Authentication Manager 8.x by default have been replaced by other certificates, which have since expired. WebLogic refuses to start the managed services with an expired identity certificate, which is why only the database server comes up.
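The log signature in the Issue section can be checked mechanically. The following is an added example, not part of the RSA article, that parses WebLogic AdminServer.log records in the layout shown above and reports whether a FAILED state transition coincides with the expired identity certificate exception; the sample records are constructed from that excerpt.

```python
"""Added example (not from the RSA article): flag the expired-identity-cert
failure signature in a WebLogic AdminServer.log excerpt.

Assumes the log uses the '####<...> <...> ...' record layout shown in the
article; the sample records below are constructed from that excerpt."""
import re

# One record per line: '####' then angle-bracketed fields. Fields may nest
# one level ('<<WLS Kernel>>'), so match either '<<...>>' or '<...>'.
FIELD_RE = re.compile(r"<<[^<>]*>>|<[^<>]*>")

SAMPLE_LOG = """\
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000365> <Server state changed to FAILED.>
####<Jul 7, 2020 10:23:40 AM EDT> <Error> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020591> <BEA-000383> <A critical service failed. The server will shut itself down.>
####<Jul 7, 2020 10:23:40 AM EDT> <Notice> <WebLogicServer> <eegorsa03> <AdminServer> <WrapperSimpleAppMain> <<WLS Kernel>> <> <> <1404743020595> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN.>
Caused by: weblogic.management.configuration.ConfigurationException: Identity certificate has expired:
"""


def parse_record(line):
    """Return (severity, bea_id, message) for a '####' record, else None."""
    if not line.startswith("####"):
        return None
    fields = [f.strip("<>") for f in FIELD_RE.findall(line)]
    # Layout: date, severity, subsystem, machine, server, thread, user,
    # transaction id, diagnostic context, timestamp, BEA id, message
    if len(fields) < 12:
        return None
    return fields[1], fields[10], fields[11]


def diagnose(log_text):
    """Classify why AdminServer went FAILED.

    Returns 'expired-identity-cert' when the FAILED transition (BEA-000365)
    is accompanied by the ConfigurationException quoted in the article,
    'failed-other' when the server failed for another reason, or 'ok'."""
    failed = False
    cert_expired = False
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec[1] == "BEA-000365" and "FAILED" in rec[2]:
            failed = True
        if "Identity certificate has expired" in line:
            cert_expired = True
    if failed and cert_expired:
        return "expired-identity-cert"
    return "failed-other" if failed else "ok"
```

When the result is expired-identity-cert, the rsautil reset-server-cert procedure in the Resolution section is the fix; failed-other means look for a different critical service in the same log.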

Resolution

To revert to the RSA self-signed certificates:

  1. SSH to the Authentication Manager server as rsaadmin and run the following command:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS user password>
Last login: Wed Jul 15 17:21:28 201 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am87p:~> cd /opt/rsa/am/utils
rsaadmin@am87p:/opt/rsa/am/utils> ./rsautil reset-server-cert
Please enter OC Administrator username:  <enter Operations Console admin user name>
Please enter OC Administrator password: <enter the password for the Operations Console user>
  2. After the certificate is replaced, restart the Authentication Manager services:
rsaadmin@am87p:/opt/rsa/am/utils> cd ../server
rsaadmin@am87p:/opt/rsa/am/server> ./rsaserv restart all
  3. Repeat steps 1 and 2 on all servers.
  4. After reverting to the RSA self-signed certificates, be sure to import the self-signed certificates into the trusted root authority store. Missing this step will cause authentication to fail.
  • For RSA Authentication Manager Security Console (Self-Signed Root CA):
    1. Export the Self-Signed Root CA Certificate:
      1. Open your browser and navigate to the RSA Authentication Manager Security Console (e.g., https://<rsa am server host>:7004/console-ims).
      2. Click the Not Secure area in the browser’s address bar.
      3. View the certificate details and locate the RSA self-signed Root CA certificate.
      4. Export the certificate as a .cer or .crt file (Base-64 encoded is recommended).
    2. Import the Certificate to Trusted Root Authorities:

      1. On your system, launch the Certificate Manager (certmgr.msc).
      2. Go to Trusted Root Certification Authorities.
      3. Right-click, select All Tasks > Import, and follow the wizard to import the .cer or .crt file you exported.
      4. Complete the wizard to add the certificate to the trusted root store.

      For domain-wide trust, use Group Policy (secpol.msc) to distribute the certificate to all systems as a trusted root CA.

  • For RSA RADIUS Servers (DER Format):
    1. Log in to the Operations Console on the Authentication Manager primary instance.
    2. Go to Deployment Configuration > RADIUS Servers.
    3. Select the RADIUS server and click Manage EAP Certificates.
    4. In the Trusted Root Certificates tab, click Browse to select your self-signed certificate (must be in DER format, with a .der extension).
    5. Click Add to add the certificate to the server.
    6. Click Done when finished.

Trusted root certificates added on the primary instance are replicated to all RSA RADIUS servers in the deployment.

Notes

A user's browser might block displaying pages for the Security Console and/or Operations Console, so try a different browser or private browsing. If neither is possible, test access with a curl command:

curl -k http://<rsa am server host>:7072/operations-console

Output may be similar to what is shown below: 

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://<am88_server_net>:7072/operations-console/Index.jsp">https://<am88_server_net>:7072/operations-console/Index.jsp</a>.</p> </body></html>