SecurID Access Prime: Replacing SAML Response Certificate of a SAML Identity Provider integrated with the Self-Service Portal
3 years ago
Article Number
000067867
Applies To
RSA Product Set:  SecurID Access
RSA Product/Service Type:  SecurID Access Prime
Issue
A SAML identity provider is integrated with SecurID Access Prime and is used to access the Prime Self-Service Portal (SSP). The identity provider is configured to sign the SAML Responses sent to Prime, and the certificate used to validate the SAML Response's signature was changed on the identity provider. Prime needs to be updated with this new certificate so that it is able to validate SAML Responses from the identity provider.
Resolution
  • Obtain the new certificate used to validate the SAML Responses from the identity provider.
  • For each Prime server for which the SAML identity provider is used to access the Self-Service Portal on, do the following:
    1. Copy the new certificate to the Prime server's /tmp directory.
    2. Log into the Prime server as the primekit user.
    3. Navigate to the /opt/rsa/primekit/configs/amis directory.
      • Linux: cd /opt/rsa/primekit/configs/amis
    4. Make a backup copy of the authconfig.xml file in this directory.
      • Linux: cp authconfig.xml authconfig.xml.backup
    5. Edit the authconfig.xml file.
      • Linux: vi authconfig.xml
    6. In the authconfig.xml file, look for the section of text between the <saml> and </saml> tags. This should contain the configuration of the SAML identity provider integrated with Prime. To double check, verify that the URL between the <idpURL> and </idpURL> tags refers to the identity provider from which the new SAML Response certificate was obtained.
    7. Within the <saml> and </saml> tags, note the values between the following tags:
      • <samlJavaKeyStore> and </samlJavaKeyStore> (contains the path to the java keystore that holds the old SAML Response certificate.)
      • <samlJavaKeyStorePassword> and </samlJavaKeyStorePassword> (contains the password for the above keystore.)
    8. Within the same <saml> and </saml> tags, modify the value between the <assertionSignatureValidationCertificateAlias> and </assertionSignatureValidationCertificateAlias> tags so that it is a new unique value. This new value will be used as an alias for the new SAML Response certificate when importing it into the keystore.
    9. Save the updated authconfig.xml file.
    10. Import the new SAML Response certificate into the <samlJavaKeyStore> using the new <assertionSignatureValidationCertificateAlias> value.
      • Linux: /opt/rsa/primekit/java/latest/bin/keytool -import -alias <assertionSignatureValidationCertificateAlias> -file /tmp/<new SAML Response certificate> -keystore <samlJavaKeyStore>
    11. Restart the AMIS service.
      • Linux: service tomcat-amis restart
    12. Restart the SSP service.
      • Linux: service tomcat-ssp restart
    13. Test logging into the Prime SSP using the SAML identity provider.

Related Articles

Trending Articles

Don't see what you're looking for?