Upgrading the RSA Authentication Agent for Windows certificates to SHA-256 for offline authentication and agent auto-registration
Originally Published: 2023-01-13
Article Number
000068060
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Microsoft Windows, Authentication Manager
RSA Version/Condition: 7.4.x, 8.6 or above 
Issue
Offline authentication and agent auto-registration use different certificates from the internal ones used by Authentication Manager; therefore, the solution in the article Upgrade Internal Authentication Manager Certificates to SHA-256 does not help here. Ports 5580/TCP and 5550/TCP use legacy files (sdti.cer, server.cer and server.key) that are shipped inside the license files.
Resolution
Once the new license zip file is available, follow the steps below to upgrade the certificates.

Prerequisites

  • If you do not have copies of your Authentication Manager license files, request them by opening a case with the Customer Asset Management (CAM) team. Select CAM when presented with the case types.
  • Take a backup of the Authentication Manager database through the Operations Console (Maintenance > Backup > Backup Now). If this is a virtual server, it is also recommended to take a snapshot prior to the change.

  1. Unzip the contents of license.zip.
  2. Using WinSCP or a similar SCP client, copy the files to /home/admin on the Authentication Manager primary server.
  3. Using PuTTY or a similar SSH client, connect to the Authentication Manager primary using the rsaadmin user name and the operating system password.
  4. Navigate to /opt/rsa/am/utils and run the following command:
rsaadmin@primary:/opt/rsa/am> cd /opt/rsa/am/utils
rsaadmin@primary:/opt/rsa/am/utils> ./rsautil install-am-keystore -a <Ops Console administrator name> -w <Ops Console administrator password> -l ~/. -r
Server certificate, key and SDTI certificate are installed successfully.

For example:
./rsautil install-am-keystore -a ocadmin -w support1! -l ~/. -r
Server certificate, key and SDTI certificate are installed successfully.
  5. Restart all Authentication Manager services:
/opt/rsa/am/server/rsaserv restart all
  6. Once all services are running again, the certificates have been upgraded.
  7. Log into the Security Console.
  8. Download the agent's new server.cer file from the Security Console (Access > Authentication Agents > Download Server Certificate File > Download Now).
  9. Verify that the new certificate is using SHA-256.
  10. Repeat steps 2 through 9 for all replicas.
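Added example for step 9 (not from the article or from RSA): a stdlib-only Python check that reads a server.cer in PEM or DER form and reports its signature algorithm by walking the outer X.509 DER structure (Certificate = SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }). The bytes returned by constructed_sample are a constructed stand-in with only the outer layout of a real certificate; openssl x509 -in server.cer -noout -text shows the same "Signature Algorithm" field.

```python
import base64
import re
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # DER content of ...1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # DER content of ...1.1.11

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OID content bytes into dotted notation (first byte packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_bytes):
    # Accept PEM (base64 between BEGIN/END lines) or raw DER
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert_bytes, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert_bytes
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER/PEM X.509 certificate")
    pos = _read_tlv(cert, 0)[2]             # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg_id, 0)        # its first element is the algorithm OID
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)     # unknown OIDs come back in dotted form

def _der(tag, content):
    # Encode one DER TLV, using a 2-byte long-form length when needed
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    return bytes([tag, 0x82]) + len(content).to_bytes(2, "big") + content

def constructed_sample(oid_der, pem=False):
    """CONSTRUCTED stand-in for server.cer: only the outer X.509 layout is real."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                 # tbsCertificate stub
    alg = _der(0x30, _der(0x06, oid_der) + b"\x05\x00")   # AlgorithmIdentifier {OID, NULL}
    sig = _der(0x03, b"\x00" + b"\xAB" * 200)             # fake BIT STRING signature
    der = _der(0x30, tbs + alg + sig)
    return der if not pem else b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

On the agent host, signature_algorithm(open("server.cer", "rb").read()) should return sha256WithRSAEncryption after the upgrade; sha1WithRSAEncryption means the old file is still in place.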
Notes
  • Subsequent auto-registration attempts might fail because the old SHA-1 server.cer is still present on the agent. To resolve this:
    1. Download the new server.cer file and copy it to C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility.
    2. Restart RSA Authentication Agent Auto-Registration from Windows Services on the Windows machine hosting the RSA Authentication Agent.