Users are unable to authenticate to external Self-Service Portal (SSP) after RSA Authentication Manager Integration Service certificate change for RSA Authentication Manager Prime Kit
Originally Published: 2020-06-08
Article Number
000044613
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager, Authentication Manager Prime
Platform: Linux
Issue
After a certificate change for the RSA Authentication Manager Integration Service, users get an authentication failure when trying to log in to an external Self-Service Portal. The ssp_daily.log shows the following error:
2020-06-09T00:06:37,363+0200,com.rsa.pso.selfservice.web.LoginActionBean,62,
ERROR,Exception: auth /com.rsa.pso.services.ServiceException: 
com.rsa.pso.services.ServiceException: 
org.springframework.web.client.ResourceAccessException: 
I/O error on GET request for "https://prime.testlab.com:8443/rsa-endpoints/endpoints":
sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target; 
nested exception is javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
Cause
The URL in the error is the AMIS URL. The external SSP connects to AMIS over a TLS-encrypted connection in order to perform user authentication. The new AMIS certificate (or the CA certificate that issued it) is not in the external SSP truststore.jks, so the SSP cannot build a trust path to the certificate AMIS presents. It aborts the TLS handshake, and the authentication fails.
Resolution
Add the new AMIS server certificate, or the root CA certificate that issued it, to the external SSP truststore.jks.
  1. Log in to the external SSP server.
  2. Run the following command against the server FQDN and port reported in the error to retrieve the certificate chain the server presents:
# openssl s_client -connect prime.testlab.com:8443 -showcerts
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=EG/ST=EG/L=Cairo/O=RSA/OU=RSA/CN=prime.testlab.com
   i:/C=EG/ST=EG/L=Cairo/O=RSA/OU=RSA/CN=prime.testlab.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=EG/ST=EG/L=Cairo/O=RSA/OU=RSA/CN=prime.testlab.com
issuer=/C=EG/ST=EG/L=Cairo/O=RSA/OU=RSA/CN=prime.testlab.com
---
  3. Create a new certificate file:
touch /tmp/amis.cer
  4. Open the new /tmp/amis.cer in a text editor and copy the certificate to trust, from the BEGIN line through the END line, into that file. Use the AMIS server certificate or, if the chain contains one, the root CA certificate (the last certificate listed). In the output above the subject and issuer are identical, so the chain consists of a single self-signed server certificate:
-----BEGIN CERTIFICATE-----
MIIDZTCCAk2gAwIBAgIEc3QN9DANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJF
RzELMAkGA1UECBMCRUcxDjAMBgNVBAcTBUNhaXJvMQwwCgYDVQQKEwNSU0ExDDAK
BgNVBAsTA1JTQTEbMBkGA1UEAxMScHJpbWUuc2FiZXJsYWIuY29tMB4XDTE5MDQw
NTA4MzUxMVoXDTE5MDcwNDA4MzUxMVowYzELMAkGA1UEBhMCRUcxCzAJBgNVBAgT
AkVHMQ4wDAYDVQQHEwVDYWlybzEMMAoGA1UEChMDUlNBMQwwCgYDVQQLEwNSU0Ex
GzAZBgNVBAMTEnByaW1lLnNhYmVybGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJ9wm2Qo9lsQ4CCu5pb9OJZjgCEQztmmjs80mMjPD8boVrZ5
GQOVQNjBIqXCGTUHi/SfCzDkCU7P71zn70/iZm1EbxelnuFJxaulVilsabQRjwXq
jNdMDntKpKmZaYI5nPBh5IdDAbUCpZaYt2Lj4RT8ABPeTrDoHmz2tTPBnc93olHl
eZCU2KqFtLouVT7QSxOdp/rduNwApOoYEH/Gk/LF5olFSRXke2y/QmOnjDNEsC3/
6KtmvFDVa/028xrT0MJoLNF8rAFGPWd7m9V0nVWZ4I2uCWdQc5KCwoIA9QTNxoFG
pvG0bxAz/WPHfIUav2tmM7O/xluWYttt8AUPhh8CAwEAAaMhMB8wHQYDVR0OBBYE
FMBZNx5egr02A7sHMHjzqoXjoVZ1MA0GCSqGSIb3DQEBCwUAA4IBAQCADyU+BKvL
Clbg0Ht9EZ1W7wFBdV1Hw/JDyi+ZHHYdd8ZQZJcxLEoeVl2N/jbRgTh5DLQnsqu8
kAWmrE/vEroSSwRUykOv4sarMfqvkmTUB1PRDHRbEWA+1cjjt5cwMWsP48OgUUSm
ykFV7xxuc32i8M93+VuL03tK2/iRStBvtNHIU1hgmFIg3f8XBQO9fh41Z3CbK0yq
A+Ts5EsxLNutV+RW3EWZq6jP1+FUcJre6Tgzbb4QVJrtlYg4UDWeXHae/4nQihH0
IjPiyFdwBeXje6rF6yUNOc1WAWL4LgOnfn/iXQD0Jegj60YE2JPQFNVviXLutCY0
mJt4E6qu/qer
-----END CERTIFICATE-----
  5. Import the certificate into the truststore.jks. Enter the keystore password when prompted. If the alias amis already holds the previous AMIS certificate, keytool refuses the import; delete the old entry first with keytool -delete -alias amis or choose a new alias.
/opt/rsa/primekit/java/latest/bin/keytool -import -alias amis \
-file /tmp/amis.cer -keystore /opt/rsa/primekit/certificates/truststore.jks
Enter keystore password: <Enter keystore password>
  6. When prompted to trust the certificate, type yes and press Enter.
Trust this certificate? [no]:  yes
Certificate was added to keystore
  7. Restart the external SSP service:
service tomcat-ssp restart
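The steps above, collected into one script as an added example that is not part of the RSA article. It fetches the chain AMIS presents, shows the issuer, validity and SHA-256 fingerprint of the certificate that is about to be trusted (compare that fingerprint with the one on the AMIS server rather than trusting whatever the network returns), proves with openssl verify that the chosen anchor validates the server certificate, and only then imports it. The install directory, truststore path, keytool location and the host and port from the error message are assumptions taken from the article; override them with the environment variables at the top. SAMPLE_CHAIN is a constructed copy of the article's s_client output, embedded so the PEM splitting can be exercised without network access.

```shell
#!/bin/sh
# Added example, not part of the RSA article: automate the resolution above.
# Assumptions (adjust for your environment): the Prime Kit install directory
# and truststore path follow the article; AMIS_HOST/AMIS_PORT default to the
# values from the error message; keytool prompts for the keystore password.
set -eu

AMIS_HOST="${AMIS_HOST:-prime.testlab.com}"
AMIS_PORT="${AMIS_PORT:-8443}"
PRIMEKIT="${PRIMEKIT:-/opt/rsa/primekit}"
KEYTOOL="$PRIMEKIT/java/latest/bin/keytool"
TRUSTSTORE="$PRIMEKIT/certificates/truststore.jks"
ALIAS="${ALIAS:-amis}"

# Split "openssl s_client -showcerts" output (stdin) into one PEM file per
# certificate, $1/cert-0.pem (leaf), cert-1.pem, ... in chain order, and
# print how many certificates were found.
split_pem_chain() {
    awk -v dir="$1" '
        BEGIN { n = 0; inblk = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; inblk = 1 }
        inblk { print > f }
        /-----END CERTIFICATE-----/ { if (inblk) { close(f); n++ }; inblk = 0 }
        END { print n }'
}

# Fetch the chain AMIS presents. </dev/null makes s_client exit instead of
# waiting for keyboard input; -servername matters if the host relies on SNI.
fetch_chain() {
    openssl s_client -connect "$AMIS_HOST:$AMIS_PORT" -servername "$AMIS_HOST" \
        -showcerts </dev/null 2>/dev/null
}

# Show who issued a certificate, when it expires and its SHA-256 fingerprint,
# so it can be compared with the certificate on the AMIS server before trusting it.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client output, built from the article's example
# certificate; used to exercise split_pem_chain without network access.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=EG/ST=EG/L=Cairo/O=RSA/OU=RSA/CN=prime.testlab.com
   i:/C=EG/ST=EG/L=Cairo/O=RSA/OU=RSA/CN=prime.testlab.com
-----BEGIN CERTIFICATE-----
MIIDZTCCAk2gAwIBAgIEc3QN9DANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJF
RzELMAkGA1UECBMCRUcxDjAMBgNVBAcTBUNhaXJvMQwwCgYDVQQKEwNSU0ExDDAK
BgNVBAsTA1JTQTEbMBkGA1UEAxMScHJpbWUuc2FiZXJsYWIuY29tMB4XDTE5MDQw
NTA4MzUxMVoXDTE5MDcwNDA4MzUxMVowYzELMAkGA1UEBhMCRUcxCzAJBgNVBAgT
AkVHMQ4wDAYDVQQHEwVDYWlybzEMMAoGA1UEChMDUlNBMQwwCgYDVQQLEwNSU0Ex
GzAZBgNVBAMTEnByaW1lLnNhYmVybGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJ9wm2Qo9lsQ4CCu5pb9OJZjgCEQztmmjs80mMjPD8boVrZ5
GQOVQNjBIqXCGTUHi/SfCzDkCU7P71zn70/iZm1EbxelnuFJxaulVilsabQRjwXq
jNdMDntKpKmZaYI5nPBh5IdDAbUCpZaYt2Lj4RT8ABPeTrDoHmz2tTPBnc93olHl
eZCU2KqFtLouVT7QSxOdp/rduNwApOoYEH/Gk/LF5olFSRXke2y/QmOnjDNEsC3/
6KtmvFDVa/028xrT0MJoLNF8rAFGPWd7m9V0nVWZ4I2uCWdQc5KCwoIA9QTNxoFG
pvG0bxAz/WPHfIUav2tmM7O/xluWYttt8AUPhh8CAwEAAaMhMB8wHQYDVR0OBBYE
FMBZNx5egr02A7sHMHjzqoXjoVZ1MA0GCSqGSIb3DQEBCwUAA4IBAQCADyU+BKvL
Clbg0Ht9EZ1W7wFBdV1Hw/JDyi+ZHHYdd8ZQZJcxLEoeVl2N/jbRgTh5DLQnsqu8
kAWmrE/vEroSSwRUykOv4sarMfqvkmTUB1PRDHRbEWA+1cjjt5cwMWsP48OgUUSm
ykFV7xxuc32i8M93+VuL03tK2/iRStBvtNHIU1hgmFIg3f8XBQO9fh41Z3CbK0yq
A+Ts5EsxLNutV+RW3EWZq6jP1+FUcJre6Tgzbb4QVJrtlYg4UDWeXHae/4nQihH0
IjPiyFdwBeXje6rF6yUNOc1WAWL4LgOnfn/iXQD0Jegj60YE2JPQFNVviXLutCY0
mJt4E6qu/qer
-----END CERTIFICATE-----
---
Server certificate'

main() {
    workdir=$(mktemp -d)
    n=$(fetch_chain | split_pem_chain "$workdir")
    [ "$n" -gt 0 ] || { echo "no certificate received from $AMIS_HOST:$AMIS_PORT" >&2; exit 1; }
    # Trust the last certificate in the chain: the root CA, or the server
    # certificate itself when it is self-signed (n = 1, as in the article).
    anchor="$workdir/cert-$((n - 1)).pem"
    echo "$AMIS_HOST:$AMIS_PORT sent $n certificate(s); trust anchor:"
    describe_cert "$anchor"
    # Prove the chosen anchor really validates the leaf before importing it.
    cat "$workdir"/cert-*.pem > "$workdir/chain.pem"
    openssl verify -CAfile "$anchor" -untrusted "$workdir/chain.pem" "$workdir/cert-0.pem"
    printf 'Fingerprint matches the AMIS server? Import into %s as %s [y/N] ' "$TRUSTSTORE" "$ALIAS"
    read -r answer
    [ "$answer" = y ] || { rm -rf "$workdir"; exit 1; }
    # keytool refuses to import when the alias already holds the old
    # certificate, so drop it first (the error is ignored if it does not exist).
    "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" 2>/dev/null || true
    "$KEYTOOL" -importcert -noprompt -alias "$ALIAS" -file "$anchor" -keystore "$TRUSTSTORE"
    "$KEYTOOL" -list -alias "$ALIAS" -keystore "$TRUSTSTORE"
    rm -rf "$workdir"
    echo "Now restart the external SSP service (e.g. service tomcat-ssp restart)."
}

case "${1:-}" in
    import) main ;;
esac
```

Run it on the external SSP server as sh amis-trust.sh import; without the import argument it only defines the functions, so it can be sourced to try split_pem_chain on SAMPLE_CHAIN. The article's own s_client command works the same way but blocks until you close its stdin, which is why the script redirects from /dev/null. Because the example certificate is self-signed with a short validity (the decoded notBefore/notAfter in the sample are about three months apart), expect to repeat this procedure at every AMIS certificate renewal.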
Notes
  • The RSA Authentication Manager Prime Kit installation directory differs from one environment to another, and the administrator should know where it is installed. The subdirectory and file names under it do not change.
  • The steps to restart the service also differ from one environment to another. The administrator should know how to restart the external SSP service in their environment.