RSA token certificate use
The Rivest Shamir Adleman (RSA) token uses certificates in a similar way that SSL uses them. However, the trust established for SSL and RSA are different, and RSA certificates should not use SSL certificates and vice versa. The SSL certificates can be used by pure clients, and when used for the RSA mechanism would allow the client to send an RSA token to the server. The RSA token authentication mechanism is purely for server-to-server requests and should not be used by pure clients. The way to prevent this is to control the certificates used by RSA in such as a way so they are never distributed to any clients. There is a different root certificate for RSA that prevents trust being established with clients who only need SSL certificates.
RSA root certificate
For each profile there is a root certificate stored in the rsatoken-root-key.p12 keystore. The sole purpose of this RSA root certificate is to sign the RSA personal certificate which is stored in the rsatoken-key.p12 keystore. The RSA root certificate has a default lifetime of 15 years. The signer from the RSA root certificate is shared with other processes to establish trust. The keytool utility is available using the QShell Interpreter. Using the keytool utility, we can list the contents of these keystores and display the keyEntry (personal certificate). The example below illustrated how this is accomplished for the rsatoken-root-key.p12 (RSA root certificate) and rsatoken-key.p12 (RSA personal certificate).
${profile_root}\config\cells\${cellname}\nodes\${nodename}> keytool -list -v -keystore rsatoken-root-key.p12 –storepass WebAS -storetype PKCS12Alias name: root Entry type: keyEntry Certificate[1]: Owner: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Issuer: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Serial number: 3474fccaf789d Valid from: 11/12/07 2:50 PM until: 11/7/27 2:50 PM Certificate fingerprints: MD5: 7E:E6:C7:E8:40:4E:9B:96:5A:66:E5:0B:37:0B:08:FD SHA1: 36:94:81:55:C4:48:83:27:89:C7:16:D2:AD:3D:3E:67:DF:1D:6E:87 ${profile_root}\config\cells\${cellname}\nodes\${nodename}> keytool -list -v -keystore rsatoken-key.p12 –storepass WebAS -storetype PKCS12
Alias name: default Entry type: keyEntry Certificate[1]: Owner: CN=9.41.62.64, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Issuer: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Serial number: 3475073488921 Valid from: 11/12/07 2:50 PM until: 11/11/08 2:50 PM Certificate fingerprints: MD5: FF:1C:42:E3:DA:FF:DC:A4:35:B2:33:30:D1:6E:E0:19 SHA1: A4:FB:9D:7B:A1:5B:6A:37:9F:20:BD:B2:BD:98:FA:68:71:57:28:62 Certificate[2]: Owner: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Issuer: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode 04, O=IBM, C=US Serial number: 3474fccaf789d Valid from: 11/12/07 2:50 PM until: 11/7/27 2:50 PM Certificate fingerprints: MD5: 7E:E6:C7:E8:40:4E:9B:96:5A:66:E5:0B:37:0B:08:FD SHA1: 36:94:81:55:C4:48:83:27:89:C7:16:D2:AD:3D:3E:67:DF:1D:6E:87
The purpose of the RSA personal certificate is to sign and encrypt information in the RSA token. The RSA personal certificate has a default lifetime of one year because it is used to sign and encrypt data that is transmitted over the wire. Refreshing the certificate is performed by the certificate expiration monitor, which is used for any other certificate in the system including SSL certificates.
RSA token trust is established when the rsatoken-trust.p12 of the target process contains the signer of the root certificate of the client process that sends a token. Inside the RSA token is the public certificate of the client, which must be validated at the target before being used to decrypt data. The validation of the client’s public certificate is performed using the CertPath APIs, which use the rsatoken-trust.p12 as the source of certificates used during the validation.
The following example shows the use of the keytool utility to list the rsatoken-trust.p12 keystore.
This trust store contains three trustedCertEntry (public certificate) entries. The root public certificate from the administrative agent, a root public certificate from a job manager to which it is registered, and a root public certificate from a base profile to which it is registered.
${profile_root}\config\cells\${cellname}\nodes\${nodename}> keytool -list -v -keystore rsatoken-trust.p12 –storepass WebAS -storetype PKCS12Alias name: root Entry type: trustedCertEntry
Owner: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Issuer: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60AACell04, OU=BIRKT60AANode04, O=IBM, C=US Serial number: 3474fccaf789d Valid from: 11/12/07 2:50 PM until: 11/7/27 2:50 PM Certificate fingerprints: MD5: 7E:E6:C7:E8:40:4E:9B:96:5A:66:E5:0B:37:0B:08:FD SHA1: 36:94:81:55:C4:48:83:27:89:C7:16:D2:AD:3D:3E:67:DF:1D:6E:87 ******************************************* Alias name: cn=9.41.62.64, ou=root certificate, ou=birkt60jobmgrcell02, ou=birkt 60jobmgr02, o=ibm, c=us Entry type: trustedCertEntry
Owner: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60JobMgrCell02, OU=BIRKT60JobMgr02, O=IBM, C=US Issuer: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60JobMgrCell02, OU=BIRKT60JobMgr02, O=IBM, C=US Serial number: 34cc4c5d71740 Valid from: 11/12/07 4:30 PM until: 11/7/27 4:30 PM Certificate fingerprints: MD5: AB:65:3A:04:5B:C7:6D:A8:B1:98:B9:7B:65:A8:FA:F8 SHA1: C0:83:FE:D0:B6:30:FB:A1:10:41:4B:8E:50:4B:78:40:0F:E5:E3:35 ******************************************* Alias name: birkt60node19_signer Entry type: trustedCertEntry
Owner: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60Node15Cell, OU=BIRKT60Node19, O=IBM, C=US Issuer: CN=9.41.62.64, OU=Root Certificate, OU=BIRKT60Node15Cell, OU=BIRKT60Node19, O=IBM, C=US Serial number: 34825d997fda3 Valid from: 11/12/07 3:06 PM until: 11/7/27 3:06 PM Certificate fingerprints: MD5: 66:61:CE:7C:C7:44:8B:A7:23:FF:1B:68:E4:AC:24:55 SHA1: 25:E0:6B:D9:60:BB:67:5B:C6:67:BD:02:2C:54:E3:DA:24:E5:31:A3 *******************************************
We can replace the RSA personal certificate in the rsa-key.p12 and the public key in the rsa-trust.p12 with our own personal certificate. If we do this prior to federation to an administrative agent or job manager, the exchange of certificates is done for you. If we change the certificate after federation, we need to make sure the rsa-trust.p12 on the administrative agent or job manager is updated with the signer for the new certificate to establish trust.
Related tasks
Set the RSA token authentication mechanism