Hi Raju.
Perfect. Thanks for taking a look into this. Very much appreciated!
- The federated IdP has no trusted certs configured.
- The certificate in scope is assigned to the fip-user.
- The same cert is stored in the gateway's trusted store and flagged as a trust anchor.
- Both certs (fipUser and TrustedCert) were updated at the same time (same JSON bundle).
As my initial thread question was based on observations from colleagues, I would need to do some re-tests on my own to provide further information and do some double checks.
Anyway, the main point for me right now is that there is no principal issue with this scenario, like a gateway restart necessity.
Meaning: This scenario should work!
I will come back to you as soon as I have done further testing.
Thank you.
...Michael
Original Message:
Sent: Apr 30, 2024 07:46 AM
From: Raju Gurram
Subject: fipUser certificate update by graphman
@Michael Mueller I've tested with my local gateway and it seemed to work for me. I will check with the exact test base as you mentioned. Meanwhile, could you please give me more details about your federated IdP configuration?
- Are you trusting the signers with the federated IdP?
- In case the user cert is self-signed, are you trusting it with the federated IdP? For that, you need to consider modifying the federated IdP as well.
Original Message:
Sent: Apr 26, 2024 04:41 AM
From: Michael Mueller
Subject: fipUser certificate update by graphman
Dear Team.
We just updated a certificate of a fipUser with graphman.
This cert is used to identify and authenticate this user against an incoming mTLS client cert.
Unfortunately, the authentication did not work after the graphman import.
Then we updated the user cert manually through Policy Manager and the authentication was working again.
Comparing the graphman-exported cert before and after the manual cert update reveals only a change in the checksum.
Is that expected behavior?
Will graphman be able to update a user certificate without going through the Policy Manager?
Or do we need to do special activities during the import to make the new cert work seamlessly?
Gateway v11.0
graphman-client V1.0.00
Thanks and kind regards
...Michael