Symantec Access Management

  • 1.  Federation SP Cert Renewal on IDP

    Broadcom Employee
    Posted Feb 28, 2016 12:32 PM

    Hi,

    The SP cert which has been configured for verification and encryption on the IDP partnership is going to expire soon.

    I thought that just renaming the alias of the new certificate to the old name would suffice for this requirement; however, I am running into an issue with this approach. This is what I tried:

    I am able to rename the cert alias using the smkeytool utility: rename the old cert alias to some dummy name and give the old cert alias name to the new cert. This has updated the cert properly and I am able to see the same (old) cert alias in all the partnerships.

    However, I am still able to see in the SAML response that attribute encryption is signed with the old cert still. I did try restarting SPS and the Policy Server, but still no luck.

    Any suggestions?

    Thanks

    Ashok



  • 2.  Re: Federation SP Cert Renewal on IDP

    Posted Feb 29, 2016 12:23 PM

    Ashok, are you trying this in CA Secure Cloud?



  • 3.  Re: Federation SP Cert Renewal on IDP

    Broadcom Employee
    Posted Feb 29, 2016 12:38 PM

    Hi Oleg,

    Yes, I am; it is Secure Cloud 1.52.

    Ashok



  • 4.  Re: Federation SP Cert Renewal on IDP

    Posted Mar 01, 2016 05:27 AM

    The certificates are stored in the policy store with a unique ID. When the cert is used with a Federation Partnership, the certificate's Xid is used to link the two objects together. Hence, manually changing the alias is not going to update the certificate that has been included with the Federation Partnership.

    Example:

    <Object class="CA.FED::Certificate" Xid="CA.FED::Certificate@090395dc-7096-4298-9acf-a26a018788c8" CreatedDateTime="2015-12-02T02:05:33" ModifiedDateTime="2015-12-20T23:50:51" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">
        <Property Name="CA.FED::Certificate.FIPSApproved">
            <BooleanValue>true</BooleanValue>
        </Property>
        <Property Name="CA.FED::Certificate.Type">
            <NumberValue>2</NumberValue>
        </Property>
        <Property Name="CA.FED::Certificate.SerialNumber">
            <StringValue>6173ca55000000000003</StringValue>
        </Property>
        <Property Name="CA.FED::Certificate.Alias">
            <StringValue>saml2sign</StringValue>
        </Property>
        <Property Name="CA.FED::Certificate.IssuerDN">
            <StringValue>CN=KellyRoot,DC=kelly,DC=lab</StringValue>
        </Property>
        <Property Name="CA.FED::Certificate.CertificateGUID">
            <LinkValue>
                <XID>CA.CDS::Certificate@c28eb650-1b20-4a9d-8008-03ca353598c4</XID>
            </LinkValue>
        </Property>
    </Object><!-- Xid="CA.FED::Certificate@090395dc-7096-4298-9acf-a26a018788c8" -->

    <Object class="CA.FED::PartnershipBase" Xid="CA.FED::PartnershipBase@7412f90b-0b88-4dc4-bb3b-bcff177f41f4" CreatedDateTime="2015-07-29T02:16:27" ModifiedDateTime="2015-12-02T02:43:29" UpdatedBy="PRODUCT: CA.FED LIBRARY: FedObjects" UpdateMethod="Internal" ExportType="Replace">
    .......
        <Property Name="CA.FED::PartnershipBase.SigningCertLink">
            <LinkValue>
                <XID>CA.FED::Certificate@090395dc-7096-4298-9acf-a26a018788c8</XID>
            </LinkValue>
        </Property>
    ........
    </Object><!-- Xid="CA.FED::PartnershipBase@7412f90b-0b88-4dc4-bb3b-bcff177f41f4" -->

    I'm not sure about CloudMinder, but you can do a policy export and check the references.

    Also, with Single Sign-On Policy u, we have the option to update the existing certificate via the Administrative UI.
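The reference check suggested above can be automated. The following is an added example written for this thread (it is not code from the thread, from CA/Broadcom, or from the product): it walks a policy export laid out like the fragment above (Object/Property/LinkValue/XID elements, such as an XPSExport file) and reports, for every link from a partnership object into a CA.FED::Certificate, which certificate object (alias and serial) the Xid actually resolves to. It goes slightly beyond the fragment by scanning every link property on a partnership rather than only SigningCertLink, and by flagging dangling Xids. The embedded export, its Xids, aliases and serial numbers are constructed for the example; it models the state after the alias of the expiring certificate has been renamed to "currentcertexpired" and the renewed one to "currentcert", and shows that the partnership still resolves to the old certificate object because the link is by Xid, not by alias.

```python
"""Cross-check certificate references in a CA SiteMinder / Secure Cloud
policy export (Object/Property/LinkValue/XID layout, e.g. from XPSExport).

Added example for the thread above; not product code. All Xids, aliases
and serial numbers below are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample export: two CA.FED::Certificate objects and one
# partnership whose SigningCertLink still points at the OLD certificate
# object even though the aliases have been swapped with smkeytool.
SAMPLE_EXPORT = """<PolicyData>
  <Object class="CA.FED::Certificate" Xid="CA.FED::Certificate@aaaa-old">
    <Property Name="CA.FED::Certificate.SerialNumber">
      <StringValue>1001</StringValue>
    </Property>
    <Property Name="CA.FED::Certificate.Alias">
      <StringValue>currentcertexpired</StringValue>
    </Property>
  </Object>
  <Object class="CA.FED::Certificate" Xid="CA.FED::Certificate@bbbb-new">
    <Property Name="CA.FED::Certificate.SerialNumber">
      <StringValue>1002</StringValue>
    </Property>
    <Property Name="CA.FED::Certificate.Alias">
      <StringValue>currentcert</StringValue>
    </Property>
  </Object>
  <Object class="CA.FED::PartnershipBase" Xid="CA.FED::PartnershipBase@pppp">
    <Property Name="CA.FED::PartnershipBase.SigningCertLink">
      <LinkValue><XID>CA.FED::Certificate@aaaa-old</XID></LinkValue>
    </Property>
  </Object>
</PolicyData>
"""


def load_certificates(root):
    """Map certificate Xid -> {'alias': ..., 'serial': ...}."""
    certs = {}
    for obj in root.iter("Object"):
        if obj.get("class") != "CA.FED::Certificate":
            continue
        info = {}
        for prop in obj.findall("Property"):
            name = prop.get("Name", "")
            value = prop.findtext("StringValue")
            if name.endswith(".Alias"):
                info["alias"] = value
            elif name.endswith(".SerialNumber"):
                info["serial"] = value
        certs[obj.get("Xid")] = info
    return certs


def partnership_cert_links(root):
    """Return (partnership Xid, property name, certificate Xid) for every
    link from a partnership object into a CA.FED::Certificate object."""
    links = []
    for obj in root.iter("Object"):
        if not obj.get("class", "").startswith("CA.FED::Partnership"):
            continue
        for prop in obj.findall("Property"):
            for xid in prop.iter("XID"):
                if xid.text and xid.text.startswith("CA.FED::Certificate@"):
                    links.append((obj.get("Xid"), prop.get("Name"), xid.text))
    return links


def resolve_links(xml_text):
    """Resolve each partnership certificate link to the certificate object
    it really points at (by Xid) and report its alias and serial."""
    root = ET.fromstring(xml_text)
    certs = load_certificates(root)
    rows = []
    for pxid, prop, cxid in partnership_cert_links(root):
        cert = certs.get(cxid, {})
        rows.append({
            "partnership": pxid,
            "property": prop,
            "cert_xid": cxid,
            "alias": cert.get("alias"),
            "serial": cert.get("serial"),
            "dangling": cxid not in certs,  # link to a cert object that no longer exists
        })
    return rows


def partnerships_using_alias(xml_text, alias):
    """Sorted list of partnership Xids whose links resolve to `alias`."""
    return sorted({r["partnership"] for r in resolve_links(xml_text)
                   if r["alias"] == alias})


if __name__ == "__main__":
    for row in resolve_links(SAMPLE_EXPORT):
        print(row)
```

Run against a real export, the rows tell you which partnerships still resolve to the expiring certificate object after an alias rename, and which links are dangling; partnerships_using_alias("currentcert") being empty while partnerships_using_alias("currentcertexpired") is not is exactly the Xid-versus-alias situation described above.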



  • 5.  Re: Federation SP Cert Renewal on IDP

    Broadcom Employee
    Posted Mar 01, 2016 11:01 AM

    This applies to Secure Cloud/CloudMinder as well, in that references in partnerships are through Xids, so renaming the alias will not work. Please either update partnerships to use the new certificate, or update the existing certificate in Secure Cloud CSP Console in the Action drop-down rather than importing a new cert.



  • 6.  Re: Federation SP Cert Renewal on IDP
    Best Answer

    Broadcom Employee
    Posted Mar 07, 2016 10:21 AM

    Thank you Oleg, Sau and Richard for your responses.

    I have successfully renewed the SP cert on the IDP and below are the steps which I followed:

    Attempt 1: using AdminUI - Failed

    1. I tried to use the "update cert" option on the admin UI, but it failed.

    I got the below error due to the public key mismatch:

    "The public key of the new certificate does not match the public key for the existing entry under so and so alias..."

    Attempt 2: using smkeytool - Success

    1. Imported the renewed cert using the AdminUI with some dummy name - currentcertrenewed
    2. Rename the current cert which is going to expire to some new name
         ./smkeytool.sh -renameAlias -alias currentcert -newalias currentcertexpired
    3. Rename the renewed cert (currentcertrenewed) to the current cert name
         ./smkeytool.sh -renameAlias -alias currentcertrenewed -newalias currentcert
    4. Flush the SM cache

    It worked.

    Regards

    Ashok



  • 7.  Re: Federation SP Cert Renewal on IDP

    Posted Jan 12, 2017 02:22 PM

    When you did this you didn't have to go touch every single partnership? We just tried this in our environment and even though viewing the partnership seemed to show the change, ALL partnerships were 'down' until we deactivated and reactivated them.

    That's a pretty big impact if we can't seamlessly upgrade the certs for hundreds of SAML partners O_o...



  • 8.  Re: Federation SP Cert Renewal on IDP

    Broadcom Employee
    Posted Jan 12, 2017 07:41 PM

    Yes, we did not touch every partnership; it worked for us using the above approach which I mentioned.

    Did you try flushing the cache? If you did, then try running the XPSSweeper command and also restarting the Policy Server.



  • 9.  Re: Federation SP Cert Renewal on IDP

    Posted Jan 12, 2017 08:04 PM

    Hey Ashok,

    What was the certificate being used for?

    - Signing
    - Encryption

    I guess your procedure will work only if the cert is being used for Signing.

    Regards,

    Ujwol



  • 10.  Re: Federation SP Cert Renewal on IDP

    Posted Jan 13, 2017 09:44 AM

    Flushed cache, restarted all Policy Servers...the only thing we didn't do manually was run XPSSweeper. But it's set to run regularly already.

    Basically all the partnerships were still trying to use the old cert, it seems like. The Policy Server was tossing up an error showing it couldn't get the certificate.

    [6548/4120][Thu Jan 12 2017 13:01:50][AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.SAML2Security.DSigException: Error in DSigSigner - Can't get certificate associated with the alias: myalias
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:297)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:237)

    The only way it seemed to take the new cert was to deactivate, modify, add back user directories (due to a product bug) and filters, submit the change, and reactivate. That'll be a pretty big deal if we have to do that in PROD...I suppose if it's the XID that changed, we could possibly script it to run through and modify everything???

    **Edit**

    Well, I think I was confused. You guys were updating the SP certificate at the IDP?...we were trying to update the IDP signing certificate.

    Anyhoo, just tested again, this time flushing the cache, then manually running XPSSweeper, and restarting the PS. Same results, 500 Internal Server Error.

    If I look in XPSExplorer, what appears, to me at least, to be the cert link is the same between a working one (one that was modified and re-enabled) versus a non-working one (not touched/modified).

    Working

    CA.FED::Certificate@ff655d30-d8bd-42ab-a542-2445f92d7782
    CertificateGUID                 = CA.CDS::Certificate@b6cf3b60-6f5b-4d3c-8b41-1ec66ed7c7dd

    Not Working

    CA.FED::Certificate@ff655d30-d8bd-42ab-a542-2445f92d7782
    CertificateGUID                 = CA.CDS::Certificate@b6cf3b60-6f5b-4d3c-8b41-1ec66ed7c7dd