Symantec Access Management


Tech Tip : CA Single Sign-On :: Policy server :: AdminUI  External Admin Store CERT Management


    Broadcom Employee
    Posted Dec 04, 2015 09:43 AM

    ###### Tip Description

     

    When you set up an External Admin Store with SSL enabled, you are required to import the root CA cert through the Admin UI.

    If for any reason you would like to change the cert or delete it, there is no option in the Admin UI that allows you to do so.

     

    Below are the steps for finding the keystore file where these certs are stored and for managing it.

     

    ##### Provided Steps

     

    - From the Admin UI, under Administration --> Admin UI --> Configure Administrative Authentication, the root CA cert of the External Admin Store can be uploaded.

    - This cert will be stored within "trustStore.jks" keystore file that can be found under "\CA\siteminder\adminui\server\default\conf\"

    - To list the certs available within this keystore file, you will need to use the keytool available with your Java, as follows:

     

    1) From a command line, navigate to your JDK home and to the following bin folder (\Java\jdk1.7.0_25\jre\bin)

    2) Run the below command to list the certs

     

    keytool -list -v  -keystore "\CA\siteminder\adminui\server\default\conf\trustStore.jks" -storepass changeit

    NOTE --> the keystore file password is changeit by default

     

    3) Your cert will be displayed as follows

     

    Keystore type: JKS

    Keystore provider: SUN

     

    Your keystore contains 1 entry

     

    Alias name: mysite

    Creation date: Dec 3, 2015

    Entry type: trustedCertEntry

    Owner: .......

    Issuer: ......

    Serial number: ......

    Valid from: Fri Jun 19 06:53:58 EDT 2015 until: Thu Jun 19 07:03:57 EDT 2025

    Certificate fingerprints:......

     

    - Now, to delete the cert from your keystore file, please follow the steps below

     

    1) From a command line, navigate to your JDK home and to the following bin folder (\Java\jdk1.7.0_25\jre\bin)

    2) Run the below command to delete the cert

     

    keytool -delete -noprompt -alias <your_cert_alias>  -keystore "\CA\siteminder\adminui\server\default\conf\trustStore.jks" -storepass changeit

     

    NOTE --> the keystore file password is changeit by default

     

    3) Now run the list command again (provided above) to confirm the cert was deleted

    4) You will need to restart the Admin UI after performing the delete operation

     

    For additional detail on keytool usage, please refer to https://docs.oracle.com/cd/E19879-01/821-0185/ablqz/index.html
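
The list, delete and verify steps above as one PowerShell script that first takes a backup of trustStore.jks; this is an added example, not part of the original post or of the product. It goes one step beyond the post by optionally importing a replacement root CA with `keytool -importcert`; the parameter names, the backup file naming and keytool being on PATH are assumptions of this example.

```powershell
param(
    [Parameter(Mandatory = $true)] [string] $Alias,   # alias shown by "keytool -list"
    [string] $TrustStore = '\CA\siteminder\adminui\server\default\conf\trustStore.jks',
    [string] $Keytool    = 'keytool',                 # assumption: keytool is on PATH
    [string] $StorePass  = 'changeit',                # default password per the post
    [string] $NewCertFile                             # optional replacement root CA file
)

function Invoke-Keytool {
    # Run one keytool command against the trust store; return exit code and output.
    param([string[]] $KtArgs)
    $out = & $Keytool @KtArgs -keystore $TrustStore -storepass $StorePass
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $out }
}

if (-not (Test-Path -LiteralPath $TrustStore)) { throw "Trust store not found: $TrustStore" }

# 1. Back up the trust store so a wrong delete can be undone by copying it back.
$backup = "$TrustStore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $TrustStore -Destination $backup -ErrorAction Stop

# 2. Confirm the alias exists and show what is about to be removed.
$before = Invoke-Keytool -KtArgs @('-list', '-v', '-alias', $Alias)
if ($before.ExitCode -ne 0) { throw "Alias '$Alias' not found, nothing deleted: $($before.Output)" }
$before.Output | Select-String 'Owner:|Issuer:|Valid from:|SHA'

# 3. Delete the entry (same command as in the post).
$del = Invoke-Keytool -KtArgs @('-delete', '-noprompt', '-alias', $Alias)
if ($del.ExitCode -ne 0) { throw "Delete failed: $($del.Output)" }

# 4. Verify: listing the alias must now fail.
$after = Invoke-Keytool -KtArgs @('-list', '-alias', $Alias)
if ($after.ExitCode -eq 0) { throw "Alias '$Alias' is still present; restore $backup and investigate." }

# 5. Optional (beyond the post): import the replacement root CA under the same alias.
if ($NewCertFile) {
    $imp = Invoke-Keytool -KtArgs @('-importcert', '-trustcacerts', '-noprompt',
                                    '-alias', $Alias, '-file', $NewCertFile)
    if ($imp.ExitCode -ne 0) { throw "Import failed, restore $backup if needed: $($imp.Output)" }
    (Invoke-Keytool -KtArgs @('-list', '-v', '-alias', $Alias)).Output |
        Select-String 'Owner:|Issuer:|Valid from:|SHA'
}

Write-Host "Backup saved as $backup. Restart the Admin UI for the change to take effect."
```

Compare the fingerprint printed in step 5 with the one published by the issuing CA before restarting the Admin UI.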