Symantec Access Management

Tech Tip : CA Single Sign-On : Token Signing Certificate Expiry

    Broadcom Employee
    Posted Jun 07, 2018 06:13 AM

    Question:


    We recently replaced an expired Certificate from the CDS, and we'd like to know how to do it without
    having downtime. We've observed recently that changing an expired certificate needed downtime.

    How can we avoid downtime?


    Answer:


    At first glance, from Policy Server and AdminUI 12.6, you can add a
    "secondary certificate" in order to avoid downtime when the
    certificate needs to be replaced.


    Signature and Encryption Configuration for Federated Partnerships

    Select an alias from the certificate data store for the Verification
    Certificate Alias field. This field indicates which certificate
    verifies signed authentication requests or single logout requests or
    responses. If there is no certificate in the certificate data store,
    click Import to import one.


    (Optional) Select another alias from the certificate data store for
    the Secondary Verification Certificate Alias field.

    If verification of a signed authentication or logout request fails
    using the primary verification certificate alias, the IdP uses this
    secondary verification alias. If the certificate is not already in the
    certificate data store, click Import to import one. When secondary
    certificates are configured or updated for an active partnership, the
    run time automatically picks up the changes. You do not need to flush
    the cache manually from the UI for the changes to take effect.

    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/partnership-federation/signature-and-encryption-configuration-for-federated-partnerships
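    The fallback behaviour described above (try the primary verification certificate, then the secondary one) is what lets a partnership keep verifying requests while the partner cuts over to a new signing certificate. The following is an added illustration, not CA SSO / Broadcom code: the real product verifies XML signatures against X.509 certificates held in the certificate data store, whereas here an HMAC-SHA256 key with a validity window stands in for a certificate so the example runs on the Python standard library alone. The aliases, dates, keys and SAML message are all constructed for the example.

```python
"""Added example (not CA SSO product code): primary/secondary verification
fallback as described for the Secondary Verification Certificate Alias.

Assumption, labelled: an HMAC-SHA256 key plus a validity window stands in
for an X.509 certificate so the example needs no third-party library.
Aliases, dates, keys and the message are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class VerificationCert:
    """Stand-in for a certificate data store entry (alias + key + validity)."""
    alias: str
    key: bytes          # constructed; stands in for the certificate's public key
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

    def verify(self, message: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


@dataclass
class PartnershipVerifier:
    """Mirrors the partnership setting: a primary alias and an optional
    secondary alias that is consulted only when the primary fails."""
    primary: VerificationCert
    secondary: Optional[VerificationCert] = None

    def verify(self, message: bytes, signature: bytes, now: datetime) -> Optional[str]:
        """Return the alias that verified the message, or None if neither did.
        An expired entry is skipped rather than trusted."""
        for cert in (self.primary, self.secondary):
            if cert is None or not cert.is_valid_at(now):
                continue
            if cert.verify(message, signature):
                # A hit on the secondary alias is the operational signal that
                # the partner has cut over and the secondary can be promoted.
                return cert.alias
        return None


def sign(cert: VerificationCert, message: bytes) -> bytes:
    """Partner side: produce the signature the IdP will later verify."""
    return hmac.new(cert.key, message, hashlib.sha256).digest()


# Constructed sample entries: the partner's old certificate expires end of
# June 2018; the replacement is valid from June 2018 onward.
OLD = VerificationCert("partner-old", b"constructed-old-key",
                       datetime(2017, 6, 1, tzinfo=UTC), datetime(2018, 6, 30, tzinfo=UTC))
NEW = VerificationCert("partner-new", b"constructed-new-key",
                       datetime(2018, 6, 1, tzinfo=UTC), datetime(2019, 6, 30, tzinfo=UTC))


def rotation_outcomes() -> dict:
    """Walk a rotation timeline and report which alias (if any) verified."""
    msg = b"<samlp:AuthnRequest ID='constructed-id'/>"
    cutover = datetime(2018, 6, 15, tzinfo=UTC)       # partner starts signing with NEW
    after_expiry = datetime(2018, 7, 5, tzinfo=UTC)   # OLD is now expired

    primary_only = PartnershipVerifier(primary=OLD)
    with_secondary = PartnershipVerifier(primary=OLD, secondary=NEW)
    promoted = PartnershipVerifier(primary=NEW)       # after removing OLD

    return {
        # Without a secondary alias the partner's new signatures are rejected: downtime.
        "primary_only_at_cutover": primary_only.verify(msg, sign(NEW, msg), cutover),
        # With the secondary alias configured the same request verifies.
        "with_secondary_at_cutover": with_secondary.verify(msg, sign(NEW, msg), cutover),
        # A request still signed with the expired certificate is rejected.
        "old_cert_after_expiry": with_secondary.verify(msg, sign(OLD, msg), after_expiry),
        # Once the secondary has been promoted to primary, verification continues.
        "promoted": promoted.verify(msg, sign(NEW, msg), after_expiry),
        # Tampering with the message still fails on both aliases.
        "tampered": with_secondary.verify(msg + b"x", sign(NEW, msg), cutover),
    }


if __name__ == "__main__":
    for step, alias in rotation_outcomes().items():
        print(f"{step}: {alias}")
```

    The `rotation_outcomes` walk shows the operational sequence the tip implies: stage the partner's new certificate as the secondary alias before the old one expires, let the partner cut over while verification falls back automatically, then promote the new certificate to primary and retire the old alias. Skipping entries outside their validity window keeps the fallback from silently trusting an expired certificate.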


    Additional Information:

    Further reading related to the topic:

    Port Federation Certificate Management Enhancement from SSO
    https://communities.ca.com/ideas/235738112

    To benefit from that functionality, you'll need to upgrade your
    environment to at least 12.6. We recommend upgrading to 12.8.


    KB : KB000098292