These steps should help you quickly address the problem noted in the recent advisory.
Symptoms if expired out-of-the-box certificates have not been addressed
- New Provisioning Server/Connector Server connections, or connection updates (for example when acquiring new endpoints), may not work.
- If you have made a change on any of your IDM servers and then restart the server for the change to take effect, the restart may not complete because connections to the Provisioning/Connector Servers fail.
- You may see the following messages in your IM application server logs:
Caused by: java.security.cert.CertPathValidatorException: timestamp check failed
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sat Nov 25 01:26:01 MST 2017
- You may see the following messages in your DSA warn logs:
[56] 20171127.100608.055 WARN : Certificate 'D:\SMA\CA\Directory\dxserver\config\ssld\personalities/hostname-imps-router.pem' is outside of validity date range
[56] 20171127.100608.055 WARN : Unable to get certificate from 'D:\SMA\CA\Directory\dxserver\config\ssld\personalities/hostname-imps-router.pem'
[56] 20171127.100608.055 WARN : set_cert_stuff failed
[56] 20171127.100608.055 WARN : Cannot get personality
How to confirm whether the certificates are out-of-the-box and have expired
1) Provisioning certificates
On each Provisioning Server, running the command below will show whether the expiration date is Oct 6.
C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
notAfter=Oct 6 08:25:50 2017 GMT -> in this example, this means the certificate expired on Oct 6
2) DSA certificates
On the machines where the Provisioning Directory is installed, open a command prompt and run the command:
dxcertgen report
This command will list all the certificates and their validity dates. Expired certificates will be marked as invalid. Here is an example:
- <hostname>-impd-notify.pem -
certificate : 1
version : 3
serialNum : 311
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server
status : *** INVALID ***
- <hostname>-imps-router.pem -
certificate : 1
version : 3
serialNum : 311
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server
status : *** INVALID ***
If the certificates have not expired, take note of the notAfter date for future reference.
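As an added example (not part of the original post or of CA's tooling), the following Python script parses both outputs shown above, the notAfter= line from openssl x509 -enddate and the per-certificate blocks from dxcertgen report, and flags certificates that have expired or will lapse within 30 days, so the check can be run before the symptoms above appear. The hostname myhost and the embedded sample output are constructed.

```python
"""Flag expired or soon-to-expire IDM certificates. Added example, not from the
original post or CA's tooling: parses the 'notAfter=' line of 'openssl x509 -enddate
-noout' and the blocks of 'dxcertgen report' (both shown above); samples are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Both print "Mon DD HH:MM:SS YYYY GMT"; openssl pads a 1-digit day with two spaces.
_DATE_RE = re.compile(r"notAfter\s*[:=]\s*([A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})\s+GMT")
_NAME_RE = re.compile(r"^-\s*(\S+\.pem)\s*-\s*$", re.MULTILINE)  # "- host-imps-router.pem -"
OPENSSL_OUTPUT = "notAfter=Oct  6 08:25:50 2017 GMT\n"  # constructed et2_cacert.pem check
DXCERTGEN_OUTPUT = """\
- myhost-impd-notify.pem -
notAfter : Nov 25 18:26:00 2017 GMT
status : *** INVALID ***
- myhost-imps-router.pem -
notAfter : Nov 25 18:26:00 2017 GMT
status : *** INVALID ***
"""  # constructed, trimmed 'dxcertgen report' for hostname 'myhost'

def parse_not_after(text):
    """Return the notAfter timestamp (UTC) from one openssl/dxcertgen snippet."""
    m = _DATE_RE.search(text)
    if not m:
        raise ValueError("no notAfter field found")
    fields = " ".join(m.group(1).split())  # collapse openssl's double space
    return datetime.strptime(fields, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_dxcertgen_report(report):
    """Map each .pem personality in a dxcertgen report to its notAfter."""
    names, result = list(_NAME_RE.finditer(report)), {}
    for i, m in enumerate(names):  # each block runs to the next '- name.pem -' header
        end = names[i + 1].start() if i + 1 < len(names) else len(report)
        result[m.group(1)] = parse_not_after(report[m.end():end])
    return result

def classify(not_after, now, warn_days=30):
    """'EXPIRED', 'EXPIRING' (lapses within warn_days) or 'OK'."""
    if not_after <= now:
        return "EXPIRED"
    return "EXPIRING" if not_after - now <= timedelta(days=warn_days) else "OK"

def expiry_report(as_of=None, warn_days=30):
    """Rows of (file, notAfter date, status) for both sources, as of an ISO date."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) if as_of else datetime.now(timezone.utc)
    rows = [("et2_cacert.pem", parse_not_after(OPENSSL_OUTPUT))]
    rows += sorted(parse_dxcertgen_report(DXCERTGEN_OUTPUT).items())
    return [(name, ts.strftime("%Y-%m-%d"), classify(ts, now, warn_days)) for name, ts in rows]

if __name__ == "__main__":
    for row in expiry_report("2017-11-18"):  # one week before the DSA certs lapse
        print("%-26s notAfter=%s  %s" % row)
```

To check a live host, replace the two constructed samples with the captured output of the openssl and dxcertgen commands above and call expiry_report() with no date.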
Steps to replace certificates
If certificates are OOTB and have expired, proceed as follows:
- Note the attached ootb_certs.zip (relevant only to IDM 12.6X releases) and ootb_certs_SHA1.zip (relevant only to IDM 12.5X releases) on this post.
Replace Provisioning Server Router DSA certs
On each Provisioning Server (where you typically have imps-router DSA running):
- Go to "Attach" towards the bottom of this post and extract the relevant zip attachment (ootb_certs.zip if on 12.6X, or ootb_certs_SHA1.zip if on 12.5X).
- Navigate to the pd folder and copy the impd_trusted.pem file to your DXHOME\config\ssld location, overwriting the existing one.
- From the same pd folder, rename the provided imps-router.pem to reflect the actual local hostname, then copy it into your DXHOME\config\ssld\personalities location, overwriting the existing one.
- Delete any other .pem files related to 'imps' and 'impd' that you have in there.
- On each Provisioning Server host you will end up with only one router .pem file, reflecting the local router name.
- Restart your DSA by running 'dxserver stop all' followed by 'dxserver start all'.
Replace Provisioning Directory DSA certs
On each Provisioning Directory Server (where you typically have impd-main, impd-inc, impd-co and impd-notify DSAs running):
- Take the same impd_trusted.pem used for the Provisioning Server Router DSA above, and copy it to your DXHOME\config\ssld location, overwriting the existing one.
- From the pd folder of that same ootb_certs.zip/ootb_certs_SHA1.zip extraction, rename the provided impd files (e.g. hostname-impd-co.pem) to reflect your local data DSA names, then copy them into your DXHOME\config\ssld\personalities location, overwriting the existing ones.
- Delete any other .pem files related to 'imps' and 'impd' that you have in there.
- On each Provisioning Directory host you will end up with only four impd .pem files, reflecting the four local data DSA names.
- Restart your DSAs by running 'dxserver stop all' followed by 'dxserver start all'.
Replace Provisioning Manager Certs
For the Provisioning Manager you replace certificates in two places.
1) from package path "prov/data/tls/" -> on the host under <Provisioning Manager>/data/tls/
2) from package path "prov/data/tls/client/" -> on the host under <Provisioning Manager>/data/tls/client/
3) Restart Provisioning Manager.
Replace Provisioning Server Certs
For the Provisioning Server you replace certificates in just one place.
1) from package path "prov/data/tls/" -> on the host under <Provisioning Server>/data/tls/
2) Restart Provisioning Server.
Now you can follow the information in 'Update Your Provisioning Certificates - CA Identity Manager - 12.6.8 - CA Technologies Documentation', starting at:
NOTE: For both of the above, if you are running Java/JRE 1.5, the keytool command provided in the documentation will not work, as that version does not support the '-importkeystore' option. The workaround is to upgrade Java/JRE to at least 1.7, after which the command should work.
NOTE: 'Use Case 2' also applies to the IDM 12.5X release (or you can use TEC1561732 for the same).