What this Guide Covers:
Prerequisites
- ootb_certs.zip / ootb_certs_SHA1.zip (download and extract the new certificates)
- Java Connector Server Password
- Back up the following folders before changing anything:
- <DXHOME>\config\ssld
- <Provisioning Server>\data\tls\
How to check if certs are expired
- Make sure JAVA_HOME is set
This check can be done in three ways:
1. Using the OpenSSL tool
Run the command from <Provisioning Server>\data\tls; the example uses the openssl binary shipped in the Provisioning Server bin folder:
C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem
The command prints the certificate's notAfter date; the certificate is expired if that date is in the past. For the certificates this advisory is about, the output is:
notAfter=Oct 6 08:25:50 2017 GMT
which means the certificate expired on 6 October 2017.
2. SSLShopper website
This website decodes .pem certificates for you:
https://www.sslshopper.com/certificate-decoder.html
An example location of the .pem files is:
/opt/CA/Directory/dxserver/config/ssld/personalities
Paste the contents of the -----BEGIN CERTIFICATE----- block into the decoder; it shows the subject, issuer and validity dates. Personality files in that folder can also contain the DSA's private key, so paste only the certificate block and never a PRIVATE KEY block into a third-party website.
3. Using the keytool command (only works with Java JDK 1.7 and higher)
Command:
keytool -printcert -file et2_cacert.pem
This command can be used to check all .pem files; the "Valid from ... until ..." line in its output gives the validity period.
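All three methods above check one file at a time. The following bash script is an added example, not from the original article: it wraps openssl's -enddate and -checkend options and walks the certificate folders named in this guide, reporting every .pem that is expired, about to expire, or not a readable certificate. It assumes an openssl binary on PATH (or OPENSSL pointing at the copy in the Provisioning Server bin folder) and uses DXHOME and PROV_SERVER as stand-in variables for the two install roots; those variable and function names are mine, not the page's.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: report the expiry status of every
# .pem file under the certificate folders named in this guide. Assumes an "openssl"
# binary on PATH; set OPENSSL to <Provisioning Server>/bin/openssl to use the copy
# shipped with the product instead.
set -u
OPENSSL="${OPENSSL:-openssl}"

# check_pem_file FILE [SECONDS]
# Prints "STATUS notAfter-date file". Exit status: 0 = still valid for at least
# SECONDS (default 0, i.e. not yet expired), 1 = expired or expiring within
# SECONDS, 2 = no certificate could be read from the file.
check_pem_file() {
    local file="$1" horizon="${2:-0}" not_after
    # Personality files may hold the DSA private key before the certificate;
    # openssl skips other PEM blocks until it finds a CERTIFICATE block.
    if ! not_after=$("$OPENSSL" x509 -noout -enddate -in "$file" 2>/dev/null); then
        printf 'UNREADABLE %s\n' "$file"
        return 2
    fi
    not_after="${not_after#notAfter=}"
    # -checkend compares notAfter with now + SECONDS and reports the result in
    # the exit status, so openssl does the date comparison, not this script.
    if "$OPENSSL" x509 -noout -checkend "$horizon" -in "$file" >/dev/null 2>&1; then
        printf 'OK         %s  %s\n' "$not_after" "$file"
        return 0
    fi
    printf 'EXPIRING   %s  %s\n' "$not_after" "$file"
    return 1
}

# check_pem_dirs SECONDS DIR...
# Checks *.pem in each DIR and in subfolders up to two levels deep (enough for
# config/ssld/personalities and data/tls/client). Returns 1 if any file is
# expired, expiring or unreadable, otherwise 0.
check_pem_dirs() {
    local horizon="$1" rc=0 dir f
    shift
    for dir in "$@"; do
        for f in "$dir"/*.pem "$dir"/*/*.pem "$dir"/*/*/*.pem; do
            [ -e "$f" ] || continue        # glob pattern with no match
            check_pem_file "$f" "$horizon" || rc=1
        done
    done
    return "$rc"
}

# Example run, warning 30 days ahead (2592000 s). DXHOME and PROV_SERVER are
# assumed environment variables for the two install roots named in this guide.
# check_pem_dirs 2592000 "$DXHOME/config/ssld" "$PROV_SERVER/data/tls"
```

Run it with a horizon of 0 to list what is already expired, or with a horizon of a few weeks before the next renewal so that the personality files, the trusted bundle and the Provisioning Server tls folder are all checked in one pass; a non-zero exit status makes it usable from a monitoring job.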
ootb_certs.zip and ootb_certs_SHA1.zip contents
Both archives contain a pd folder (the impd_trusted.pem bundle and the DSA personality files), a prov/data/tls folder with a client subfolder (the Provisioning Server and Provisioning Manager files), and a jiam folder (the replacement jiam.jar). The steps below refer to these folders.
Replace Provisioning Server Router DSA certs
On each Provisioning Server (where the imps-router DSA is running):
- Navigate to the pd folder of the extracted ootb_certs.zip.
- Copy impd_trusted.pem to DXHOME\config\ssld and overwrite the existing one.
- From the same pd folder, rename the provided imps-router personality file so that its hostname part is the actual local hostname, then copy it into DXHOME\config\ssld\personalities and overwrite the existing one.
Note: Make sure the hostname is named correctly! The file name must match the router DSA name exactly.
- Delete any other .pem files related to 'imps' and 'impd' in that folder.
- Restart your DSAs with 'dxserver stop all' followed by 'dxserver start all'.
Replace Provisioning Server Certs
For the Provisioning Server you replace in just one place.
1) From package path "prov/data/tls/" -> on the host under <Provisioning Server>/data/tls/: copy the files from ootb_certs.zip into <Provisioning Server>/data/tls/ and overwrite the existing ones.
2) Restart the Provisioning Server (its service in the Windows Services console).
Replace Provisioning Directory DSA certs
On each Provisioning Directory Server (where you typically have the impd-main, impd-inc, impd-co and impd-notify DSAs running):
- Shut these DSAs down.
- Take the same impd_trusted.pem used above from the pd folder of ootb_certs.zip, copy it to your DXHOME\config\ssld location and overwrite the existing one.
- From that same ootb_certs.zip/ootb_certs_SHA1.zip extraction and pd folder, rename the provided impd files (e.g. hostname-impd-co.pem) to reflect your local data DSA names, then copy them into your DXHOME\config\ssld\personalities location and overwrite the existing ones.
Note: Make sure the hostname is named correctly! Each file name must match the corresponding DSA name exactly.
- Delete any other .pem files related to 'imps' and 'impd' in that folder.
- Restart your DSAs with 'dxserver stop all' followed by 'dxserver start all'.
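The router-DSA steps earlier on this page and the data-DSA steps in this section are the same procedure with different personality files: back up, stop, replace the trusted bundle, install the renamed personalities, remove stale imps/impd files, start. The following bash script is an added example that performs them on a Linux host; it is not from the original article or from the CA package. It assumes the extracted pd folder names its personality files with the literal prefix hostname- (the page gives hostname-impd-co.pem as an example), that the local DSA names follow the same <host>-impd-* and <host>-imps-router pattern, and that dxserver is on PATH; the function name, its argument order and the restart switch are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or of the CA package: the
# router-DSA and data-DSA certificate steps of this guide as one script for a
# Linux host. Assumptions (mine, not the page's): DXHOME is the CA Directory
# install root; PD_DIR is the extracted "pd" folder of ootb_certs.zip whose
# personality files carry the literal prefix "hostname-" (e.g. hostname-impd-co.pem);
# DSA_HOST is the hostname part of the DSA names shown by "dxserver status"
# (e.g. "myhost" for myhost-impd-main); a fourth argument "no" skips dxserver.
set -eu

# replace_dsa_certs DXHOME PD_DIR DSA_HOST [yes|no]
replace_dsa_certs() {
    local dxhome="$1" pd_dir="$2" dsa_host="$3" restart="${4:-yes}"
    local ssld="$dxhome/config/ssld" pers="$dxhome/config/ssld/personalities"
    local backup src name dst f

    # Back up the whole ssld tree first (a prerequisite of this guide).
    backup="$dxhome/config/ssld.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$ssld" "$backup"

    # Stop the DSAs before their files change.
    if [ "$restart" = yes ]; then
        dxserver stop all
    fi

    # The same trusted CA bundle is used by router and data DSAs.
    cp "$pd_dir/impd_trusted.pem" "$ssld/impd_trusted.pem"

    # Install a personality only for DSAs that already exist on this host:
    # hostname-impd-co.pem becomes <dsa_host>-impd-co.pem and overwrites it.
    for src in "$pd_dir"/hostname-*.pem; do
        [ -e "$src" ] || continue
        name="${src##*/hostname-}"            # impd-co.pem, imps-router.pem, ...
        dst="$pers/$dsa_host-$name"
        if [ -e "$dst" ]; then
            cp "$src" "$dst"
        fi
    done

    # Remove every other imps/impd personality (old hostnames, stale copies);
    # only the files named for this host survive.
    for f in "$pers"/*imps*.pem "$pers"/*impd*.pem; do
        [ -e "$f" ] || continue
        case "$f" in
            "$pers/$dsa_host-"*) ;;
            *) rm -f "$f" ;;
        esac
    done

    if [ "$restart" = yes ]; then
        dxserver start all
    fi
    printf 'backup kept at %s\n' "$backup"
}

# Example: replace_dsa_certs /opt/CA/Directory/dxserver /tmp/ootb_certs/pd "$(hostname -s)"
```

Because a personality is installed only where a file of that name already exists, the same invocation works on a router-only host (only <host>-imps-router.pem is replaced) and on a data host (the impd-* files are replaced); check the DSA names with dxserver status before running it, since a wrong DSA_HOST would leave the real personalities untouched and then delete them in the cleanup step.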
Replace Provisioning Manager Certs
For the Provisioning Manager you replace in two places.
1) From package path "prov/data/tls/" -> on the host under <Provisioning Manager>/data/tls/
2) From package path "prov/data/tls/client/" -> on the host under <Provisioning Manager>/data/tls/client/
3) Restart Provisioning Manager.
Replace jiam.jar file
Now follow the information at https://docops.ca.com/ca-identity-manager/12-6-8/EN/upgrading/upgrade-provisioning-components/update-your-provisioning-certificates starting at:
NOTE: For both of the above, if you are running Java/JRE 1.5, the keytool command given in the documentation will not work, because that version does not support the '-importkeystore' option. The workaround is to upgrade Java/JRE to at least 1.7, after which the command works.
NOTE: 'Use Case 2' also applies to the IDM 12.5x release (or you can use TEC1561732 for the same).
In JBoss 6.x go to this location:
<Jboss_Home>\standalone\deployments\iam_im.ear\library
In JBoss 5.x go to this location:
jboss-5.1.0.GA\server\default\deploy\iam_im.ear\library
Back up the existing jiam.jar, then replace it with the one from ootb_certs\jiam that matches the IDM version you are running; the folder provides one jar per IDM version, so pick the correct one for your environment.
Additional Steps for Identity Manager 12.6.3 and below
How to configure the Provisioning Server certificate for the IM Application Server in order to configure the IM Directory object…
The cacerts truststore of the JRE that runs the application server must be updated with the Provisioning Server certificate (keytool accepts the certificate in PEM or DER form). Run:
keytool.exe -keystore <location of the jre\lib\security\cacerts> -import -file <location of the ProvServerCert.der> -trustcacerts -alias CAIMProvSrv
keytool prompts for the keystore password (the JDK default for cacerts is changeit). If the alias CAIMProvSrv already exists from the previous certificate, keytool refuses the import; remove the old entry first with keytool's -delete option for the same alias and keystore, import again, and restart the application server so it reads the updated truststore.
References
Docops:
https://docops.ca.com/ca-identity-manager/12-6-8/EN/upgrading/upgrade-provisioning-components/update-your-provisioning-certificates#UpdateYourProvisioningCertificates-ProvisioningDirectoryandProvisioningServeronDifferentSystems
CA Communities:
https://communities.ca.com/message/242012911-steps-to-address-expired-6-oct-2017-provisioning-certificates-in-identityminder
Proactive Notification:
https://support.ca.com/us/product-content/status/announcement-documents/2017/ca---proactive-notification---idmgr---advisory---aidmgr-100477.html