This is a follow up to prior notifications sent out about the CA Identity Manager certificate expiration that occurred on Oct. 6th. This will bring you up to date with the status of this situation as well as provide instructions for you to use if you haven’t yet replaced the certs. If you have already taken action please read the Status Update section below.
PRODUCT(S) AFFECTED: CA Identity Manager RELEASE: 12.x
The CA provisioning server ships with out of the box certificates that for version 12.x were due to expire on 6th October 2017. If you are using your own certificate or have deployed 14.0 or later, this does not affect you, as from 14.0 GA, the provisioning certificate shipped with the product has been updated with a newer one.
Requests sent to the provisioning server fail; directory replication failure; provisioning server service not starting; connector server requests failure; IM environment fails to start; IM provisioning directory communication failure.
For any 12.6.08 (SP8) and earlier releases, if you are using the out of the box provisioning server certificate, it will have expired on 6th October 2017 which will cause any of the following: requests being sent to a provisioning server to fail; directory replication failure; provisioning server service not starting; connector server requests failure; IM environment fails to start; IM provisioning directory communication failure.
STATUS UPDATE SINCE LAST COMMUNICATION:
Due to this problem, an installation or upgrade to existing 12.x SPs or CRs will fail. As a result, we have replaced the following on our Downloads and Docops sites:
12.6 SP4 CR4
12.6 SP5 CR2
12.6 SP6 CR1
12.6 SP7 (12.6.7)
12.6 SP8 (12.6.8)
12.6 SP8 CR1
The only changes made to these versions are updates to the certificates related to the CA Directory in the provisioning server and provisioning directory. There are certificates for the other components, including the provisioning server, that will still need to be manually updated after install or upgrade. (Follow instructions below in the Problem Resolution section to replace the certs after upgrade/install.)
If you have downloaded any of these prior versions, please discard them and use the new downloads for an upgrade or fresh install. If you have already replaced your certs, no action is needed unless you plan a new install or upgrade to one of these versions. The Docops pages for each of the refreshed CRs have been updated with instructions on how to determine the difference between the original and updated CRs.
SPs can be located on http://support.ca.com Download Management area. CRs are on http://docops.ca.com
We have Provisioning Certificate Utilities to enable you to verify whether the CA Identity Manager components are using the new certificates. There is also a link to these for each of the CRs on Docops and can be found here: https://docops.ca.com/ca-identity-manager/12-6-8/EN/upgrading/upgrade-provisioning-components/ca-identity-manager-certificate-utilities
(The instructions and downloads are the same for each SP and CR)
Communities post on this topic to follow: https://communities.ca.com/thread/241785381-steps-to-address-expired-6-oct-2017-provisioning-certificates-in-identityminder
Follow the instructions in the Important Notice in the documentation set for your release at:
CA Identity Manager 12.6.08 (SP8) - https://docops.ca.com/ca-identity-manager/12-6-8/EN/release-information/release-notes-12-6-08-cumulative-patches
CA Identity Manager 12.6.07 (SP7) - https://docops.ca.com/ca-identity-manager/12-6-07/en/release-information/release-notes-12-6-07-cumulative-patcheshttps://docops.ca.com/ca-identity-manager/12-6-07/en/release-information/release-notes-12-6-07-cumulative-patches
CA Identity Manager 12.6.06 (SP6) - https://docops.ca.com/ca-identity-manager/12-6-6/en/release-information/release-notes-12-6-06-cumulative-patches
CA Identity Manager 12.6.05 (SP5) - https://docops.ca.com/ca-identity-manager/12-6-5/EN/release-information/release-notes-12-6-05-cumulative-patches
If you are using a release prior to 12.6.04 (SP4), please refer to the instructions for 12.6.04 (SP4) as these instructions are consistent and apply to all prior releases.
For End of Service version 12.5, please see the following tech doc:
If you have any questions about this Critical Alert, please contact CA Support.
CA Support Team