KB Article #180351

Manual procedure to update the default SSO certificate in CG 1.1.2

Problem

The current certificate chain delivered with CG (the embedded Passport installation) expires in 2019 (the PassportSSOCA certificate on August 9th). Central Governance 1.1.2 uses this certificate for connectivity between its internal services (such as Passport and Sentinel).

Once the certificate has expired, the Central Governance installation will stop working.

For Central Governance 1.1.2, the fix is delivered as the manual procedure below.


Resolution

  • Make sure that CG is stopped. Download the attached archive and extract it. It contains 2 files: sso_provided.jks and truststore_provided.jks.
  • In the folder where you extracted sso_provided.jks, generate a new sso.jks using the following keytool command (the keytool executable is located in the bin directory of the JDK in the CG installation folder):

keytool -importkeystore -srckeystore sso_provided.jks -destkeystore sso.jks -srcstoretype jks -deststoretype jks -srckeypass Secret01 -srcstorepass Secret01 -destkeypass CustomPass -deststorepass CustomPass -alias passportsso


For destkeypass and deststorepass, replace CustomPass with the EncryptionKey password value set for the CG installation whose sso.jks you need to update.


  • In the folder where you extracted truststore_provided.jks, generate a new truststore.jks containing the two new CA certificates, using the following 2 keytool commands (the second command adds the second certificate to the truststore.jks created by the first):

keytool -importkeystore -srckeystore truststore_provided.jks -destkeystore truststore.jks -srcstoretype jks -deststoretype jks -srcstorepass Secret01 -deststorepass CustomPass -alias passportca


keytool -importkeystore -srckeystore truststore_provided.jks -destkeystore truststore.jks -srcstoretype jks -deststoretype jks -srcstorepass Secret01 -deststorepass CustomPass -alias passportca2


For deststorepass, replace CustomPass with the EncryptionKey password value set for the CG installation whose truststore.jks you need to update.


  • Copy the new sso.jks and truststore.jks into the two following CG folders:
    • CentralGovernance\runtime\com.axway.nodes.passport_NNNN\passport\conf\security
    • CentralGovernance\runtime\com.axway.nodes.passport_NNNN\passport\sso\webapps\ROOT\

  • Start CG.
  • Access the Passport UI on port 6453 (https://<hostname where CG is installed>:6453). Click Entities, then Intermediate CA Certificates. Select the newly created and imported certificate and tick the "Trust" check box. Save and exit. Unless it was changed previously, the default user for the Passport interface is System/System01.
  • Restart CG.
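The keystore steps above (generate sso.jks, generate truststore.jks, copy both into the two CG folders) as one POSIX shell script. This is an added example, not part of the KB article or of the product: it wraps the article's keytool commands in functions so the EncryptionKey password is passed once as an argument instead of being pasted into every command in place of CustomPass, refuses to run if the CustomPass placeholder is left in, and lists the validity period of the new entries so the new expiry date can be confirmed before the files are copied. It assumes keytool is on PATH (the article says to use the JDK shipped in the CG installation folder), that the provided keystores use the password Secret01 as in the article, and that the second argument is the com.axway.nodes.passport_NNNN folder of the installation (the directory name is a placeholder from the article).

```shell
#!/bin/sh
# Added example script (not from the KB article): automates the article's
# keytool steps. Assumes keytool is on PATH and that the script is run from
# the folder containing sso_provided.jks and truststore_provided.jks.

SRC_STOREPASS=Secret01   # password of the provided keystores, per the article

# Return 0 when a usable EncryptionKey was given, 1 when it is empty or the
# CustomPass placeholder from the article was left in place.
check_encryption_key() {
    key="$1"
    [ -n "$key" ] && [ "$key" != "CustomPass" ]
}

# Print the two CG folders that receive sso.jks and truststore.jks, given the
# com.axway.nodes.passport_NNNN folder (article step 4).
target_dirs() {
    node_dir="$1"
    printf '%s\n' "$node_dir/passport/conf/security"
    printf '%s\n' "$node_dir/passport/sso/webapps/ROOT"
}

# Step 2: build sso.jks from sso_provided.jks, re-keyed to the EncryptionKey.
make_sso_keystore() {
    key="$1"
    keytool -importkeystore -srckeystore sso_provided.jks -destkeystore sso.jks \
        -srcstoretype jks -deststoretype jks \
        -srckeypass "$SRC_STOREPASS" -srcstorepass "$SRC_STOREPASS" \
        -destkeypass "$key" -deststorepass "$key" -alias passportsso
}

# Step 3: build truststore.jks holding both CA entries (passportca, passportca2).
make_truststore() {
    key="$1"
    for a in passportca passportca2; do
        keytool -importkeystore -srckeystore truststore_provided.jks \
            -destkeystore truststore.jks -srcstoretype jks -deststoretype jks \
            -srcstorepass "$SRC_STOREPASS" -deststorepass "$key" -alias "$a"
    done
}

# Check: print each entry's alias and validity period so the operator can
# confirm the new expiry date before the keystores are copied into CG.
show_validity() {
    key="$1"
    for ks in sso.jks truststore.jks; do
        echo "== $ks"
        keytool -list -v -keystore "$ks" -storepass "$key" | grep -E 'Alias name|Valid from'
    done
}

# Step 4: copy both keystores into the two CG folders.
install_keystores() {
    node_dir="$1"
    target_dirs "$node_dir" | while read -r d; do
        cp sso.jks truststore.jks "$d/"
    done
}

main() {
    key="$1"
    node_dir="$2"
    if ! check_encryption_key "$key"; then
        echo "usage: $0 <EncryptionKey> <path to com.axway.nodes.passport_NNNN>" >&2
        return 1
    fi
    make_sso_keystore "$key"
    make_truststore "$key"
    show_validity "$key"
    install_keystores "$node_dir"
}

# Only run when both arguments are given; CG must be stopped beforehand, as the
# article says, and the Passport UI "Trust" step and restart still follow by hand.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The "Valid from" lines printed by show_validity are the check worth keeping: if the dates still end in 2019, the wrong source keystore was used. The Passport UI step (trusting the new intermediate CA) and the final restart are not scripted, since they are done in the UI.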