KB Article #178261

CG Default Certificates Expiration 26th of November 2016 (1.0.3 to 1.1.1)

Problem

Central Governance (1.0.3, 1.1.0, 1.1.1) Internal SSO Certificate Expiration

Resolution

The Axway default certificate delivered with CG 1.1.1 or below will expire on November 26th 2016.

Customers who have not changed the default certificates will experience issues with their installed products.

We encourage our customers to replace the default certificates.

SSO Internal Certificate

A fresh installation of CG 1.1.2 or above (not an upgrade) ships with the new certificate, so you do not need to replace it manually.

However, upgrading to CG 1.1.2 or above does not replace the certificate automatically; in that case follow the procedure in the section CG 1.1.1 or CG 1.1.2 upgraded from CG 1.1.1 below.

Otherwise, the manual operations to perform for each CG version are listed below. If the SSO Agent certificate (as it is known in PassPort) is not replaced, the CG UI will stop working and it will no longer be possible to log in to it.

The flow execution and the Visibility service (server side) are not affected by this problem.

CG 1.x.y upgraded from CG 1.0.2

  • If you are using CG 1.0.3 or above upgraded from CG 1.0.2, unzip the attached archive sso-fix-for-CG1.0.2-upgradedTo-CG1.0.3.zip to obtain the jks file.
  • Otherwise, follow the procedure corresponding to your CG version below.

CG 1.1.1 or CG 1.1.2 upgraded from CG 1.1.1

  • Change the default jks password to the Key for encryption value provided on the CG first configure/reconfigure page. NOTE: you can use the keytool (keytool.exe on Windows, keytool on Unix) provided with the embedded Java located in <CG_install_dir>/Java/<platform>/jre-<version>/bin.
    • Reminder: the Key for encryption parameter is configured when running cgcmd configure for the first time after the Central Governance installation. The parameter is found in the section Access and Security, subsection Encryption. For more details, see the documentation: Configuration and startup.
    • Unzip the attached archive sso-CG-1.1.1.zip
    • Run the following command to change the keystore password:
      • keytool -storepasswd -v -keystore sso.jks
      • Enter the current password: axway*
      • Enter the new password <Key for encryption>. Confirm the new password.
    • Run the following command to change the private key password:
      • keytool -keypasswd -alias passportsso -keystore sso.jks
      • Enter the new keystore password changed above, i.e. <Key for encryption>.
      • Enter the current key password: axway*
      • Enter the new key password <Key for encryption>. Confirm the new password.
    • To make sure that the password was successfully changed, run the command:
      • keytool -list -keystore sso.jks
      • Enter the password <Key for encryption>
  • Make sure Central Governance is stopped and replace the jks file in the following two locations:
    1. Go to <CG_install_dir>/runtime/<*passport*>/passport/conf/security
      • Back up the sso.jks outside the installation
      • Copy the new sso.jks file
    2. Go to <CG_install_dir>/runtime/<*passport*>/passport/sso/webapps/ROOT
      • Back up the sso.jks outside the installation
      • Copy the new sso.jks file
  • Start Central Governance.
  • Check the CG UI and the Visibility UI (Monitoring and Dashboard)
    • If the Sentinel UI is not available, go to the PassPort UI on port 6090: http://<host>:6090/
    • Log in with the user System/System01
    • Change the default password for the System user if required
    • Open the SECURITY menu > Entities
    • Open the Entity "Intermediate CA Certificates" from the domain Synchrony
    • Select the certificate named "CN=PassPort SSO CA, O=Axway, C=FR 1", which is not flagged as Trusted, check the Trusted flag and press the Save button.
    • Untrust the certificate named CN=PassPort SSO CA, O=Axway, C=FR and press the Save button.
    • Restart Central Governance

CG 1.1.0 (or below)

  • If you are using CG 1.0.3 or above upgraded from CG 1.0.2, unzip the attached archive sso-fix-for-CG1.0.2-upgradedTo-CG1.0.3.zip to obtain the jks file.
  • Otherwise, unzip the attached archive sso-CG-1.1.0.zip to obtain the jks file.
  • Make sure Central Governance is stopped and replace the jks file in the following two locations:
    1. Go to <CG_install_dir>/runtime/<*passport*>/passport/conf/security
      • Back up the sso.jks outside the installation
      • Copy the new sso.jks file
    2. Go to <CG_install_dir>/runtime/<*passport*>/passport/sso/webapps/ROOT
      • Back up the sso.jks outside the installation
      • Copy the new sso.jks file
  • Start Central Governance.
  • Check the CG UI and the Visibility UI (Monitoring and Dashboard)
    • If the Sentinel UI is not available, go to the PassPort UI on port 6090: http://<host>:6090/
    • Log in with the user System/System01
    • Change the default password for the System user if required
    • Open the SECURITY menu > Entities
    • Open the Entity "Intermediate CA Certificates" from the domain Synchrony
    • Select the certificate named "CN=PassPort SSO CA, O=Axway, C=FR 1", which is not flagged as Trusted, and check the Trusted flag. Click on the CN=PassPort SSO CA, O=Axway, C=FR 1 alias and check that the Signature algorithm is SHA256/RSA.
    • Untrust the certificate named CN=PassPort SSO CA, O=Axway, C=FR and press the Save button.
    • Restart Central Governance
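To verify a keystore after the steps above (the keytool -list check and the SHA256/RSA check), here is an added Python example that is not part of this KB article or of Axway's tooling: it parses the text printed by keytool -list -v -keystore sso.jks and reports entries that are expired, expire within a given window, or are not signed with SHA256withRSA. The listing embedded in it is a constructed sample modelled on the default SSO chain, not real output.

```python
"""Added check (not Axway's code): flag expiring/weakly signed certs in sso.jks."""
import re
from datetime import date

# Constructed sample of `keytool -list -v -keystore sso.jks` output (made-up values).
SAMPLE_LISTING = """\
Alias name: passportsso
Certificate[1]:
Owner: CN=passportsso, O=Axway, C=FR
Issuer: CN=PassPort SSO CA, O=Axway, C=FR
Valid from: Wed Nov 27 10:00:00 CET 2013 until: Sat Nov 26 10:00:00 CET 2016
Signature algorithm name: SHA1withRSA
Certificate[2]:
Owner: CN=PassPort SSO CA, O=Axway, C=FR
Issuer: CN=PassPort SSO CA, O=Axway, C=FR
Valid from: Wed Nov 27 10:00:00 CET 2013 until: Sat Nov 26 10:00:00 CET 2016
Signature algorithm name: SHA1withRSA
"""

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# keytool prints "until: Sat Nov 26 10:00:00 CET 2016"; the tz token is skipped.
_UNTIL = re.compile(r"until: \w{3} (\w{3}) (\d{1,2}) \S+ \S+ (\d{4})")

def parse_listing(text):
    # One dict (alias, subject, not_after, sig_alg) per certificate in the chain.
    certs, cur, alias = [], {}, None
    for line in text.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Alias name":
            alias = val
        elif key == "Owner":
            cur = {"alias": alias, "subject": val}
        elif key == "Valid from":
            mon, day, year = _UNTIL.search(line).groups()
            cur["not_after"] = date(int(year), MONTHS.index(mon) + 1, int(day))
        elif key == "Signature algorithm name":
            cur["sig_alg"] = val
            certs.append(cur)
    return certs

def check_keystore(text, today, warn_days=90):
    """Findings for certs expired, expiring within warn_days, or not SHA256/RSA."""
    findings = []
    for c in parse_listing(text):
        left, tag = (c["not_after"] - today).days, f"{c['alias']} [{c['subject']}]"
        if left <= warn_days:
            state = "EXPIRED on" if left < 0 else f"expires in {left} days on"
            findings.append(f"{tag}: {state} {c['not_after']}")
        if not c["sig_alg"].upper().startswith("SHA256"):
            findings.append(f"{tag}: signed with {c['sig_alg']}, expected SHA256withRSA")
    return findings
```

Pipe the real listing into check_keystore (for example via sys.stdin.read()) and treat any finding on the passportsso alias as a sign that the default certificate is still in place.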

SSO Browser Certificate (no action needed)

The SSO Browser Certificate is generated automatically at startup. To change the browser certificate, follow the User Guide section 'Replace SSO certificate':

http://docs.axway.com/u/documentation/central_gove...