KB Article #179151

How to change the default CAS (NoProxy) SSO certificates in PassPort and AIS Products

Problem

The default Axway CAS passportsso certificate will expire on 2 December 2017.
Affected products that might use CAS SSO: AISuiteDesigner, Interplay, DataStore, PassPort.

To determine whether CAS SSO is in use and you are affected, check the following:

The example below corresponds to AISuiteDesigner (repeat the steps for the other products registered in PassPort):

1. In the PassPort UI, browse to Administration -> Products -> AISuiteDesigner -> default -> AISuiteDesigner.

2. Check if the "SSO new URL" box is checked.

If the "SSO new URL" box is checked, CAS SSO is used.
In this case go to step 3. Otherwise, CAS SSO is not used and there is no need to replace the certificate.

3. Check the certificate used in PassPort:

Execute the command:

keytool -list -v -keystore ../PassPort/webapps/WEB-INF/ssofilter.jks

The keystore password is specified in the file ../PassPort/webapps/WEB-INF/ssofilter.properties.
If the output of the command displays an Axway certificate that expires on December 2nd, 2017, you need to replace the certificate (see Resolution).
Otherwise there is no need to replace the certificate.

Output extract:

Owner: CN=SSOFilter, OU=R&D, O=Axway, L=Bucharest, C=RO
Issuer: CN=PassPort SSO CA, O=Axway, C=FR
Serial number: 1a
Valid from: Tue Dec 01 11:06:00 EET 2015 until: Sat Dec 02 11:06:00 EET 2017
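To run the step 3 check across several keystores without reading each keytool dump by hand, the following added script (not part of this KB article or of any Axway product) parses keytool -list -v output, flags every entry whose issuer is the default "PassPort SSO CA" shown in the extract above, and computes the days left until each certificate expires. The sample output embedded in it is constructed from the extract above plus a hypothetical company-issued entry; in practice, pipe the real keytool output into audit().

```python
# Audit `keytool -list -v` output for ssofilter.jks: flag entries issued by the default Axway CA, report days to expiry.
from datetime import datetime

# Issuer DN of the default Axway CA, copied from the KB article's output extract.
DEFAULT_ISSUER = "CN=PassPort SSO CA, O=Axway, C=FR"

# Constructed sample of keytool output: the default entry from the KB extract (with its
# CA as second chain element) plus a hypothetical company-issued entry, not real data.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: passportssofilter
Certificate[1]:
Owner: CN=SSOFilter, OU=R&D, O=Axway, L=Bucharest, C=RO
Issuer: CN=PassPort SSO CA, O=Axway, C=FR
Serial number: 1a
Valid from: Tue Dec 01 11:06:00 EET 2015 until: Sat Dec 02 11:06:00 EET 2017
Certificate[2]:
Owner: CN=PassPort SSO CA, O=Axway, C=FR
Issuer: CN=PassPort SSO CA, O=Axway, C=FR
Valid from: Tue Dec 01 11:00:00 EET 2015 until: Mon Dec 01 11:00:00 EET 2025

Alias name: examplecorpssofilter
Owner: CN=SSOFilter, O=Example Corp, C=US
Issuer: CN=Example Corp Issuing CA, O=Example Corp, C=US
Valid from: Mon Jan 09 09:00:00 EET 2017 until: Fri Jan 09 09:00:00 EET 2037
"""


def parse_keytool_date(text):
    # 'Sat Dec 02 11:06:00 EET 2017': drop the zone abbreviation, since strptime's %Z
    # only accepts UTC, GMT and the local zone; the result is a naive datetime.
    tokens = text.strip().split()
    if len(tokens) == 6:
        del tokens[4]
    return datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")


def audit(keytool_output, now):
    # One finding per alias, read from the first certificate listed for that alias
    # (the end-entity cert); later chain certificates for the same alias are ignored.
    findings, cur = [], None
    for line in keytool_output.splitlines():
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "default_axway": False}
            findings.append(cur)
        elif cur and "issuer" not in cur and line.startswith("Issuer:"):
            cur["issuer"] = line.split(":", 1)[1].strip()
            cur["default_axway"] = cur["issuer"] == DEFAULT_ISSUER
        elif cur and "not_after" not in cur and line.startswith("Valid from:"):
            cur["not_after"] = parse_keytool_date(line.split("until:", 1)[1])
            cur["days_left"] = (cur["not_after"] - now).days
    return findings
```

Any alias reported with default_axway set to True is still using the Axway-issued certificate and should be replaced following the Resolution below.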

Note: Axway strongly recommends replacing the default certificates with your company's own certificates.

Resolution

Please refer to page 33 of the Interplay Security Guide for changing and replacing the certificates (sections "Change certificates used for CAS SSO" and "Change the client certificate of the SSO filter").

The steps are the following:

1. Create or obtain your own company certificates: Root, CA, User Certificate.

The Root certificate in a public format (.cer, .pem or .crt); the CA and User certificates in PKCS12 (complete chain).

2. On PassPort side:

I. Change the PassPort SSO CA (root) within truststore.jks

a. Navigate to Axway/PassPort/webapps/WEB-INF/
b. Execute:

cp truststore.jks truststore_custom.jks
keytool -importcert -trustcacerts -file <fileContainingCA.cer> -keystore truststore_custom.jks -alias <nameOfCA>
keytool -delete -alias passportca -keystore truststore_custom.jks

The default password of this truststore is axway*.

II. Change the PassPort SSO user and CA certificates within ssofilter.jks

a. Execute:

cp ssofilter.jks ssofilter_custom.jks
keytool -importkeystore -v -srckeystore your_custom_certificate_chain.p12 -srcstoretype pkcs12 -destkeystore ssofilter_custom.jks

b. Delete the default certificate and rename the imported one:

keytool -v -keystore ssofilter_custom.jks -delete -alias passportssofilter
keytool -v -keystore ssofilter_custom.jks -changealias -alias <the alias of your custom user cert> -destalias passportssofilter

c. Edit the ssofilter.properties and use the _custom JKS files:

keyStore=WEB-INF/ssofilter_custom.jks
...
trustStore=WEB-INF/truststore_custom.jks

The default password of this truststore is axway*.

3. On Product side (Interplay, Designer or Datastore):

Execute steps 2.I and 2.II on the Interplay, Designer and Datastore side, importing the custom certificates into that product's truststore_custom.jks and ssofilter_custom.jks files.

The JKS files are found in the following paths for each product:

Designer/war/WEB-INF/
DatastoreClient/war/WEB-INF/
InterPlay/war/WEB-INF/

Note 1: We recommend using _custom.jks files so that they are not overwritten by the default .jks files when a Service Pack is applied.