KB Article #180349
Manual procedure to update the default SSO certificate in CG 1.1.3
Problem
The current certificate chain delivered in CG (embedded Passport installation) will expire in 2019 (PassportSSOCA on August 9th). Central Governance 1.1.3 uses this certificate for internal services connectivity (like Passport, Sentinel).
Once the certificate is expired Central Governance installation will stop working.
For Central Governance 1.1.3, a fix to renew the certificates is delivered in CG 1.1.3 SP9.
In the situation where updating to CG 1.1.3 SP9 is not possible before August 9th, below is a manual procedure to update the SSO certificate.
Resolution
- Make sure that CG is stopped. Download the attached archive and extract it. It contains 2 files: sso_download.jks and trustore_download.jks.
- In the folder where you have downloaded the attached sso_download.jks, generate a new sso.jks using the following keytool command (the keytool executable is located in the bin directory of the JDK from the CG installation folder):
keytool -importkeystore -srckeystore sso_download.jks -destkeystore sso.jks -srcstoretype jks -deststoretype jks -srckeypass Secret01 -srcstorepass Secret01 -destkeypass Custom01 -deststorepass Custom01 -alias passportsso
For destkeypass and deststorepass use the EncryptionKey password value set for the CG installation for which you need to update the sso.jks.
- In the folder where you have downloaded the truststore_download.jks, generate a new truststore.jks, with two new certificates, using the following 2 keytool commands:
keytool -importkeystore -srckeystore truststore_download.jks -destkeystore truststore.jks -srcstoretype jks -deststoretype jks -srcstorepass Secret01 -deststorepass Secret02 -alias passportca
keytool -importkeystore -srckeystore truststore_download.jks -destkeystore truststore.jks -srcstoretype jks -deststoretype jks -srcstorepass Secret01 -deststorepass Secret02 -alias passportca2
For deststorepass use the EncryptionKey password value set for the CG installation for which you need to update the truststore.jks.
- Copy both newly created sso.jks and truststore.jks in the two following CG folders:
- CentralGovernance\runtime\com.axway.nodes.passport_NNNN\passport\conf\security
- CentralGovernance\runtime\com.axway.nodes.passport_NNNN\passport\sso\webapps\ROOT\
- Start CG.
Remarks and scenarios regarding Sentinel:
Sentinel scenario | Comment |
External Sentinel 4.2.0 SP15 P3 or higher and default certificates | This is the recommended solution: Sentinel 4.2.0 SP15 P3 (or higher) contains the updated certificate |
External Sentinel lower than 4.2.0 SP15 P3 and default certificates | Upgrade Sentinel to 4.2.0 SP 15 P3 (or higher) or Follow the procedure to manually replace the certificates described in KB 180315 |
External Sentinel and custom certificates | Sentinel specific actions are described in KB 180475 |
Sentinel embedded (upgraded from 1.1.2) | Sentinel specific actions are described in KB 180481 |