KB Article #180349

Manual procedure to update the default SSO certificate in CG 1.1.3


Problem

The current certificate chain delivered in CG (embedded Passport installation) will expire in 2019 (PassportSSOCA on August 9th). Central Governance 1.1.3 uses this certificate for internal services connectivity (like Passport, Sentinel).

Once the certificate is expired Central Governance installation will stop working.

For Central Governance 1.1.3, a fix to renew the certificates is delivered in CG 1.1.3 SP9.

In the situation where updating to CG 1.1.3 SP9 is not possible before August 9th, below is a manual procedure to update the SSO certificate.


Resolution

  • Make sure that CG is stopped. Download the attached archive and extract it. It contains 2 files: sso_download.jks and trustore_download.jks.

  • In the folder where you have downloaded the attached sso_download.jks, generate a new sso.jks using the following keytool command (the keytool executable is located in the bin directory of the JDK from the CG installation folder):

keytool -importkeystore -srckeystore sso_download.jks -destkeystore sso.jks -srcstoretype jks -deststoretype jks -srckeypass Secret01 -srcstorepass Secret01 -destkeypass Custom01 -deststorepass Custom01 -alias passportsso


For destkeypass and deststorepass use the EncryptionKey password value set for the CG installation for which you need to update the sso.jks.

  • In the folder where you have downloaded the truststore_download.jks, generate a new truststore.jks, with two new certificates, using the following 2 keytool commands:

keytool -importkeystore -srckeystore truststore_download.jks -destkeystore truststore.jks -srcstoretype jks -deststoretype jks -srcstorepass Secret01 -deststorepass Secret02 -alias passportca



keytool -importkeystore -srckeystore truststore_download.jks -destkeystore truststore.jks -srcstoretype jks -deststoretype jks -srcstorepass Secret01 -deststorepass Secret02 -alias passportca2


For deststorepass use the EncryptionKey password value set for the CG installation for which you need to update the truststore.jks.


  • Copy both newly created sso.jks and truststore.jks in the two following CG folders:

    • CentralGovernance\runtime\com.axway.nodes.passport_NNNN\passport\conf\security
    • CentralGovernance\runtime\com.axway.nodes.passport_NNNN\passport\sso\webapps\ROOT\

  • Start CG.



Remarks and scenarios regarding Sentinel:

Sentinel scenario

Comment

External Sentinel 4.2.0 SP15 P3 or higher and default certificates

This is the recommended solution:

Sentinel 4.2.0 SP15 P3 (or higher) contains the updated certificate

External Sentinel lower than 4.2.0 SP15 P3 and default certificates

Upgrade Sentinel to 4.2.0 SP 15 P3 (or higher)

or

Follow the procedure to manually replace the certificates described in KB 180315

External Sentinel and custom certificates

Sentinel specific actions are described in KB 180475

Sentinel embedded (upgraded from 1.1.2)

Sentinel specific actions are described in KB 180481


Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.