KB Article #180475

How to update the SSO certificate when CG and Sentinel are using custom certificates

1. Check the CG version

If the CG version is lower than 1.1.3 SP8, first replace the SSO certificates (procedure described in KB 180349) and then apply the steps below.

If the CG version is 1.1.3 SP8 or higher, you can proceed directly with the steps below.

2. Identify the keystore & truststore in the CG and Sentinel configurations

Check the following XML files to determine the keystore and truststore used by Central Governance and Sentinel:

For Sentinel: <Sentinel dir>/Sentinel/jetty/etc/jetty-ssl.xml

Example:
<Set name="KeyStore">/home/userdpg/Sentinel/Sentinel/conf/security/CA_EU2_Sentinel.p12</Set>
<Set name="TrustStore">/home/userdpg/CG113SP7/CentralGovernance/data/truststore.jks</Set>

For CG: <CG dir>/runtime/<passport node>/passport/sso/webapps/ROOT/WEB-INF/web.xml

Example:
<context-param>
<param-name>keyStore</param-name>
<param-value>sso.jks</param-value>
</context-param>
<context-param>
<param-name>trustStore</param-name>
<param-value>customProd.jks</param-value>
</context-param>

You have to identify the CAs used by CG and Sentinel. The CG and Sentinel keystores typically contain certificate chains; the CA is the first trusted certificate in the chain, starting from the end-user certificate.

For SSO between CG and Sentinel to work, the following conditions must be met:

    • The Central Governance truststore contains the CA used by Sentinel.
    • The Sentinel truststore contains the CA used by Central Governance.
    • The Sentinel truststore contains the SSO certificates required by Central Governance, which are located in <Sentinel dir>/conf/security/truststoreSSO.jks.
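
The three conditions above can be checked from saved `keytool -v -list` output. The following script is an added example, not part of the KB article: it parses such listings, treats the CA as the certificate directly above the end-user certificate in a chain (Certificate[2]), and works on constructed sample listings whose alias names (sentinel, sentinel_ca) and fingerprints are made up.

```shell
# Added example, not part of the KB article: check the trust conditions by comparing
# SHA-256 fingerprints from saved `keytool -v -list` output, for example
#   keytool -v -list -keystore <path to Sentinel truststore> > sentinel_truststore.txt
# The sample listings and fingerprints below are constructed, not real certificates.

# Print "alias<TAB>position<TAB>sha256" for every certificate in listing file $1;
# position is N from "Certificate[N]:" inside a chain, or 1 for a trustedCertEntry.
fingerprints_from_listing() {
    awk '
        /^Alias name:/            { sub(/^Alias name:[[:space:]]*/, ""); alias = $0; pos = 1 }
        /^Certificate\[[0-9]+\]:/ { pos = $0; gsub(/[^0-9]/, "", pos) }
        /^[[:space:]]*SHA256:/    { sub(/^[[:space:]]*SHA256:[[:space:]]*/, "")
                                    print alias "\t" pos "\t" $0 }
    ' "$1"
}

# The CA as the article defines it: the first trusted certificate above the end-user
# certificate, i.e. Certificate[2] of the chain stored under alias $2 in listing $1.
ca_fingerprint() {
    fingerprints_from_listing "$1" | awk -F '\t' -v a="$2" '$1 == a && $2 == 2 { print $3 }'
}

# Exit 0 when truststore listing $1 holds a certificate with SHA-256 fingerprint $2.
truststore_has() {
    fingerprints_from_listing "$1" | awk -F '\t' -v fp="$2" '$3 == fp { ok = 1 } END { exit !ok }'
}

# Third condition: every certificate in listing $1 (truststoreSSO.jks) must be present in
# truststore listing $2. Prints the missing ones and returns 1 if any is missing.
all_present_in() {
    missing=$(fingerprints_from_listing "$1" | while IFS="$(printf '\t')" read -r alias pos fp; do
        truststore_has "$2" "$fp" || printf 'MISSING %s[%s] %s\n' "$alias" "$pos" "$fp"
    done)
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Constructed, abridged keytool -v listings: a Sentinel keystore with a two-certificate
# chain, and a CG truststore holding only the issuing CA.
sample_sentinel_keystore() { printf '%s\n' 'Alias name: sentinel' 'Entry type: PrivateKeyEntry' \
    'Certificate chain length: 2' 'Certificate[1]:' 'Owner: CN=sentinel.example.test' \
    'Certificate fingerprints:' ' SHA256: 11:11:11:11' 'Certificate[2]:' \
    'Owner: CN=Example Internal CA' 'Certificate fingerprints:' ' SHA256: CA:FE:CA:FE'; }
sample_cg_truststore() { printf '%s\n' 'Alias name: sentinel_ca' 'Entry type: trustedCertEntry' \
    'Owner: CN=Example Internal CA' 'Certificate fingerprints:' ' SHA256: CA:FE:CA:FE'; }

demo() {  # first condition: does the CG truststore contain the CA used by Sentinel?
    dir=$(mktemp -d) && sample_sentinel_keystore > "$dir/ks.txt" && sample_cg_truststore > "$dir/ts.txt"
    fp=$(ca_fingerprint "$dir/ks.txt" sentinel)
    if truststore_has "$dir/ts.txt" "$fp"; then echo "OK: CG trusts Sentinel CA $fp"; else echo "FAIL: $fp not in CG truststore"; fi
    rm -rf "$dir"
}
```

Run the same functions against real listings of the CG truststore, the Sentinel truststore and truststoreSSO.jks to check the second and third conditions.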

3. Update Sentinel truststore

The Sentinel truststore is used for the SSO connection from CG to Sentinel.

First, check the contents of the Sentinel truststore by executing the following command on Sentinel:

keytool -v -list -keystore <path to Sentinel truststore>

Import the public part of the Passport CA into the Sentinel truststore as follows:

Step 1: Retrieve the public part of the Passport CA

For Sentinel lower than SP15 Patch 3

Export the public part of the Passport CA from CG by executing the following command on CG:

keytool -export -alias passportsso -file Passport_CA.cer -keystore <path to CG sso.jks>

For Sentinel SP15 Patch 3 and higher

Export the public part of the Passport CA from Sentinel by executing the following command on Sentinel. You will then be prompted for the truststoreSSO.jks password.

keytool -export -alias passport -file Passport_CA.cer -keystore <path to Sentinel truststoreSSO.jks>

In this command:

    • passport is the alias of the Passport CA in truststoreSSO.jks
    • Passport_CA.cer is the file to which the public part of the Passport CA certificate is exported

Step 2: Import the public part of the Passport CA into the Sentinel truststore

For Sentinel lower than SP15 Patch 3

Execute the following command on Sentinel:

keytool -import -file Passport_CA.cer -alias Passport_CA_new -keystore <path to Sentinel truststore jks>

and then provide the truststore.jks password.


For Sentinel SP15 Patch 3 and higher

Execute the following command on Sentinel:

keytool -importkeystore -srckeystore <path to truststoreSSO.jks> -destkeystore <path to Sentinel truststore jks>

and then provide the truststoreSSO.jks and Sentinel truststore passwords.


Step 3: Restart Sentinel for the update to take effect

If Sentinel does not start (SP15 Patch 3 and higher), remove <Sentinel dir>/conf/security/PAMKeystore.jks.