KB Article #181851

How to verify the expiration date for TSIM / Secure Relay Router Agent certificates


Problem:

How can we verify the exact expiration date for these certificates in TSIM or Secure Relay Router Agent?


Resolution:

In order to secure the connection between the Master Agent and the Router Agent, three certificates are used:

  • One user certificate for the Router Agent in PKCS#12 format
  • One user certificate for the Master Agent in PKCS#12 format
  • A Certificate Authority (CA) certificate that signed the two user certificates above. It is stored in PEM format and is needed on both the Router Agent and the Master Agent

  • On TSIM


A) There can be two Secure Relay components (AS and IS); verify the location of the currently used certificates for each of them as instructed below.

Note!! The paths are very likely the same for the AS and the IS, but it is better to verify both.


  1. For the AS Secure Relay component, check whether a master agent is configured in $ACTISEDI/internet/server/classes/SecureRelayApplication.xml. If it is, the certificateKey tag and the caCert tag give the paths to the currently used certificates.
    The same information can be checked in the GUI under Configuration > Base Data > Parameter Tables > SecureRelayApplication.xml for edislave

    e.g.
    <SecureRelayConfiguration>
    <masterAgent>
    <certificateKey>internet/server/classes/SecureRelayMasterAgent.p12</certificateKey>
    <caCert>internet/server/classes/SecureRelayCA.pem</caCert>
    <passKey>test</passKey>
    </masterAgent>

    Note!! If the path is not absolute, it is relative to $ACTISEDI. In the above example, internet/server/classes/SecureRelayMasterAgent.p12 refers to $ACTISEDI/internet/server/classes/SecureRelayMasterAgent.p12

  2. For the IS Secure Relay component, check whether a master agent is configured in $ACTISEDI/is/instances/is0/config/sr/SecureRelayApplication.xml. If it is, the certificateKey tag and the caCert tag give the paths to the currently used certificates.
    The same information can be checked in the GUI under Configuration > Base Data > Parameter Tables > SecureRelayApplication.xml for n0is0

    e.g.
    <masterAgent>
    <certificateKey>internet/server/classes/SecureRelayMasterAgent.p12</certificateKey>
    <caCert>internet/server/classes/SecureRelayCA.pem</caCert>
    <passKey>test</passKey>
    </masterAgent>

    Note!! In this example the two certificate paths are the same as for the AS, so the two components use the same certificates
    Note2!! In this example the Secure Relay application was running only on n0is0; perform the above check for every instance where the Secure Relay application is running

B) Using the paths found above, verify the validity of the certificates with openssl.
Based on the examples above, the CLI commands are the following (note that the command differs with the certificate format, PKCS#12 or PEM):

openssl pkcs12 -in $ACTISEDI/internet/server/classes/SecureRelayMasterAgent.p12 -nokeys | openssl x509 -noout -enddate
Enter Import Password:
MAC verified OK
notAfter=Nov  3 23:59:59 2021 GMT


Note!! The pkcs12 command prompts for the password that protects the PKCS#12 file (the passKey value from the configuration); in this example the password was "test"

openssl x509 -in $ACTISEDI/internet/server/classes/SecureRelayCA.pem -noout -enddate
notAfter=Nov  3 23:59:59 2021 GMT


  • On Secure Relay Router Agent


A) Verify the location of the currently used certificates by looking in <SR_installation_directory>/conf/configuration.xml for the CACertificate tag and the UserCertificate tag

e.g.
<CACertificate>/home/editst/Axway/certs/SecureRelayCA.pem</CACertificate>
<UserCertificate>/home/editst/Axway/certs/SecureRelayRouterAgent.p12</UserCertificate>
<PasswordFile>/home/editst/Axway/certs/XsrPwd.dat</PasswordFile>

B) Using the paths found above, verify the validity of the certificates with openssl.
Based on the examples above, the CLI commands are the following (note that the command differs with the certificate format, PKCS#12 or PEM):

openssl pkcs12 -in /home/editst/Axway/certs/SecureRelayRouterAgent.p12 -nokeys | openssl x509 -noout -enddate
Enter Import Password:
MAC verified OK
notAfter=Nov  3 23:59:59 2021 GMT


Note!! The pkcs12 command prompts for the password that protects the PKCS#12 file; in this example the password was "test"

openssl x509 -in /home/editst/Axway/certs/SecureRelayCA.pem -noout -enddate
notAfter=Nov  3 23:59:59 2021 GMT
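The two steps above (find the certificate paths in the configuration file, then run openssl on each file) can be combined into one repeatable check. The script below is an added example, not Axway's own tooling: it reads the certificate tags from either a TSIM SecureRelayApplication.xml or a Router Agent configuration.xml, resolves relative TSIM paths against $ACTISEDI, prints each notAfter date, and warns when a certificate expires within a chosen number of days. It assumes openssl is on PATH and, as an assumed convention, takes the PKCS#12 password from the SR_P12_PASS environment variable instead of the interactive prompt (the format of the Router Agent's PasswordFile is not described here, so it is not read).

```shell
#!/bin/sh
# Added example, not Axway's code: check the expiry of every Secure Relay
# certificate referenced by a SecureRelayApplication.xml (TSIM) or a
# Router Agent configuration.xml, using the same openssl commands as above.
# Assumptions: openssl is on PATH; $ACTISEDI is set when the TSIM paths are
# relative; the PKCS#12 password is supplied in SR_P12_PASS (assumed
# variable; the article itself types it at the openssl prompt).

# Print the text of the first <tag>...</tag> in the file (empty if absent).
xml_tag() {
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# TSIM convention: a path that is not absolute is relative to $ACTISEDI.
resolve_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "${ACTISEDI:?ACTISEDI must be set for relative paths}" "$1" ;;
    esac
}

# Write the certificate as PEM to stdout: PKCS#12 files are unpacked with
# -nokeys (and -clcerts, so only the user certificate is emitted, not the
# CA chain that may be bundled); PEM files pass through unchanged.
cert_pem() {
    case "$1" in
        *.p12|*.pfx) openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:${SR_P12_PASS:-}" 2>/dev/null ;;
        *)           cat "$1" ;;
    esac
}

# Print "<file>: notAfter=..." and return 1 if the certificate expires within
# $2 days (openssl x509 -checkend does the date arithmetic), 2 if unreadable.
check_cert() {
    pem=$(cert_pem "$1") || return 2
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 2
    printf '%s: %s\n' "$1" "$end"
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 0
    fi
    printf 'WARNING: %s expires within %s days\n' "$1" "$2"
    return 1
}

# Check every certificate tag the two configuration files can contain
# (TSIM: certificateKey/caCert; Router Agent: UserCertificate/CACertificate).
# Returns 1 if any certificate is unreadable or expires within the window.
check_config() {
    cfg=$1; warn=${2:-30}; status=0
    for tag in certificateKey caCert UserCertificate CACertificate; do
        p=$(xml_tag "$cfg" "$tag")
        [ -n "$p" ] || continue
        check_cert "$(resolve_path "$p")" "$warn" || status=1
    done
    return "$status"
}

# Usage: sh check_sr_certs.sh <config.xml> [warn-days]
[ $# -gt 0 ] && check_config "$@"
```

Run it once per configuration file, for example sh check_sr_certs.sh $ACTISEDI/internet/server/classes/SecureRelayApplication.xml 30, then again for each IS instance and for the Router Agent's conf/configuration.xml. The non-zero exit status makes it suitable for cron or a monitoring check, and openssl x509 -checkend avoids parsing the notAfter string by hand.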


========================

See the following knowledge article, which describes how to generate and replace the certificates:

https://support.axway.com/kb/181853/language/en