KB Article #181853

How to generate and replace TSIM / Secure Relay Router Agent certificates

Problem

How to replace TSIM / Secure Relay Router Agent certificates

Resolution

1. Prepare the new certificates

In order to secure the connection between the Master Agent and Router Agent, 3 certificates are needed:

  • One user certificate for the Router Agent in PKCS#12 format
  • One user certificate for the Master Agent in PKCS#12 format
  • A Certificate Authority certificate that signed the two user certificates above. It should be stored in PEM format and is needed on both the Router Agent and the Master Agent


In the past, sample certificates were provided by the Secure Relay team; in the latest releases this is no longer the case.


Customers therefore need to generate their own replacement certificates when the existing ones have to be replaced.

For a detailed description of each certificate as well as examples on how to correctly generate these certificates, please check the "Certificates" section from the Secure Relay Router Agent 2.7.4 Installation Guide, available here



2. Replace the certificates in the Secure Relay Router Agent

a) Locate the existing certificates and password file by looking in <SR_installation_directory>/conf/configuration.xml

i.e.: sed -n '/CACertificate/,/PasswordFile/p' /home/editst/Axway/SecureRelayRA/conf/configuration.xml
<CACertificate>/home/editst/Axway/certs/SecureRelayCA.pem</CACertificate>
<UserCertificate>/home/editst/Axway/certs/SecureRelayRouterAgent.p12</UserCertificate>
<PasswordFile>/home/editst/Axway/certs/XsrPwd.dat</PasswordFile>


b) Upload the CA certificate and the Router Agent certificate to the Secure Relay Router Agent host; for simplicity they can be placed in the same location as the existing certificates

i.e.: ls -l /home/editst/Axway/certs/
total 36
-rw-r--r--. 1 editst tsim 1330 Oct 14 14:22 ca_certificate.pem
-rw-r--r--. 1 editst tsim 2541 Oct 14 14:22 ra_certificate.p12
-rw-r--r--. 1 editst tsim 1363 Feb 22 2018 SecureRelayCA.pem
-rw-r--r--. 1 editst tsim 2650 Feb 22 2018 SecureRelayMasterAgent.p12
-rw-r--r--. 1 editst tsim 2650 Feb 22 2018 SecureRelayRouterAgent.p12
-rw-r--r--. 1 editst tsim 32 May 9 2018 sr.key
-rw-r--r--. 1 editst tsim 32 May 9 2018 sr.salt
-rw-r--r--. 1 editst tsim 54 May 9 2018 XsrPwd.dat


ca_certificate.pem – the new Certificate Authority certificate (PEM format), needed on both the Master Agent and the Router Agent
ra_certificate.p12 – the new Router Agent user certificate (password used in this example: Axway)


c) Update the configuration file and verify the new certificates are referenced

i.e.: sed -n '/CACertificate/,/PasswordFile/p' /home/editst/Axway/SecureRelayRA/conf/configuration.xml
<CACertificate>/home/editst/Axway/certs/ca_certificate.pem</CACertificate>
<UserCertificate>/home/editst/Axway/certs/ra_certificate.p12</UserCertificate>
<PasswordFile>/home/editst/Axway/certs/XsrPwd.dat</PasswordFile>


d) If the password for the new certificates is different from the password of the old certificates, generate a new encrypted password file as follows (the commands are run from the certificates directory referenced by PasswordFile)

- make a backup of existing password file

i.e.: mv XsrPwd.dat old_XsrPwd.dat

- create a temporary file containing the new password in clear text

i.e.: echo Axway > newpass

- execute the <SR_installation_directory>/bin/SRencryptPwd.sh script to generate the new password file

i.e.: /home/editst/Axway/SecureRelayRA/bin/SRencryptPwd.sh newpass XsrPwd.dat
Encrypting password file
Encrypting password from newpass to XsrPwd.dat
Encryption successful

- remove the temporary file containing the new password in clear text

i.e.: rm newpass


e) Restart the Secure Relay Router Agent using the <SR_installation_directory>/bin/stopSR.sh and <SR_installation_directory>/bin/startSR.sh scripts
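Steps a) to e) above as one POSIX shell script, added here as an example; it is not an Axway-supplied tool. It assumes the element names shown in configuration.xml above (CACertificate, UserCertificate, PasswordFile), the scripts named in this article under <SR_installation_directory>/bin, and that the new paths contain neither '#' nor '&'. The function names update_ra_cert_paths, regenerate_pwd_file, harden_cert_perms and restart_ra are hypothetical. Compared with the manual steps it keeps a backup of the configuration, reads the clear-text password from stdin so it never appears on a command line or in shell history, and writes it only to a mode-600 temporary file that is removed afterwards.

```shell
#!/bin/sh
# Added example: scripted form of steps 2a-2e for the Router Agent.
# Element names, script names and directory layout are taken from this
# article; nothing here is part of the Secure Relay product itself.

# Point configuration.xml at the new CA and Router Agent certificate, keeping a
# timestamped backup, and confirm the rewrite took effect before restarting.
# Usage: update_ra_cert_paths <configuration.xml> <new_ca.pem> <new_user.p12>
update_ra_cert_paths() {
    cfg="$1"; ca="$2"; p12="$3"
    for f in "$cfg" "$ca" "$p12"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    cp -p "$cfg" "$cfg.$(date +%Y%m%d%H%M%S).bak" || return 1
    # '#' is the sed delimiter, so the new paths may contain '/' but not '#' or '&'.
    sed -e "s#<CACertificate>[^<]*</CACertificate>#<CACertificate>$ca</CACertificate>#" \
        -e "s#<UserCertificate>[^<]*</UserCertificate>#<UserCertificate>$p12</UserCertificate>#" \
        "$cfg" > "$cfg.tmp" || return 1
    # cp onto the existing file keeps its owner and mode; mv would replace them.
    cp "$cfg.tmp" "$cfg" && rm -f "$cfg.tmp" || return 1
    grep -q "<CACertificate>$ca</CACertificate>" "$cfg" &&
        grep -q "<UserCertificate>$p12</UserCertificate>" "$cfg"
}

# Rebuild XsrPwd.dat from a password read on stdin. The clear text is written
# only to a mode-600 temporary file, which is deleted once SRencryptPwd.sh
# has produced the encrypted file. The old file is kept as old_XsrPwd.dat.
# Usage: printf '%s\n' "$password" | regenerate_pwd_file <SR_installation_directory> <certs_dir>
regenerate_pwd_file() (
    sr="$1"; certs="$2"
    IFS= read -r pw || return 1
    umask 077                 # subshell body: the umask change stays local
    [ -f "$certs/XsrPwd.dat" ] && cp -p "$certs/XsrPwd.dat" "$certs/old_XsrPwd.dat"
    tmp=$(mktemp "$certs/newpass.XXXXXX") || return 1
    printf '%s\n' "$pw" > "$tmp"
    "$sr/bin/SRencryptPwd.sh" "$tmp" "$certs/XsrPwd.dat"; rc=$?
    rm -f "$tmp"
    return $rc
)

# The listing in step b) shows the .p12 bundles and XsrPwd.dat as mode 644;
# they hold private key material and a password, so restrict them.
# Usage: harden_cert_perms <certs_dir>
harden_cert_perms() {
    chmod 600 "$1"/*.p12 "$1"/XsrPwd.dat
}

# Restart the Router Agent so it reloads the certificates and password file.
# Usage: restart_ra <SR_installation_directory>
restart_ra() {
    "$1/bin/stopSR.sh" && "$1/bin/startSR.sh"
}
```

Typical sequence on the Router Agent host: update_ra_cert_paths on conf/configuration.xml, regenerate_pwd_file only if the password changed, harden_cert_perms on the certificates directory, then restart_ra. If anything fails, the .bak copy of configuration.xml and old_XsrPwd.dat restore the previous state.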



3. Replace the certificates in TSIM

a) Locate the existing certificates: in the TSIM GUI under Configuration > Base Data > Parameter Tables, check the SecureRelayApplication.xml configuration files for AS and IS

i.e.: in our installation both SecureRelayApplication.xml files (for AS and IS) are referencing the same certificate
<SecureRelayConfiguration>
<masterAgent>
<certificateKey>internet/server/classes/SecureRelayMasterAgent.p12</certificateKey>
<caCert>internet/server/classes/SecureRelayCA.pem</caCert>
<passKey>test</passKey>
</masterAgent>


b) Upload the CA certificate and the Master Agent certificate to the TSIM host; for simplicity they can be placed in the same location as the existing certificates

i.e.: ls -ltr $ACTISEDI/internet/server/classes/ | grep -E "pem|p12"
-rwxrwxr-x. 1 tsim tsim 1363 Jan 7 2021 SecureRelayCA.pem
-rwxrwxr-x. 1 tsim tsim 2650 Jan 7 2021 SecureRelayMasterAgent.p12
-rw-rw-r-- 1 tsim tsim 1330 Oct 14 14:37 ca_certificate.pem
-rw-rw-r-- 1 tsim tsim 2541 Oct 14 14:37 ma_certificate.p12

ca_certificate.pem – the new Certificate Authority certificate (PEM format), needed on both the Master Agent and the Router Agent
ma_certificate.p12 – the new Master Agent user certificate (password used in this example: Axway)


c) Update the configuration files: in the TSIM GUI under Configuration > Base Data > Parameter Tables, update the SecureRelayApplication.xml configuration files for AS and IS so that certificateKey, caCert and passKey reference the new certificates and their password, then activate the changes. Note that passKey holds the PKCS#12 password in clear text, so access to these parameter tables should be restricted accordingly.

i.e.:

<SecureRelayConfiguration>
<masterAgent>
<certificateKey>internet/server/classes/ma_certificate.p12</certificateKey>
<caCert>internet/server/classes/ca_certificate.pem</caCert>
<passKey>Axway</passKey>
</masterAgent>