KB Article #181859

Replace the old sample certificates in Gateway and SecureRelay RA

Problem

How to replace the old sample certificates in Gateway and XSR RA, which expire on November 4th 2021


Old sample certificates:

SecureRelayCA.pem

SecureRelayMasterAgent.p12

SecureRelayRouterAgent.p12

p12 files' password: test


Resolution

* For more details about how to create your own certificates, check this KB: https://support.axway.com/kb/181213/language/en


** If the newly created certificates have the SAME NAME and the SAME PASSWORD AS THE SAMPLE CERTIFICATES, consult this KB: https://support.axway.com/kb/181857/language/en


Steps to change the certificates in SecureRelay RA and Gateway


Example with new certificates:

SR_CA_2021.crt (contains the ROOT certificate)

SR_Router_2021.p12 (contains the USER certificate of RA + its associated private key)

SR_Master_2021.p12 (contains the USER certificate of MA + its associated private key)

p12 files' password: Axway@2021!


A) Router Agent side:

- open a console or cmd, go to \SecureRelay\bin\ directory

- launch the profile: profile.bat or profile.sh (win or unix)

- stop Secure Relay RA

- open configuration.xml file from \SecureRelayRA\conf\

- check the path in the <PasswordFile> parameter, go to that path and rename the file to back it up

Ex:

<PasswordFile>C:\axway\271xsr\XsrPwd.dat</PasswordFile>

Rename XsrPwd.dat to XsrPwd.dat_old2021 in C:\axway\271xsr\


- in the configuration.xml file, replace the paths and file names so that they correspond to the new certificates:

<CACertificate>PATH-to-ROOT-CERT</CACertificate>

<UserCertificate>PATH-to-RA-p12-CERT</UserCertificate>


- encrypt the new password Axway@2021! of the SR_Master_2021.p12 certificate into the XsrPwd.dat file:

SRencryptPwd.bat C:\Axway\passwordCERT.txt C:\axway\271xsr\XsrPwd.dat

Where:

C:\Axway\passwordCERT.txt contains the password Axway@2021!

C:\axway\271xsr\XsrPwd.dat will be the new file containing the encrypted password.


- in configuration.xml file, replace the path to the new XsrPwd.dat file:

<PasswordFile>PATH-to-XsrPwd.dat-file</PasswordFile>


- start SecureRelay RA
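
A check that can be run on the Router Agent's configuration.xml after the edits in part A and before the restart. It is an added example, not part of the original article or of the product. It reports any of the three elements that is missing, empty, still named like an old sample certificate, or pointing at a file that does not exist. The function name, the root element of the sample and the assumption that the file uses no XML namespace are illustrative.

```python
import ntpath
import os
import xml.etree.ElementTree as ET

# Element names and old sample file names are taken from the article.
PATH_ELEMENTS = ("CACertificate", "UserCertificate", "PasswordFile")
OLD_SAMPLES = {"securerelayca.pem", "securerelaymasteragent.p12",
               "securerelayrouteragent.p12"}


def check_ra_config(xml_text, exists=os.path.exists):
    """Return a list of (element, problem) findings for configuration.xml.

    Elements are searched anywhere in the tree because the article does not
    show the nesting of the real file (assumption: no XML namespace).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for tag in PATH_ELEMENTS:
        nodes = list(root.iter(tag))
        if not nodes:
            findings.append((tag, "element not found"))
            continue
        for node in nodes:
            path = (node.text or "").strip()
            if not path:
                findings.append((tag, "empty path"))
            elif ntpath.basename(path).lower() in OLD_SAMPLES:
                # ntpath splits on both \ and /, so this works on any OS.
                findings.append((tag, "still points at an old sample certificate"))
            elif not exists(path):
                findings.append((tag, "file does not exist: " + path))
    return findings


# Constructed sample: root element name and certs directory are made up.
SAMPLE = r"""<Configuration>
  <CACertificate>C:\axway\271xsr\certs\SR_CA_2021.crt</CACertificate>
  <UserCertificate>C:\axway\271xsr\certs\SecureRelayRouterAgent.p12</UserCertificate>
  <PasswordFile>C:\axway\271xsr\XsrPwd.dat</PasswordFile>
</Configuration>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for tag, problem in check_ra_config(text):
        print(f"{tag}: {problem}")
```

Run it with the path to configuration.xml as the only argument; no output means all three paths resolve and none uses an old sample file name.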



B) Gateway side:

- change the certificates used in SecureRelay RA configuration:

from GUI:

Navigator -> Configure -> Connectivity -> Secure Relay -> Master Agent -> Certificate file (p12) + CA Certificate file (root)


from CONSOLE (adjust the paths in the commands to match your environment):

stop Gateway

peluconf standalone set -s xsr ca_cert_file C:\axway\gtw6173\Gateway\run_time\xsr\SR_CA_2021.crt

peluconf standalone set -s xsr master_cert_file C:\axway\gtw6173\Gateway\run_time\xsr\SecureRelayMasterAgent.p12


- check the current location of salt, dk and xsrpwd files:

peluconf standalone get -s xsr | findstr master_cert_password_dkfile

peluconf standalone get -s xsr | findstr master_cert_password_saltfile

peluconf standalone get -s xsr | findstr master_cert_password_datafile

Locate all 3 files and rename them (ex. xsrdkfile.dat to xsrdkfile.dat_old2021).


- use the "pelencpass encrypt_pass" command to generate the 3 new files to encrypt SR_Master_2021.p12’s password:

pelencpass encrypt_pass -encis random -encpwd Axway@2021! -saltf %p_xsr_dir%/xsrsaltfile.dat -dkf %p_xsr_dir%/xsrdkfile.dat -encf %p_xsr_dir%/xsrpwd.dat


- check that the names and paths of these 3 new .dat files correspond to what exists in the GTW configuration:

peluconf standalone get -s xsr | findstr master_cert_password_dkfile

peluconf standalone get -s xsr | findstr master_cert_password_saltfile

peluconf standalone get -s xsr | findstr master_cert_password_datafile


- if the path and/or names are different, update Gateway’s configuration:

peluconf standalone set -s xsr master_cert_password_dkfile %p_xsr_dir%/xsrdkfile.dat

peluconf standalone set -s xsr master_cert_password_saltfile %p_xsr_dir%/xsrsaltfile.dat

peluconf standalone set -s xsr master_cert_password_datafile %p_xsr_dir%/xsrpwd.dat


- rebuild the configuration and start Gateway:

peluconf standalone rebuild -f

gatestart