KB Article #181859
Replace the old sample certificates in Gateway and SecureRelay RA
Problem
How to replace, in Gateway and XSR RA, the old sample certificates, which expire on November 4th 2021
Old sample certificates:
SecureRelayCA.pem
SecureRelayMasterAgent.p12
SecureRelayRouterAgent.p12
p12 files' password: test
Resolution
* For more details about how to create your own certificates, check this KB: https://support.axway.com/kb/181213/language/en
** If the newly created certificates have the SAME NAME and the SAME PASSWORD AS THE SAMPLE CERTIFICATES, consult this KB: https://support.axway.com/kb/181857/language/en
Steps to change the certificates in SecureRelay RA and Gateway
Example with new certificates:
SR_CA_2021.crt (contains the ROOT certificate)
SR_Router_2021.p12 (contains the USER certificate of RA + its associated private key)
SR_Master_2021.p12 (contains the USER certificate of MA + its associated private key)
p12 files' password: Axway@2021!
A) Router Agent side:
- open a console or cmd, go to \SecureRelay\bin\ directory
- launch the profile: profile.bat or profile.sh (win or unix)
- stop Secure Relay RA
- open configuration.xml file from \SecureRelayRA\conf\
- check the path in the <PasswordFile> parameter, go to that path and rename the file in order to back it up
Ex:
<PasswordFile>C:\axway\271xsr\XsrPwd.dat</PasswordFile>
Rename XsrPwd.dat to XsrPwd.dat_old2021 in C:\axway\271xsr\
- in the configuration.xml file, replace the paths and names so they correspond to the new certificates:
<CACertificate>PATH-to-ROOT-CERT</CACertificate>
<UserCertificate>PATH-to-RA-p12-CERT</UserCertificate>
- encrypt the new password Axway@2021! of the SR_Master_2021.p12 certificate into the XsrPwd.dat file:
SRencryptPwd.bat C:\Axway\passwordCERT.txt C:\axway\271xsr\XsrPwd.dat
Where:
C:\Axway\passwordCERT.txt contains the password Axway@2021!
C:\axway\271xsr\XsrPwd.dat will be the new file containing the encrypted password.
- in configuration.xml file, replace the path to the new XsrPwd.dat file:
<PasswordFile>PATH-to-XsrPwd.dat-file</PasswordFile>
- start SecureRelay RA
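A pre-start check for the Router Agent steps above, as an added example that is not part of the original article or of Axway's tooling: it reads configuration.xml and reports any of the three edited elements that is missing, empty, still names one of the old sample files, or points to a file that does not exist. The root element name and the certificate paths in the sample are constructed, and the check assumes the new files have different names from the samples, as in this article's example.

```python
import os
import xml.etree.ElementTree as ET

# File names of the expiring sample certificates listed in this article.
OLD_SAMPLES = {"SecureRelayCA.pem", "SecureRelayMasterAgent.p12",
               "SecureRelayRouterAgent.p12"}
# Elements of configuration.xml that this article edits.
TAGS = ("CACertificate", "UserCertificate", "PasswordFile")


def basename(path):
    """Last path component, accepting both Windows and Unix separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def check_ra_config(xml_text, exists=os.path.exists):
    """Return a list of problems found in the RA configuration.xml text."""
    root = ET.fromstring(xml_text)
    problems = []
    for tag in TAGS:
        nodes = list(root.iter(tag))  # iter() finds the tag at any depth
        if not nodes:
            problems.append(f"<{tag}> is missing")
        for node in nodes:
            path = (node.text or "").strip()
            if not path:
                problems.append(f"<{tag}> is empty")
            elif basename(path) in OLD_SAMPLES:
                problems.append(
                    f"<{tag}> still points to sample file {basename(path)}")
            elif not exists(path):
                problems.append(f"<{tag}> file not found: {path}")
    return problems


# Constructed sample: the root element name and the paths are assumptions.
SAMPLE = r"""<Configuration>
  <CACertificate>C:\axway\271xsr\SR_CA_2021.crt</CACertificate>
  <UserCertificate>C:\axway\271xsr\SecureRelayRouterAgent.p12</UserCertificate>
  <PasswordFile>C:\axway\271xsr\XsrPwd.dat</PasswordFile>
</Configuration>"""

if __name__ == "__main__":
    # exists is stubbed so the constructed sample runs on any machine.
    for problem in check_ra_config(SAMPLE, exists=lambda p: True):
        print(problem)
```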
B) Gateway side:
- change the certificates used in SecureRelay RA configuration:
from GUI:
Navigator -> Configure -> Connectivity -> Secure Relay -> Master Agent -> Certificate file (p12) + CA Certificate file (root)
from CONSOLE (adjust the paths in the commands to match your environment):
stop Gateway
peluconf standalone set -s xsr ca_cert_file C:\axway\gtw6173\Gateway\run_time\xsr\SR_CA_2021.crt
peluconf standalone set -s xsr master_cert_file C:\axway\gtw6173\Gateway\run_time\xsr\SR_Master_2021.p12
- check the current location of salt, dk and xsrpwd files:
peluconf standalone get -s xsr | findstr master_cert_password_dkfile
peluconf standalone get -s xsr | findstr master_cert_password_saltfile
peluconf standalone get -s xsr | findstr master_cert_password_datafile
Locate all 3 files and rename them (ex. xsrdkfile.dat to xsrdkfile.dat_old2021).
- use the "pelencpass encrypt_pass" command to generate the 3 new files to encrypt SR_Master_2021.p12’s password:
pelencpass encrypt_pass -encis random -encpwd Axway@2021! -saltf %p_xsr_dir%/xsrsaltfile.dat -dkf %p_xsr_dir%/xsrdkfile.dat -encf %p_xsr_dir%/xsrpwd.dat
- check whether the names and paths of these 3 new .dat files correspond to what exists in the GTW configuration:
peluconf standalone get -s xsr | findstr master_cert_password_dkfile
peluconf standalone get -s xsr | findstr master_cert_password_saltfile
peluconf standalone get -s xsr | findstr master_cert_password_datafile
- if the path and/or names are different, update Gateway’s configuration:
peluconf standalone set -s xsr master_cert_password_dkfile %p_xsr_dir%/xsrdkfile.dat
peluconf standalone set -s xsr master_cert_password_saltfile %p_xsr_dir%/xsrsaltfile.dat
peluconf standalone set -s xsr master_cert_password_datafile %p_xsr_dir%/xsrpwd.dat
- rebuild the configuration and start Gateway:
peluconf standalone rebuild -f
gatestart