KB Article #181861

How to change CFT Master Agent and Router Agent (XSR) certificates

Problem

Sample certificates for Secure Relay will expire starting on 4 November 2021.


Prerequisites

  • Check whether Secure Relay is enabled (uconf parameter secure_relay.enable).

  • Verify the certificates' expiration dates (example openssl commands; "test" is the sample P12 password, and the Not After line of the output gives the expiry date):

openssl x509 -in SecureRelayCA.pem -noout -text

openssl pkcs12 -in SecureRelayMasterAgent.p12 -nokeys -passin pass:"test" | openssl x509 -noout -enddate

openssl pkcs12 -in SecureRelayRouterAgent.p12 -nokeys -passin pass:"test" | openssl x509 -noout -enddate

  • Generate new certificates:

https://support.axway.com/kb/181213/language/en
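As an added example (not from the Axway article), the expiry checks above wrapped in a POSIX shell script: it applies the same openssl extraction to each file and flags any certificate that expires within a chosen number of days. It assumes openssl is on PATH and takes the file names and the "test" P12 password from the article's samples.

```shell
#!/bin/sh
# Added example, not part of the Axway article: report whether the Secure Relay
# certificate files listed above expire within a given number of days.
# Assumes the openssl CLI is on PATH; file names and the "test" P12 password
# are the article's sample values.

# cert_expires_within FILE DAYS [P12_PASSWORD]
# Exit 0: still valid DAYS days from now. Exit 1: expires (or expired) within
# that window. Exit 2: file unreadable, wrong format or wrong P12 password.
cert_expires_within() {
    file=$1; days=$2; pass=${3:-test}
    seconds=$((days * 86400))
    case "$file" in
        *.p12|*.pfx)
            # Same extraction as the article's command: certificate only, no key
            pem=$(openssl pkcs12 -in "$file" -nokeys -passin "pass:$pass" 2>/dev/null) || return 2 ;;
        *.der)
            pem=$(openssl x509 -in "$file" -inform DER 2>/dev/null) || return 2 ;;
        *)
            pem=$(cat "$file" 2>/dev/null) || return 2 ;;
    esac
    # Reject anything that is not a parseable certificate before judging expiry
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 2
    printf '%s: %s\n' "$file" "$enddate"
    # -checkend exits 0 when the cert is still valid SECONDS from now, 1 otherwise
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$seconds" >/dev/null 2>&1
}

# check_secure_relay_certs [DAYS] [FILE...]
# Checks the article's three sample files (or the files given) and returns 1
# if any of them must be renewed within DAYS days (default 30).
check_secure_relay_certs() {
    days=${1:-30}
    if [ $# -gt 0 ]; then shift; fi
    [ $# -gt 0 ] || set -- SecureRelayCA.pem SecureRelayMasterAgent.p12 SecureRelayRouterAgent.p12
    rc=0
    for f in "$@"; do
        if cert_expires_within "$f" "$days"; then
            echo "$f: OK"
        elif [ $? -eq 1 ]; then
            echo "$f: RENEW (expires within $days days)"; rc=1
        else
            echo "$f: ERROR (unreadable, or wrong password)"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check_xsr_certs.sh 30   (run in the directory holding the files)
if [ $# -gt 0 ]; then check_secure_relay_certs "$@"; fi
```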


Resolution


NOTE: All products must be stopped before the change and restarted afterwards.


Under CFT - Secure Relay MA

1. Check the location and name of the previous certificates and encryption file

Uconf parameters:

secure_relay.ma.ca_cert_fname

secure_relay.ma.cert_fname

secure_relay.ma.cert_password_fname

1.1 Interface

- Copilot Java

or

- CFT UI (REST API): General Configuration - Unified configuration

1.2 Command line

cftutil listuconf id=secure_relay.ma.ca_cert_fname

cftutil listuconf id=secure_relay.ma.cert_fname

cftutil listuconf id=secure_relay.ma.cert_password_fname


2. Replace certificates

2.1 Certificate name

Based on the location identified in step 1:

2.1.1 Keep the same names

- Rename SecureRelayCA.pem to SecureRelayCA.pem.bak

- Rename SecureRelayMasterAgent.p12 to SecureRelayMasterAgent.p12.bak

- Paste the new certificates in the same path

2.1.2 New names

- Paste the certificates (same path or a different one)

- Update the uconf parameters (path and file name)

2.2 Private key / P12 certificate password

2.2.1 Keep the same password (“test” in lowercase)

No other action needed

2.2.2 New password

https://support.axway.com/en/articles/article-details/id/181631/do/search

Check the secure_relay.ma.cert_password_fname parameter: the file it points to (typically XsrPwd.dat) must be deleted or renamed before CFT is started.


Under Secure Relay RA / XSR

1. Check the location and name of the previous certificates and encryption files

Go to <SecureRelayRAInstallationDirectory>/conf/configuration.xml and look at the following elements:

<CACertificate>CA_for_RA.der</CACertificate>

<UserCertificate>USER_for_RA.p12</UserCertificate>

<PasswordFile>XsrPwd.dat</PasswordFile>   (XsrPwd.dat is the default value)


2. Replace certificates

2.1 Certificate name

Based on the location identified in step 1:

2.1.1 Keep the same names

- Rename SecureRelayCA.pem to SecureRelayCA.pem.bak

- Rename SecureRelayRouterAgent.p12 to SecureRelayRouterAgent.p12.bak

- Paste the new certificates in the same path

2.1.2 New names

- Paste the certificates (same path or a different one)

- Update the configuration parameters (path and file name)

2.2 Private key / P12 certificate password

2.2.1 Keep the same password (“test” in lowercase)

No other action needed

2.2.2 New password

Regenerate the password file as follows:

- Write the new password into a text file (for example pwd.txt)

- Rename the existing XsrPwd.dat to XsrPwd.dat.bak

- Run <SecureRelayRAInstallationDirectory>/bin/SRencryptPwd pwd.txt XsrPwd.dat

- Copy the new XsrPwd.dat to the path identified for <PasswordFile> (configuration.xml)

Note: pwd.txt holds the password in clear text; delete it once XsrPwd.dat has been generated.