6.7 Certificate Management

The Fan-Out driver uses X.509 certificates over SSL/TLS to secure connectivity between Platforms and Core Drivers. The certificates are kept on the file system, under the following paths for the Core Driver and for Platform Services, respectively:

  /usr/local/ASAM/data/CoreDriver/certs/
  /usr/local/ASAM/data/PlatformServices/certs/

For Core Drivers, there are five files:

  • ca_cert.pem—This is the public certificate file for the Fan-Out "Root CA"

  • ca_key.pem—This is the private key file for the Fan-Out "Root CA". It signs every Platform and Core Driver certificate in the deployment, so restrict read access to the account the Core Driver runs as, and keep a backup: the Root CA renewal in 6.7.5 depends on this key

  • cert.pem—This is the public certificate file for the local Fan-Out Core Driver (the file that 6.7.4 deletes to force regeneration)

  • key.pem—This is the private key file for the local Fan-Out Core Driver

  • ca.pem—This is also the public certificate file for the Fan-Out "Root CA"; it is the copy that is distributed to Platforms (see 6.7.5)

For Platform Services, there are three files:

  • cert.pem—This is the public certificate file for this platform.

  • key.pem—This is the private key file for this platform.

  • ca.pem—This is the public certificate file for the Fan-Out "Root CA"

6.7.1 Certificate Properties

Each certificate can be viewed in readable form with the OpenSSL command below (add -noout to omit the PEM block that OpenSSL prints after the decoded text):

    openssl x509 -in <path to certificate.pem> -text

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1002 (0x3ea)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=Novell Account Management 3.1 Certificate Authority
            Validity
                Not Before: Sep 30 15:30:42 2020 GMT
                Not After : Oct  1 15:30:42 2021 GMT
            Subject: CN=localhost, OU=localhost, OU=platform sets, OU=event driven objects, OU=asam system, O=system
            ...

The output contains the fields that matter for access control: the Subject Name, the DNS Subject Alternative Names, the Serial Number, the Not Before and Not After dates, and the Issuer. The driver checks a combination of these fields when a connection is established, so when a connection is refused after a renewal, check these first: an expired Not After date, an Issuer that no longer matches the installed ca.pem, or a serial number that is not the last one issued (see 6.7.2). Note also the sha1WithRSAEncryption signature on the sample certificate: OpenSSL 3.x rejects SHA-1 certificate signatures at its default security level, so external tooling may refuse to verify such a chain.
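The following script is an added example, not part of the Fan-Out driver distribution or its documentation. It runs the openssl inspection above over both certificate directories and goes a little beyond the single command: it checks each cert.pem against the Root CA in ca.pem, confirms that key.pem belongs to cert.pem, and warns about certificates that expire within a window. The WARN_DAYS and CERT_DIRS variables are the script's own knobs, not driver settings.

```shell
#!/bin/sh
# fanout_cert_check.sh: added example, not shipped with the Fan-Out driver.
# Inspects the certificate files described above with the openssl CLI.
# WARN_DAYS and CERT_DIRS are this script's own assumptions, not driver settings.

WARN_DAYS="${WARN_DAYS:-30}"
CERT_DIRS="${CERT_DIRS:-/usr/local/ASAM/data/CoreDriver/certs /usr/local/ASAM/data/PlatformServices/certs}"

# Print the fields the driver relies on: subject, issuer, serial number, validity dates.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates
}

# Print the DNS Subject Alternative Names, if the certificate carries any.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# Succeed (exit 0) if certificate $1 is still valid for at least $2 more days.
# "openssl x509 -checkend" exits non-zero when the certificate expires within that window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed if certificate $1 is signed by (chains to) the CA certificate in $2.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeed if the public key inside certificate $1 is the public half of private key $2.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check one certificate directory; returns non-zero if anything is wrong.
# ca_cert.pem exists only on Core Drivers; ca.pem is the Root CA on both kinds of host.
check_cert_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "skip: $dir not present"
        return 0
    fi
    for name in ca_cert.pem ca.pem cert.pem; do
        [ -f "$dir/$name" ] || continue
        echo "== $dir/$name"
        cert_summary "$dir/$name"
        cert_sans "$dir/$name"
        if ! cert_valid_for_days "$dir/$name" "$WARN_DAYS"; then
            echo "WARNING: $dir/$name expires within $WARN_DAYS days"
            rc=1
        fi
    done
    if [ -f "$dir/cert.pem" ]; then
        if ! cert_signed_by_ca "$dir/cert.pem" "$dir/ca.pem"; then
            echo "ERROR: $dir/cert.pem does not verify against $dir/ca.pem"
            rc=1
        fi
        if [ -f "$dir/key.pem" ] && ! key_matches_cert "$dir/cert.pem" "$dir/key.pem"; then
            echo "ERROR: $dir/key.pem does not match $dir/cert.pem"
            rc=1
        fi
    fi
    return $rc
}

# Scan every configured directory when run as "sh fanout_cert_check.sh --scan";
# sourcing the file only defines the functions above.
if [ "${1:-}" = "--scan" ]; then
    status=0
    for d in $CERT_DIRS; do
        check_cert_dir "$d" || status=1
    done
    exit $status
fi
```

Run it from cron with `--scan` and alert on a non-zero exit; the serial and Not After values it prints are the ones to compare against the CRT012A/CRT013A syslog messages in 6.7.3 and 6.7.4.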

Alternatively, you can find the Certificate Expirations for everything in the Fan-Out Driver iManager Plug-In:

  1. Click on Fan-Out Driver Utilities.

  2. Click on Component Status.

    From here, you will find the certificate expiration date for the Root CA.

  3. Click on Core Drivers to list the certificate expiration dates for all core drivers; or click on Platforms to view the certificate expiration dates for all platforms.

6.7.2 Certificate Configuration

Certificates are created for Core Drivers during Core Driver startup, and for Platforms during Platform Services installation and whenever the secure task (asamrcvr -s, see 6.7.3) is run. During this process the Core Driver consults two attributes on the cn=Certificate Services,ou=Manager Services,ou=ASAM System object, one of which is shown below:

  <definition display-name="Verify serial number of incoming platform connection: " 
       id="111" 
       name="verifySerialNumber" 
       type="boolean">
    <description>During the SSL handshake between the driver and the connecting platform, the serial number can be verified against the last serial number generated by the core driver.  Enter a value of "true" if you wish to verify this serial number upon connecting.</description>
    <value>false</value>
  </definition>

The definition above configures whether this Core Driver validates the serial number of a connecting Platform's certificate against the last serial number the Core Driver generated. With verifySerialNumber set to true, a Platform presenting an older, superseded certificate is refused even though that certificate is still within its validity dates; the shipped default is false, which skips the serial check.
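The following is an added example, not the driver's own code, that models the verifySerialNumber check with openssl: the issuing side records the serial number of the certificate it generated last, and a connecting certificate passes only if its serial equals that record. Where the Core Driver actually keeps the last serial is not documented here; the record file in LAST_SERIAL_FILE is an assumption standing in for it.

```shell
#!/bin/sh
# platform_serial_check.sh: added example modelling verifySerialNumber; not driver code.
# LAST_SERIAL_FILE is an assumption: a stand-in for wherever the Core Driver records
# the last serial number it generated.

LAST_SERIAL_FILE="${LAST_SERIAL_FILE:-/tmp/fanout_last_serial}"

# Print a certificate's serial number as upper-case hex, e.g. 03EA for 1002.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Called after the Core Driver issues a platform certificate: remember its serial.
record_issued_serial() {
    cert_serial "$1" > "$LAST_SERIAL_FILE"
}

# The check made at connection time when verifySerialNumber is true: succeed only if
# the presented certificate carries the last issued serial. An older certificate is
# refused here even though it may still be inside its validity dates.
serial_is_latest() {
    [ -f "$LAST_SERIAL_FILE" ] || return 1
    [ "$(cert_serial "$1")" = "$(cat "$LAST_SERIAL_FILE")" ]
}

# Connection-time decision: chain and validity-date check first, then the serial check
# if it is enabled. $1 = presented cert, $2 = Root CA (ca.pem),
# $3 = the verifySerialNumber value ("true" or "false").
accept_platform_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    [ "$3" = "true" ] || return 0
    serial_is_latest "$1"
}
```

The practical consequence for operations: with the check enabled, a platform restored from a backup that contains an earlier cert.pem will be refused until it renews (6.7.3), even if that certificate has not expired.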

6.7.3 Renewing Platform Certificates

When Platform Services is installed, a platform certificate is issued and its expiration is stamped in the certificate's "Not After" field. The lifetime of this certificate is taken from the Certificate Services attribute "ASAM-certDelayExpireTime", which is global for all Platforms and Core Drivers. The same issuance is performed by the secure task, run with the following command-line option:

  /usr/local/ASAM/bin/PlatformServices/PlatformReceiver/asamrcvr -s

This command may be run at any time to obtain a new certificate, but it requires you to authenticate to the Core Driver. For automation it is more convenient to use the current certificate as the credential for obtaining its replacement, which is what the -t option below does. When a certificate is approaching expiration, a message may be displayed and logged to the system syslog, in the form:

  CRT012A Platform Certificate will expire on 20211001153042Z

The timestamp is the certificate's Not After value in GeneralizedTime form (compare the sample in 6.7.1). You can renew the platform certificate, authenticating with the existing one, by running:

  /usr/local/ASAM/bin/PlatformServices/PlatformReceiver/asamrcvr -t

NOTE: If your platform also requires a new Certificate Authority (see 6.7.5), you must first remove ca.pem on the platform OS and then run asamrcvr with the -s option instead.

After obtaining the new certificates, restart any services that use them, such as asampsp or asamrcvr, so that they load the new files.
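As an added example of automating the renewal just described (not a script shipped with the driver), the following wrapper renews only when cert.pem is close to expiry, keeps a backup, verifies the replacement before any service is restarted, and rolls back if the renewal produced nothing usable. It assumes that asamrcvr -t rewrites cert.pem and key.pem in place in the certificate directory; the renewal and restart commands are taken from RENEW_CMD and RESTART_CMD so the logic can be exercised without a Core Driver, and RENEW_WITHIN_DAYS is this script's own setting.

```shell
#!/bin/sh
# renew_platform_cert.sh: added example, not part of the Fan-Out driver.
# Assumptions: "asamrcvr -t" rewrites cert.pem and key.pem in CERT_DIR; RESTART_CMD is
# however asampsp/asamrcvr are restarted on this host; RENEW_WITHIN_DAYS is ours.

CERT_DIR="${CERT_DIR:-/usr/local/ASAM/data/PlatformServices/certs}"
RENEW_CMD="${RENEW_CMD:-/usr/local/ASAM/bin/PlatformServices/PlatformReceiver/asamrcvr -t}"
RESTART_CMD="${RESTART_CMD:-:}"   # assumption, e.g. "systemctl restart asampsp asamrcvr"
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"

not_after()   { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
cert_serial() { openssl x509 -in "$1" -noout -serial  | sed 's/^serial=//'; }

# Renew when cert.pem expires within RENEW_WITHIN_DAYS.
# Return codes: 0 renewed and services restarted, 2 nothing to do,
#               1 renewal failed or unusable (previous files restored, nothing restarted).
renew_if_needed() {
    cert="$CERT_DIR/cert.pem"
    key="$CERT_DIR/key.pem"
    if openssl x509 -in "$cert" -noout -checkend $(( RENEW_WITHIN_DAYS * 86400 )) >/dev/null; then
        echo "cert.pem is valid beyond $RENEW_WITHIN_DAYS days (until $(not_after "$cert")); nothing to do"
        return 2
    fi
    old_serial=$(cert_serial "$cert")
    cp -p "$cert" "$cert.bak" && cp -p "$key" "$key.bak" || return 1
    # The replacement must: chain to the installed ca.pem, match key.pem, actually be a
    # new certificate (different serial) and not itself be about to expire.
    if $RENEW_CMD \
       && openssl verify -CAfile "$CERT_DIR/ca.pem" "$cert" >/dev/null 2>&1 \
       && [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
       && [ "$(cert_serial "$cert")" != "$old_serial" ] \
       && openssl x509 -in "$cert" -noout -checkend $(( RENEW_WITHIN_DAYS * 86400 )) >/dev/null; then
        rm -f "$cert.bak" "$key.bak"
        echo "renewed: cert.pem serial $(cert_serial "$cert"), valid until $(not_after "$cert")"
        $RESTART_CMD
        return 0
    fi
    echo "renewal failed or produced an unusable certificate; restoring the previous files" >&2
    mv "$cert.bak" "$cert"
    mv "$key.bak" "$key"
    return 1
}
```

A chain-verification failure after -t is the symptom of the case covered by the NOTE above (the Root CA has changed); the rollback leaves the old files in place so the platform can still be fixed by removing ca.pem and running asamrcvr -s.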

6.7.4 Renewing Core Driver Certificates

When a Core Driver is installed, a certificate is issued during shim startup and its expiration is stamped in the certificate's Not After field. The lifetime of this certificate is taken from the Certificate Services attribute ASAM-certExpirationDelay, which is global for all Platforms and Core Drivers. When a certificate is approaching expiration, a message may be displayed and logged to the system syslog, in the form:

  CRT013A Core Driver Certificate will expire on 20211001153042Z

You can recreate the Core Driver certificate in either of two ways. Changing any of the Core Driver object properties, such as Network Address, and restarting the Core Driver automatically generates a new certificate. Alternatively, delete the /usr/local/ASAM/data/CoreDriver/certs/cert.pem file and restart the Core Driver; it regenerates the certificate on startup.

6.7.5 Renewing the Root CA

The Root CA for the Fan-Out driver is the most important certificate, as it issues and signs every certificate file for Platforms and Core Drivers. It has a lifetime of 10 years. When it is renewed, the following steps must be followed in order. The procedure preserves the Root CA's private key, which is what keeps the existing Platform and Core Driver certificates valid against the regenerated CA certificate, so back up the certs directory first and do not delete ca_key.pem:

  1. Remove the following files from all Core Driver servers:

      /usr/local/ASAM/data/CoreDriver/certs/ca_cert.pem
      /usr/local/ASAM/data/CoreDriver/certs/ca.pem

  2. Restart the primary Core Driver server shim to allow it to regenerate a new set of ca_cert.pem and ca.pem files.

  3. Copy the ca_cert.pem and ca.pem to the remaining Core Driver servers and restart those driver shims to load the new Root CA.

  4. Because the ca.pem must be distributed to all platform objects, you must also force Platform Services to renew their certificates via section 6.7.3 (removing the old ca.pem on each platform and running asamrcvr -s), or manually copy ca.pem to each platform and restart the Platform Services processes.