This document provides information on renewing and importing updated certificates into Identity Manager.
All the certificates have a default lifetime period, after which certificates expire. Once the certificate expires, the applications’ becomes inaccessible. You can either extend the existing certificate’s validity or renew the certificate to restore access to application.
The following sections describe how to renew an expired certificate.
When the Identity Manager components are installed on different servers, follow the below steps to renew expired certificates:
To renew the expired certificate entry for Identity Applications in the IDM keystore (idm.jks), perform the following steps:
On the server where Identity Applications is installed, navigate to the /opt/netiq/idm/apps/tomcat/conf/ directory.
Take a backup of the idm.jks file.
Delete the expired SSL Certificate DNS.
Log in to iManager.
Navigate to Roles and Tasks > NetIQ Certificate Access > Server Certificates.
Select the SSL CertificateDNS check box and click Delete.
Log in to the server where Identity Vault is installed and run the below command:
ndsconfig add -m SAS
NOTE:This command creates new SSL Certificate DNS. It will also create a certificate entry in the cacerts of Identity Manager Engine.
Restart eDirectory.
On the server where Identity Applications is installed, perform the following steps to update the trustedCertEntry (server certificate) entry in the idm.jks keystore.
Navigate to the /opt/netiq/idm/apps/configupdate directory.
Launch the configuration update utility by running the following command and click OK.
./configupdate.sh
This updates the idm.jks with the new SSL Certificate DNS.
Restart the Tomcat service.
On the server where SSPR is installed, perform the following steps:
Navigate to the /opt/netiq/idm/apps/sspr/sspr_data/ directory.
Set the configIsEditable value to true in SSPRConfiguration.xml file.
Save the file.
To import the Identity Vault root certificate into SSPR, perform the following steps:
Log in to the SSPR portal in private mode.
https://<server-dns>:<port>/sspr/private/login?sso=false
Select the Configuration Editor.
Specify the configuration password and click Sign In.
Navigate to LDAP > LDAP Directories > Default > Connection.
Clear the LDAP Certificates and click Import From Server, and then click Save.
Log in to the Identity Manager Dashboard.
To renew the expired certificates in Identity Applications Tomcat keystore (tomcat.ks), perform the following steps:
Stop the Tomcat service.
Navigate to the /opt/netiq/idm/apps/tomcat/conf/ directory.
Take a backup of the tomcat.ks file.
Delete the existing tomcat.ks file.
Create a new tomcat.ks (Identity Application Tomcat keystore) file.
keytool -genkey -alias <alias_name> -storetype PKCS12 -keyalg RSA -keystore tomcat.ks -validity <no_of_days> -keysize <key_size> -dname "CN=<fqdn>" -keypass <password> -storepass <password>
For example,
keytool -genkey -alias userapp -storetype PKCS12 -keyalg RSA -keystore tomcat.ks -validity 2555 -keysize 1024 -dname "CN=rhel8-3388.novell.com" -keypass novell -storepass novell
Ensure that the trustedcert (server certificate) entry is present in the Identity Applications Tomcat keystore.
keytool -import -trustcacerts -alias <alias_of_trustedcert_root> -keystore tomcat.ks -file <root-certificate-file> -storepass <password> -noprompt
For example,
keytool -import -trustcacerts -alias root -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -file /opt/certs/cert.der -storepass novell -noprompt
Import the new user certificate to the Identity Applications Tomcat keystore.
Start the Tomcat service.
NOTE:You must have a certificate with CN as Identity Applications in the keystore (idm.jks) of the Identity Applications server. As part of enhanced Java security, now Identity Applications requires trusted certificate to communicate with OSP.
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks
To renew the certificates in the OSP keystore (osp.jks), perform the following steps:
Stop the Tomcat service.
Navigate to the /opt/netiq/idm/apps/osp/ directory.
Take a backup of the osp.jks file.
Delete the existing osp alias in osp.jks.
keytool -delete -noprompt -alias <alias_name> -keystore <osp.jks> -storepass <password>
For example,
keytool -delete -noprompt -alias osp -keystore /opt/netiq/idm/apps/osp/osp.jks -storepass novell
Run the below command to extend the validity of osp.jks
keytool -genkey -keyalg RSA -keysize <key_size> -keystore /opt/netiq/idm/apps/osp/osp.jks -storepass <password> -keypass <password> -alias osp -validity <no_of_days> -dname "<fqdn>"
For example,
keytool -genkey -keyalg RSA -keysize 2048 -keystore /opt/netiq/idm/apps/osp/osp.jks -storepass novell -keypass novell -alias osp -validity 1460 -dname "CN=rhel8-3387.novell.com"
Start the Tomcat service.
NOTE:If you see any errors while accessing the SSPR page, perform the following steps:
Log in to the SSPR portal.
https://<IP address>:<port>/sspr
On the upper-right corner, click on the logged-in user and then click Configuration Editor.
Specify the configuration password and click Sign In.
Navigate to Settings > Single Sign On (SSO) Client > OAuth.
Clear and import the OAuth Server Certificate.
Click the Save icon at the upper-right corner to save the certificate.
When the Identity Manager components are installed on a single server, follow the below steps to renew expired certificates:
To renew the expired certificates for IDM keystore, perform the following steps:
Take a backup of idm.jks file.
Log in to iManager and delete the expired SSL Certificate DNS.
Log in to iManager.
Navigate to Roles and Tasks > NetIQ Certificate Access > Server Certificates.
Select the SSL CertificateDNS check box and click Delete.
Run the below command:
ndsconfig add -m SAS
NOTE:This command creates new SSL Certificate DNS. It will also create a certificate entry in the cacerts of Identity Manager Engine.
Restart the Identity Vault instance.
ndsmanage stopall
ndsmanage startall
Launch the configupdate.sh and click OK.
Navigate to the /opt/netiq/idm/apps/sspr/sspr_data/ directory, set the configIsEditable value to true in SSPRConfiguration.xml file, and then save the file.
To import the certificates into SSPR, perform the following steps:
Log in to the SSPR portal in private mode.
https://<server-dns>:<port>/sspr/private/login?sso=false
Select the Configuration Editor.
Specify the configuration password and click Sign In.
Navigate to LDAP > LDAP Directories > Default > Connection.
Clear the LDAP Certificates and click Import From Server, and then click Save.
NOTE:SSL Certificate DNS change mandates to update the tomcat.ks with new server certificate. If eDirectory is the certificate issuing authority, you should also change user certificates.
To renew the expired certificates for Tomcat keystore, perform the following steps:
Stop the Tomcat service.
Navigate to the /opt/netiq/idm/apps/tomcat/conf/ directory.
Take a backup of the tomcat.ks file.
Delete the existing tomcat.ks file.
Create a new tomcat.ks (Identity Application Tomcat keystore) file.
keytool -genkey -alias <alias_name> -storetype PKCS12 -keyalg RSA -keystore tomcat.ks -validity <no_of_days> -keysize <key_size> -dname "CN=<fqdn>" -keypass <password> -storepass <password>
For example,
keytool -genkey -alias userapp -storetype PKCS12 -keyalg RSA -keystore tomcat.ks -validity 2555 -keysize 1024 -dname "CN=rhel8-3388.novell.com" -keypass novell -storepass novell
Ensure that the trustedcert (server certificate) entry is present in the Identity Applications Tomcat keystore.
keytool -import -trustcacerts -alias <alias_of_trustedcert_root> -keystore tomcat.ks -file <root-certificate-file> -storepass <password> -noprompt
For example,
keytool -import -trustcacerts -alias root -keystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -file /opt/certs/cert.der -storepass novell -noprompt
Import the new user certificate to the Identity Applications Tomcat keystore.
Restart the Tomcat service.
Use the command to import the new generated keystore(s) from tomcat.ks to idm.jks
/opt/netiq/common/jre/bin/keytool -importkeystore -srckeystore /opt/netiq/idm/apps/tomcat/conf/tomcat.ks -destkeystore /opt/netiq/idm/apps/tomcat/conf/idm.jks
To import the OAuth certificate into SSPR, perform the following steps.
Log in to SSPR portal.
Select the Configuration Editor.
Navigate to Settings > Single Sign On (SSO) Client > OAuth.
Clear the OAuth Server Certificate and Import from the Server, and then click Save.
Restart the Tomcat service.
To renew the expired certificate for OSP keystore, perform the following steps:
This sections explains the steps to renew the OSP keystore (osp.jks). For more information, see section Renewing Certificates for OSP Keystore of this document.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.
Copyright © 2020 NetIQ Corporation, a Micro Focus company. All Rights Reserved.