
Expiring SP certificate on IDP Federation Partnership renewal


Article ID: 102461


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A Service Provider (SP) certificate that is about to expire is configured on the Identity Provider (IDP) Partnership for signature verification.

How can the certificate be renewed on the Identity Provider (IDP) side?

 

Resolution

  1. Turn on CDS logging (1) for both the AdminUI and the Policy Server, so that if anything goes wrong there is a record to troubleshoot from.
  2. Import the renewed certificate through the AdminUI under a temporary alias, for example currentcertrenewed.
  3. Rename the current (expiring) certificate to a new alias (2):

    ./smkeytool.sh -renameAlias -alias currentcert -newalias currentcertexpired

  4. Flush the Policy Server cache (Flush All).
  5. Rename the renewed certificate (currentcertrenewed) to the alias the current certificate had, so that the Partnership, which references the certificate by alias, picks it up without being edited:

    ./smkeytool.sh -renameAlias -alias currentcertrenewed -newalias currentcert

  6. Flush the Policy Server cache (Flush All) again.
  7. List the certificates in your CDS with ./smkeytool.sh and confirm that every certificate the partnership needs is present under the expected alias.

Note:

Flush All normally reloads the certificate information correctly. If federation transactions still fail with certificate errors afterwards, restart the Policy Server so that no stale cached certificate can be used.
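The alias swap in steps 3 to 6 is order-sensitive: the alias the Partnership references must be freed before the renewed certificate can take it, and each rename should be followed by a cache flush. The script below is an added example, not part of the article or of the product, that wraps that sequence with logging and a rollback: if the renewed certificate cannot be moved into place, the expiring (still valid) certificate is renamed back so federation keeps working. It assumes the renewed certificate was already imported via the AdminUI, that smkeytool.sh accepts -renameAlias -alias -newalias exactly as shown in the article, and that the path in SMKEYTOOL, the log file path, the NONINTERACTIVE variable and the flush_cache_hook function are all hypothetical conveniences of this script; the flush itself is still done in the AdminUI, the hook only marks where it belongs in the sequence.

```shell
#!/bin/sh
# Alias swap for a renewed SP certificate in the SiteMinder Certificate Data Store.
# Added example, not from the original article. Assumptions (see lead-in):
#   SMKEYTOOL      path to smkeytool.sh (default ./smkeytool.sh)
#   LOG            where this script records what it did (hypothetical path)
#   NONINTERACTIVE set to 1 to skip the "flush done?" prompt (hypothetical)
#   the renewed cert is already imported under the RENEWED alias via AdminUI
set -u

SMKEYTOOL="${SMKEYTOOL:-./smkeytool.sh}"
LOG="${LOG:-/tmp/sp-cert-swap.log}"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# rename_alias OLD NEW: the smkeytool call the article uses in steps 3 and 5.
rename_alias() {
  log "rename $1 -> $2"
  "$SMKEYTOOL" -renameAlias -alias "$1" -newalias "$2"
}

# flush_cache_hook: the article's "Flush Policy Server Cache ALL" is an AdminUI
# action and the page gives no CLI for it, so this hook only records that a
# flush is due here and, when run from a terminal, waits for the operator.
flush_cache_hook() {
  log "flush-all required"
  if [ -t 0 ] && [ "${NONINTERACTIVE:-0}" != "1" ]; then
    printf 'Flush the Policy Server cache (ALL) in the AdminUI, then press Enter: '
    read -r _
  fi
}

# swap_alias CURRENT RENEWED EXPIRED
#   CURRENT -> EXPIRED, flush, RENEWED -> CURRENT, flush.
#   Returns 1 if the expiring cert could not be parked (nothing changed),
#   2 if the renewed cert could not be moved into place (rolled back),
#   0 on success.
swap_alias() {
  current="$1"; renewed="$2"; expired="$3"
  if [ "$current" = "$renewed" ] || [ "$current" = "$expired" ]; then
    log "abort: aliases must be distinct"
    return 1
  fi
  rename_alias "$current" "$expired" || { log "abort: could not park $current"; return 1; }
  flush_cache_hook
  if ! rename_alias "$renewed" "$current"; then
    # The Partnership still points at CURRENT; put the old cert back so
    # verification keeps working until the import is fixed.
    log "rollback: restoring $expired -> $current"
    rename_alias "$expired" "$current" || log "rollback FAILED: $current is now missing"
    flush_cache_hook
    return 2
  fi
  flush_cache_hook
  log "done: $current now holds the renewed certificate; $expired holds the old one"
  return 0
}

# Usage: sh sp-cert-swap.sh currentcert currentcertrenewed currentcertexpired
if [ $# -eq 3 ]; then
  swap_alias "$1" "$2" "$3"
fi
```

Before importing the renewed certificate at all, it is worth confirming on the file you received that it really is the successor of the expiring one and not already near expiry itself: `openssl x509 -in renewed.pem -noout -subject -issuer -enddate -checkend 2592000` prints the identity and end date and exits non-zero if the certificate expires within 30 days. After the swap, step 7 (listing the CDS) remains the authoritative check that currentcert and currentcertexpired both exist.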

 

Additional Information

 

(1)

    Certificate Data Store (CDS) Logging
 

(2)

    smkeytool