SSL Certificate Expired and causes an error while trying to connect to the SSIM

book

Article ID: 155854

calendar_today

Updated On:

Products

Security Information Manager

Issue/Introduction

Unable to login into the SSIM Web UI or SSIM client manager due to the default SSL certificate expiration.

See screenshot below,

Cause

The default SSL Certificate has expired and ldap starting in configuration mode, see screenshot below,

Resolution

A new SSL Certificate must be created and set as Default, then LDAP must be set to use the new SSL Certificate.

To create the new default SSL certificate and set it as default

  1. Connect to and login to the SSIM via an SSH client such as Putty or at the console.
  2. Switch users to root and obtain roots environment witht he command su - and enter the password when prompted.
  3. Confirm whether the hostname is the shortname or FQDN with the command hostname
  4. Stop all services by navigating to the /opt/Symantec/simserver/bin directory and run the command ./stopservices.sh --all
  5. Run the below command for your version of SSIM, making sure to replace <hostname> with the results from the command in step 3.

    SSIM 4.5
    gsk7cmd –cert –create –db /etc/symantec/ses/key.kdb –pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth` -label SESA1 –dn cn=<hostname> -size 1024 –default_cert yes –expire 7300

    SSIM 4.6 and 4.7
    gsk7cmd.ssim –cert –create –db /etc/symantec/ses/key.kdb –pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth` -label SESA1 –dn cn=<hostname> -size 1024 –default_cert yes –expire 7300

Note: In the gsk7cmd the ticks around the `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth` are from the key above Tab and left of the number 1.  These are not single quotes.

Modify the ibmslapd.conf file so that LDAP uses the new default SSL Certificate

  1. Edit the ibmslapd.conf file with the command vi /dbsesa/ldapdb2/idsslapd-ldapdb2/etc/ibmslapd.conf
  2. Jump to the line to be edited by typing /ibm-slapdSslCertificate and press Enter.
  3. Press I to enter Insert mode.
  4. Use the arrow keys on the keyboard to move the cursor and change the entry to say SESA1
  5. Press Esc to exit Insert mode.
  6. Press :wq to save your changes and exit vi.
  7. Start all services by navigating to the /opt/Symantec/simserver/bin directory and run the command ./startservices.sh --all

 If you want to confirm the default SSL certificate is the one you created, use the command below

gsk7capicmd -cert -getdefault -db /etc/symantec/ses/key.kdb –pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`


Attachments