PAM SAML Certificate Updates

book

Article ID: 192217

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM is configured with SAML Authentication to Single Sign-On.
Now the certificate will be expiring.
What are the steps to update the certificates?

Environment

Release : 3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

There are 2 certificates that may expired.
1. IDP side Certificate
2. SP(PAM) side certificate

(Certificates used for HTTPS is not covered in this topic)

Firstly, PAM side certificate setting is here.

Once you have imported(or generated in PAM) a keypair, it would appear in this dropdown menu.
Select the new keypair certificate and click "Save Configuration".

IDP Side Certificate is at the "Configured Remote SAML IdP" tab.
Select the respective IdP and click "UPDATE" button.




And following are the steps to update them.
1. Login as 'super'
2. Import(or Generate New in PAM) a new keypair to PAM and import the same to other PAM nodes with Exact Same Filename.

!! You will need to export this new keypair (Download the newpamkey.crt and newpamkey.key in this example) and merge it to a single file and import it to all other PAM nodes with EXACT SAME FILENAME!!!





3. At the "Configuration --> Security --> SAML --> SP Configuration --> Configuration --> Certificate Key Pair", select the new keypair from dropdown menu and click "SAVE CONFIGURATION"
4. Navigate to "Configured Remote SAML IdP" tab and select the respective IdP.
5. Click on "DOWNLOAD METADATA" and save the xml file.
6. Provide this xml file to the IdP side person so they can import it to their federation application.
7. IdP side person will also provide an XML file (aka Metadata) which contains the updated certificate.
8. Upload the metadata xml file received from IdP to PAM.


Once this is done you can click on the "TEST" button to see if the federation still works with the new certificate.
!! You must TEST on all PAM nodes to ensure all nodes are able to login using SAML !!



Note:
Preparation 
* You will need to have the PAM side new keypair ready before contacting IdP for this activity.
* If IdP side uses a CA signed certificate, that certificate chain need to be imported in to PAM as well. This should be done before performing the metadata exchange.

Planning to avoid outage
* It would be good to plan ahead so this activity does not take place just before the certificate expiry.
* If the PAM Users can be changed to LDAP Authentication, that will need to be communicated to users so they will use LDAP Authentication if that is possible. In case if SAML Certificate update does not go well, ensure users are still able to login. Test this LDAP Authentication or whichever authentication that can be used in place of SAML Authentication.

In case if IdP side encounter issues that may prolong the down time.

If you have concerns planning and performing these activities, it is recommended to reach out to Broadcom Services Team (via your Broadcom Account Manager) and plan ahead.

Attachments