We're running a Policy Server and after having set the new Partnership
certificate as "Secondary Verification Certificate Alias", when
our Partner side stopped using the old certificate on its side, the
Federation Partnership stopped working on our side and fails.
We didn't deactivate the Partnership before setting the
Secondary Certificate, as this should work this way in
SiteMinder 12.8 as we understand it.
How can we fix that?
Policy Server 12.8SP3 on RedHat 6
At first glance, when you modify a Partnership, you have to
deactivate it first and activate it later once the configuration
modifications are done, as per our documentation:
Signature and Encryption Configuration for Federated Partnerships
5. (Optional) Select another alias from the certificate data store for
the Secondary Verification Certificate Alias field. If verification
of a signed authentication or logout request fails using the
primary verification certificate alias, the IdP uses this secondary
verification alias. If the certificate is not already in the
certificate data store, click Import to import one. When secondary
certificates are configured or updated for an active partnership,
the run time automatically picks up the changes. You do not need to
flush the cache manually from the UI for the changes to take
effect.
[...]
9. Activate a partnership for all configuration changes to take effect
and for the partnership to become available for use. Restarting the
services is not sufficient.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/partnership-federation/signature-and-encryption-configuration-for-federated-partnerships.html