How to Change the Siteminder AdminUI SSL Certificate in r12.7.x

Article ID: 20369

Products

CA Single Sign-On

Issue/Introduction

After the installation of the Siteminder AdminUI, when you first attempt to connect to the AdminUI, the web browser returns the error "Certificate is Invalid"/"Certificate Invalid".

The AdminUI URL may also get flagged in a security report.

Environment

Release: r12.8.7
Component: Siteminder AdminUI

Cause

This occurs when you attempt to connect to the Siteminder AdminUI using HTTPS. The installation adds a self-signed SSL certificate to be used with HTTPS connections to the AdminUI. The error indicates that, because the certificate is self-signed, there is no root CA to certify it.

Resolution

Add your own certificate chain to the AdminUI and use that instead of a self-signed certificate.

Siteminder uses JBoss WildFly as the application server, and JBoss WildFly uses a Java keystore. You can check its definition in the following file:

<SMAdminUI_Installation_location>\adminui\bin\run.conf.bat

Default:

set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=%JBOSS_HOME%\server\default\conf\keyStore.jks"

set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStoreType=jks"

set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"

If you create another keystore or change the password, you must edit this file (take a backup before modifying it).

1) Use the keytool utility to add the certificate to the keystore. To make sure that the private key is also imported, import it in PKCS12 format:

keytool -v -importkeystore -srckeystore MyStore.p12 -srcstoretype PKCS12 -destkeystore MyStore.jks -deststoretype JKS

2) Make sure that the private key has the same password as the keystore:

keytool -keypasswd -alias MyStore -keypass oldpass -new newpass -keystore MyStore.jks

3) Locate the server.xml file and back up the existing copy before modifying it:

<SMAdminUI_Installation_location>\adminui\server\default\deploy\jbossweb.sar\server.xml

4) Change the keyAlias="tomcat" entry in the https Connector element to:

keyAlias="Alias you created"

5) Change keystorePass if you changed the password of the keystore.

6) Save the file

7) Restart SiteMinder AdminUI Service

8) Access AdminUI using a web browser
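
A post-change check, added here as an example and not part of the original article or the product: it parses `keytool -list -v -keystore MyStore.jks` output together with the https Connector and reports the mismatches that steps 1 to 5 can leave behind. The sample listing, the `adminui` alias, the Connector attributes other than keyAlias and keystorePass, and the function names are constructed for illustration; English keytool output is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed English `keytool -list -v -keystore MyStore.jks` output.
KEYTOOL_LIST = """\
Alias name: adminui
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=adminui.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
"""

# Constructed sample: the https Connector from server.xml after steps 4 and 5.
SERVER_XML = """<Server><Service name="jboss.web">
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="conf/MyStore.jks" keystorePass="changeit" keyAlias="adminui"/>
</Service></Server>"""

def parse_entries(listing):
    """Map each alias to its 'Entry type' and the leaf certificate's Owner/Issuer."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip().lower()  # JKS aliases are case-insensitive
        found = re.findall(r"(?m)^(Entry type|Owner|Issuer): (.+)$", block)
        entries[alias] = dict(reversed(found))  # reversed: first match (the leaf) wins
    return entries

def check(listing, server_xml):
    """Return a list of problems with the https Connector's keystore settings."""
    conn = next(c for c in ET.fromstring(server_xml).iter("Connector")
                if c.get("scheme") == "https")
    alias = (conn.get("keyAlias") or "").lower()
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return [f"keyAlias '{alias}' is not in the keystore"]
    problems = []
    if entry.get("Entry type") != "PrivateKeyEntry":
        problems.append("entry has no private key (redo the PKCS12 import, step 1)")
    if entry.get("Owner") == entry.get("Issuer"):  # leaf issued by itself
        problems.append("certificate is self-signed")
    if conn.get("keystorePass") == "changeit":
        problems.append("keystorePass is still the default 'changeit'")
    return problems
print(check(KEYTOOL_LIST, SERVER_XML))
```

An empty list means the Connector points at a CA-issued private key entry; leaving keyAlias="tomcat" in the sample reproduces the self-signed finding that causes the browser error.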

Additional Information

You can find a keytool reference at the following location:

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html