What are the steps to replace a CCI certificate that has expired in OM Web Viewer 12.1

Article ID: 236183


Products

Output Management Web Viewer

Issue/Introduction

The certificate has expired and the new one is not valid yet. How is the expired certificate replaced, and what are the steps?

Environment

  • Output Management Web Viewer 12.1
  • Windows Server
  • Apache Tomcat

Cause

CCI uses the same password for the certificate as it does for the keystore, and the current passwords for the two were different.

Resolution

Configure CCI Keystore from Scratch (must do this if changing certificate password):

  1. Mainframe Admin will update the cert on the mainframe side and will generate a certName.pfx cert file
  2. Connect to app server
  3. Upload the certName.pfx file to the server, change the extension to certName.p12 & copy it to c:\keystore
  4. If cci.keystore exists at c:\keystore, delete it
  5. Run CMD as Administrator
  6. Execute command 'keytool -v -importkeystore -srckeystore c:\keystore\certName.p12 -srcstoretype PKCS12 -destkeystore c:\keystore\cci.jks -deststoretype JKS'
  7. CMD will ask you to set the password for the new cci.keystore; use the same password that is used for the certificate (these passwords must match)
  8. Rename the cert alias with command 'keytool -changealias -alias "certName" -destalias "cci" -keystore c:/keystore/cci.jks'
  9. Execute command 'cd "c:\Program Files\CA\CA_OM_Web_Viewer\util"'
  10. Execute command 'configtool.bat'
  11. Select '1' for System Level External Configuration
  12. Select '1' for CCI Settings
  13. Enter '*CCI Server IP*' to set the CCI Server
  14. Enter '*CCI Server Port*' to set the CCI Port
  15. Enter a unique Client System ID
  16. Enter '3' to Force SSL connection with host
  17. Enter '1' to Secure end-to-end connection
  18. Enter '4' to select TLSv1.2
  19. Enter '1' to Use New Keystore
  20. Enter 'c:\keystore' for relative search path to keystore
  21. Enter 'cci.jks' for keystore file
  22. Enter the certificate/keystore password for the keystore password (these must be the same)
  23. Enter 'cci' for the cert alias
  24. Enter '1' to test connection and save
  25. Restart 'Apache Tomcat'

Update CCI Cert (certificate password must match the keystore password):

  1. Mainframe Admin will update the cert on the mainframe side and will generate a certName.pfx cert file (password must be the same as the keystore password)
  2. Connect to app server
  3. Upload the certName.pfx file to the server, change the extension to .p12 & copy it to c:\keystore
  4. Run CMD as Administrator
  5. Execute the following command 'keytool -v -importkeystore -srckeystore c:\keystore\certName.p12 -srcstoretype PKCS12 -destkeystore c:\keystore\cci.jks -deststoretype JKS'
  6. Rename the cert alias with command 'keytool -changealias -alias "certName" -destalias "cci" -keystore c:/keystore/cci.jks'
  7. Restart 'Apache Tomcat'

Other useful KeyTool commands:

  • View contents of keystore - 'keytool -list -v -keystore c:/keystore/cci.jks'
  • Delete certificate from keystore via alias - 'keytool -delete -noprompt -alias "cci" -keystore c:/keystore/cci.jks'
  • Change keystore password - 'keytool -storepasswd -keystore c:\keystore\cci.jks'
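
An added example (not part of the original article or the product): a Python check over the output of the 'keytool -list -v' command above, confirming that the 'cci' alias exists, holds a private key, and is inside its validity window before Tomcat is restarted. The sample listing, names and dates are constructed; the script assumes English-locale keytool output and ignores the time-zone token, so dates are accurate to within a day.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v -keystore c:/keystore/cci.jks` output
# (trimmed; subject, issuer and dates are made up for illustration).
SAMPLE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: cci
Creation date: Mar 1, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=webviewer.example.test
Issuer: CN=Example Test CA
Valid from: Tue Mar 01 00:00:00 UTC 2022 until: Wed Mar 01 00:00:00 UTC 2023
"""

VALIDITY = re.compile(r"Valid from: (.+?) until: (.+)")

def _parse_date(text):
    # keytool prints e.g. "Tue Mar 01 00:00:00 UTC 2022". The zone token is
    # dropped (assumption: one-day accuracy is enough for this check).
    _dow, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def check_alias(listing, alias, now):
    """Return a list of problems found for `alias` in keytool -list -v output."""
    blocks = re.split(r"(?m)^Alias name: ", listing)[1:]
    entry = next((b for b in blocks if b.splitlines()[0].strip() == alias), None)
    if entry is None:
        return [f"alias '{alias}' not found (was -changealias run?)"]
    problems = []
    if "Entry type: PrivateKeyEntry" not in entry:
        problems.append("entry has no private key (not a PrivateKeyEntry)")
    match = VALIDITY.search(entry)  # first match is the leaf, Certificate[1]
    if not match:
        return problems + ["no validity line found"]
    not_before, not_after = (_parse_date(d) for d in match.groups())
    if now < not_before:
        problems.append(f"certificate not valid until {not_before:%Y-%m-%d}")
    if now > not_after:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    return problems
```

To use it on a real keystore, save the keytool listing to a text file and pass its contents with `datetime.now()`; an empty list means the entry passed all three checks.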

Additional Information

Once the passwords matched and Tomcat was recycled, application functionality was restored.