The Policy Store's certificate was replaced because the old one had expired, and the running Policy Server still holds the old certificate. How can the certificate be changed in the Policy Server configuration?
Policy Server 12.8SP6a on Red Hat 7
To add the new certificate, the cert8.db database must first be upgraded to the cert9.db format, as described in the documentation (1)(2).
Once upgraded, get the new certificate from the Policy Store and insert it into the cert9.db located under:
<installation_directory>/siteminder/myCertDB/
Note that the upgrade command will fail if the -upgrade-prefix option is used (3).
On the Policy Server, run the following command (redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input):
# openssl s_client -connect mypolicystore.mydomain.com:636 < /dev/null
In the output, copy the lines from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
inclusive, and paste them into a file called
<installation_directory>/siteminder/newcert.crt
on the Policy Server machine. If the LDAP server sends its whole chain (add -showcerts to see it), the first block is the server certificate itself; that is the one to import.
List the certificates currently in the database and note down the alias (nickname) of the old Policy Store certificate:
# certutil -L -d <installation_directory>/siteminder/myNewCertDB
Delete the old certificate under that alias, then add the new one under the same alias with the trusted peer (P) trust flag:
# certutil -D -n alias -d <installation_directory>/siteminder/myNewCertDB
# certutil -A -n alias -t P -i <installation_directory>/siteminder/newcert.crt -d <installation_directory>/siteminder/myNewCertDB
Run certutil -L again to confirm that the alias is listed with the P trust flag before restarting the Policy Server.
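The following script is an added example written for this article; it is not a script shipped with the Policy Server or taken from the Broadcom documentation. It automates the steps above: it fetches the certificate the Policy Store currently presents, strips the s_client output down to the first PEM block, replaces the entry under the existing alias in a cert9.db database using the certutil that ships with the Policy Server, and compares fingerprints so you can confirm the database now holds what the server sends. The installation path, database directory, password file, alias and host below are assumptions that must be adjusted to your environment.

```shell
#!/bin/sh
# Added example for this KB article, not the product's own tooling.
# Fetch the Policy Store LDAPS certificate, replace it in a cert9.db, verify.
# Every value below is an assumption; override via the environment.

SM_HOME="${SM_HOME:-/opt/CA/siteminder}"          # assumed <installation_directory>/siteminder
CERTUTIL="${CERTUTIL:-$SM_HOME/bin/certutil}"     # certutil shipped with the Policy Server
CERTDB="${CERTDB:-$SM_HOME/myNewCertDB}"          # directory holding cert9.db / key4.db
PWFILE="${PWFILE:-$SM_HOME/myNewCertDB.pw}"       # assumed file holding the database password
ALIAS="${ALIAS:-policystore}"                     # nickname reported by certutil -L
STORE="${STORE:-mypolicystore.mydomain.com:636}"  # Policy Store LDAPS endpoint

# Keep only the first BEGIN/END CERTIFICATE block of s_client output, i.e. the
# server certificate; with -showcerts the issuer certificates follow and are dropped.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Fetch the certificate the Policy Store presents right now. Reading stdin from
# /dev/null makes s_client exit once the handshake is done.
fetch_cert() {
    openssl s_client -connect "$STORE" -servername "${STORE%%:*}" </dev/null 2>/dev/null | extract_pem
}

# SHA-256 fingerprint of a PEM certificate file (value only, no "SHA256 Fingerprint=" prefix).
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Create a cert9.db database if none exists, then replace the certificate stored
# under $ALIAS: delete the stale entry first so only the current certificate is
# trusted under that alias, then import the new one as a trusted peer (-t P).
replace_cert() {
    pem="$1"
    if [ ! -f "$CERTDB/cert9.db" ]; then
        mkdir -p "$CERTDB"
        "$CERTUTIL" -N -d "sql:$CERTDB" -f "$PWFILE"
    fi
    if "$CERTUTIL" -L -d "sql:$CERTDB" -n "$ALIAS" >/dev/null 2>&1; then
        "$CERTUTIL" -D -n "$ALIAS" -d "sql:$CERTDB"
    fi
    "$CERTUTIL" -A -n "$ALIAS" -t P -i "$pem" -d "sql:$CERTDB"
}

main() {
    newcert="$SM_HOME/newcert.crt"
    fromdb="$SM_HOME/newcert.fromdb.crt"
    fetch_cert > "$newcert"
    grep -q 'BEGIN CERTIFICATE' "$newcert" || { echo "no certificate received from $STORE" >&2; exit 1; }
    echo "certificate presented by $STORE: $(fingerprint "$newcert")"
    replace_cert "$newcert"
    # Export what is now stored under the alias (-a = ASCII/PEM) and compare fingerprints.
    "$CERTUTIL" -L -d "sql:$CERTDB" -n "$ALIAS" -a > "$fromdb"
    if [ "$(fingerprint "$newcert")" = "$(fingerprint "$fromdb")" ]; then
        echo "database entry '$ALIAS' matches the server certificate"
    else
        echo "fingerprint mismatch between $newcert and database entry '$ALIAS'" >&2
        exit 1
    fi
    "$CERTUTIL" -L -d "sql:$CERTDB"
}

# Only perform the replacement when explicitly asked: sh replace_ps_cert.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it as root on the Policy Server with `sh replace_ps_cert.sh run` (the file name is an assumption), then restart the Policy Server. The `sql:` prefix on `-d` forces the cert9.db/key4.db format regardless of the certutil default, which is what the migration described in (2) requires.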
Note:
To create a certificate database in the right format, use the certutil command that ships with the Policy Server, found in its bin directory:
[ps.training.com] root :: 13:40:25 : <installation_directory>/siteminder $ mkdir new
[ps.training.com] root :: 13:40:38 : <installation_directory>/siteminder $ ./bin/certutil -N -d new
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Passwords do not match. Try again.
Enter new password:
Re-enter password:
[ps.training.com] root :: 13:41:09 : <installation_directory>/siteminder $ ls new/
cert9.db key4.db pkcs11.txt
[ps.training.com] root :: 13:41:10 : <installation_directory>/siteminder $ Version
[Version - Version 12.8.0600.2649]
(1)
Specify a Netscape Certificate Database File
Up to Release 12.8.05: cert8.db and key3.db files
From Release 12.8.06: cert9.db and key4.db files
(2)
Requirements for Existing LDAP User Directory Connections Over SSL
(From Release 12.8.06) To migrate the certificate database file from cert8.db to cert9.db
After an upgrade to Release 12.8.06, the existing cert8.db and
key3.db files continue to work in the upgraded environment. However,
to add new certificates in the cert8.db and key3.db files, the files
must be first migrated to the cert9.db and key4.db files format that
is supported from Release 12.8.06.
(3)