
Policy Store certificate change in the Policy Server configuration


Article ID: 244107


Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

The Policy Store (LDAP) replaced its SSL certificate because the old one was outdated, and the Policy Server still holds the old certificate in its certificate database. How is the certificate updated in the Policy Server configuration so that the Policy Server can keep connecting to the Policy Store over SSL?

 

Environment

 

Policy Server 12.8 SP6a on Red Hat 7

 

Resolution

 

A new certificate cannot be added to a cert8.db database directly: per the documentation (1)(2), the database must first be upgraded to the cert9.db format (with key4.db).

Once upgraded, get the new certificate from the Policy Store and insert it into cert9.db. The certutil commands below refer to the certutil binary shipped with the Policy Server (see the Note at the end), not a certutil installed from the operating system.

  1. Take a backup of the existing certificate database folder:
    /opt/CA/siteminder/myCertDB/
  2. Follow the documentation steps to upgrade cert8.db to cert9.db (2). In this article the upgraded database is in /opt/CA/siteminder/myNewCertDB.
    Note that the command fails if the -upgrade-prefix option is used (3).
  3. Get the certificate presented by mypolicystore.mydomain.com:636:

    On the Policy Server, run the following command (redirecting stdin makes s_client close the connection and exit instead of waiting for input):

    # openssl s_client -connect mypolicystore.mydomain.com:636 </dev/null

    In the output, copy the lines from

      -----BEGIN CERTIFICATE-----

    to

      -----END CERTIFICATE-----

    both included, and paste them into a file called

      /opt/CA/siteminder/newcert.crt

    on the Policy Server machine. Without -showcerts the output contains the server's own (leaf) certificate only, which is what this procedure imports. Before importing it, compare its fingerprint with the value the LDAP administrators publish: a certificate copied off the network cannot by itself prove that it came from the genuine Policy Store.
  4. Get the alias (nickname) of the old certificate:
      # certutil -L -d /opt/CA/siteminder/myNewCertDB

      and note down the alias name.
  5. Delete the old certificate by its alias:
      # certutil -D -n alias -d /opt/CA/siteminder/myNewCertDB
  6. Add the new certificate under the same alias as above, with the P (trusted peer) trust flag:
      # certutil -A -n alias -t P -i /opt/CA/siteminder/newcert.crt -d /opt/CA/siteminder/myNewCertDB
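The six steps above as one script. This is an added example and is not part of the original article or of the SiteMinder product; it assumes the article's placeholder host and paths (mypolicystore.mydomain.com:636, /opt/CA/siteminder, the myNewCertDB directory, the bundled bin/certutil) and the -t P trust flag used in step 6. It adds the two checks a practitioner wants: the SHA-256 fingerprint of the fetched certificate, printed so it can be compared out of band with the LDAP administrators before importing, and a read-back of the imported certificate from the database to confirm it matches the file on disk. Only the PEM-extraction helper runs without a live Policy Store; the rest needs the real host and certutil. Because the article pins the server's leaf certificate rather than its issuing CA, the procedure has to be repeated at every renewal of that certificate.

```shell
#!/bin/sh
# Added example, not from the original article: rotate the Policy Store LDAPS
# certificate in the Policy Server's NSS (cert9.db) database.
# Assumed values (override via environment): the paths and host names below are
# the article's placeholders, not real systems.
PS_HOME=${PS_HOME:-/opt/CA/siteminder}
CERTUTIL=${CERTUTIL:-$PS_HOME/bin/certutil}     # the certutil shipped with the Policy Server
CERTDB=${CERTDB:-$PS_HOME/myNewCertDB}          # directory holding cert9.db/key4.db
LDAPS_HOST=${LDAPS_HOST:-mypolicystore.mydomain.com}
LDAPS_PORT=${LDAPS_PORT:-636}
NEWCERT=${NEWCERT:-$PS_HOME/newcert.crt}

# Keep only the first PEM certificate block of s_client output: that is the
# server's own certificate. With -showcerts the issuer chain follows it and
# must not end up in newcert.crt.
extract_first_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1}
       p {print}
       /-----END CERTIFICATE-----/ {if (p) exit}'
}

# Step 3: fetch the certificate the Policy Store presents and print its
# SHA-256 fingerprint so it can be checked with the LDAP administrators
# before anything is imported (the network alone cannot prove authenticity).
fetch_server_cert() {
  openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -servername "$LDAPS_HOST" </dev/null 2>/dev/null \
    | extract_first_pem >"$NEWCERT"
  [ -s "$NEWCERT" ] || { echo "no certificate received from $LDAPS_HOST:$LDAPS_PORT" >&2; return 1; }
  openssl x509 -in "$NEWCERT" -noout -subject -enddate -fingerprint -sha256
}

# Step 1: back up the database directory before touching it.
backup_certdb() {
  cp -a "$CERTDB" "$CERTDB.bak.$(date +%Y%m%d%H%M%S)"
}

# Steps 4-6: replace the certificate stored under the existing alias ($1),
# then read it back from the database and compare it with the file on disk.
replace_cert() {
  "$CERTUTIL" -L -d "$CERTDB" -n "$1" >/dev/null || { echo "alias '$1' not found in $CERTDB" >&2; return 1; }
  "$CERTUTIL" -D -n "$1" -d "$CERTDB" || return 1
  "$CERTUTIL" -A -n "$1" -t P -i "$NEWCERT" -d "$CERTDB" || return 1
  indb=$("$CERTUTIL" -L -d "$CERTDB" -n "$1" -a | openssl x509 -noout -fingerprint -sha256)
  onfile=$(openssl x509 -in "$NEWCERT" -noout -fingerprint -sha256)
  [ "$indb" = "$onfile" ] || { echo "imported certificate does not match $NEWCERT" >&2; return 1; }
  echo "alias '$1' now holds $indb"
}

# Usage: sh rotate_ps_cert.sh rotate <alias>   (alias from: certutil -L -d $CERTDB)
if [ "${1:-}" = rotate ] && [ -n "${2:-}" ]; then
  backup_certdb && fetch_server_cert && replace_cert "$2"
fi
```

Run it as root on the Policy Server with the alias found in step 4; stop and investigate if the printed fingerprint does not match what the LDAP team reports, since that is the point where a certificate from the wrong peer would otherwise be trusted.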

Note:

To create a certificate database in the right format, use the certutil command that comes with the Policy Server, found in the bin directory of the installation; as the session below shows, it creates cert9.db and key4.db (the first password prompt was simply mistyped):

  [ps.training.com] root :: 13:40:25 : /opt/CA/siteminder $ mkdir new
  [ps.training.com] root :: 13:40:38 : /opt/CA/siteminder $ ./bin/certutil -N -d new
  Enter a password which will be used to encrypt your keys.
  The password should be at least 8 characters long,
  and should contain at least one non-alphabetic character.

  Enter new password:
  Re-enter password:
  Passwords do not match. Try again.
  Enter new password:
  Re-enter password:
  [ps.training.com] root :: 13:41:09 : /opt/CA/siteminder $ ls new/
  cert9.db  key4.db  pkcs11.txt

  [ps.training.com] root :: 13:41:10 : /opt/CA/siteminder $ Version
  [Version -  Version 12.8.0600.2649]

 

Additional Information

 

(1)

    Specify a Netscape Certificate Database File

      Up to Release 12.8.05: cert8.db and key3.db files
      From Release 12.8.06: cert9.db and key4.db files

    

(2)
  
    Requirements for Existing LDAP User Directory Connections Over SSL

      (From Release 12.8.06) To migrate the certificate database file from cert8.db to cert9.db

      After an upgrade to Release 12.8.06, the existing cert8.db and
      key3.db files continue to work in the upgraded environment. However,
      to add new certificates in the cert8.db and key3.db files, the files
      must be first migrated to the cert9.db and key4.db files format that
      is supported from Release 12.8.06.

    

(3)

    certutil --upgrade-merge command not working