Symantec Directory Manager: How to generate SCIM client certificate after expiration on Linux

Article ID: 249679

Products

CA Directory

Issue/Introduction

The following document explains how to re-generate the Symantec Directory Manager server certificate on Linux:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/troubleshooting-ca-directory/creating-directory-manager-certificates-after-expiration.html#concept.dita_db7516a1-cc62-43ef-91dc-9c91309f6867_DirectoryManagerCACerts

The Symantec Directory Manager installation also includes a SCIM server.
The SCIM client certificate expires at the same time as the Directory Manager server certificate, but the document does not explain how to re-generate it.

Note that the above document explains how to generate the SCIM client certificate on Windows; only the information for Linux installations is missing.

Resolution

Follow these steps to re-generate the expired SCIM client certificate:

  1. Re-generate the Directory Manager server certificate as per this document:
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/troubleshooting-ca-directory/creating-directory-manager-certificates-after-expiration.html#concept.dita_db7516a1-cc62-43ef-91dc-9c91309f6867_CA_Linux
  2. Navigate to the install/openssl-ca folder where the Directory Management installation package is extracted (the same folder as in item 4 of the above document) and run the following command:
    ./generate_cert_key.sh
    Answer the questions as follows (the answers, shown in red in the original article, are the values entered after each prompt):

    $ ./generate_cert_key.sh
    Please provide a base name for your key and certificate files
    scimclientcert
    Are you requesting a certificate for your dxagent client (1) or for your dxagent server (2) ?
    1
    Please provide a password for the PKCS12 file
    <password>
    Generating a RSA private key
    ......+++++
    ..................................................+++++
    writing new private key to '/opt/CA/Directory/dxserver/media/linux_x86_64/management-ui/install/openssl-ca/out/scimclientcert.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:AU
    State or Province Name (full name) []:Victoria
    Organization Name (eg, company) []:CA Technologies
    Organizational Unit Name (eg, section) []:CA Directory
    Common Name (eg, your dxagent client name or your dxagent servers hostname) []:SCIM for <hostname>
    Using configuration from /opt/CA/Directory/dxserver/media/linux_x86_64/management-ui/install/openssl-ca/openssl-ca.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'AU'
    stateOrProvinceName   :ASN.1 12:'Victoria'
    organizationName      :ASN.1 12:'CA Technologies'
    organizationalUnitName:ASN.1 12:'CA Directory'
    commonName            :ASN.1 12:'SCIM for hostname'
    Certificate is to be certified until Sep  9 01:17:42 2023 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated
    Your certificate and key are stored in the PKCS12 file - /opt/CA/Directory/dxserver/media/linux_x86_64/management-ui/install/openssl-ca/out/scimclientcert.p12
    Your certificate is stored in file - /opt/CA/Directory/dxserver/media/linux_x86_64/management-ui/install/openssl-ca/out/scimclientcert.pem
    Your private key is stored in file - /opt/CA/Directory/dxserver/media/linux_x86_64/management-ui/install/openssl-ca/out/scimclientcert.key
    $

  3. Copy the certificates and key files to the appropriate locations on the machine where Directory Manager resides.
    Overwrite the existing certificates and key files in the destination location with these certificates and key files:

| File | Destination |
| --- | --- |
| scimclientcert.key, scimclientcert.pem | $DXUIHOME/api-server/certs |
| scimclientcert.key, scimclientcert.pem, scimclientcert.csr, scimclientcert.p12 | $DXUIHOME/out |
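
A pre-flight check for step 3, as an added example that is not part of the Broadcom article or product: it confirms that the new certificate is not about to expire and that the private key belongs to it before overwriting the files in the two destinations listed above. The function names, the 30-day default, the file modes, and the assumptions that all four files sit in the same output folder and that the .key file is an unencrypted PEM key are choices made for this example.

```shell
#!/bin/sh
# Added example, not Broadcom's code: verify the regenerated SCIM client
# certificate before overwriting the copies Directory Manager uses.
# Assumptions: openssl is on PATH, the .key file is an unencrypted PEM key,
# and the script runs as the account that owns $DXUIHOME.

# Succeeds if the certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if the private key $1 belongs to the certificate $2.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# install_scim_cert <openssl-ca/out dir> <DXUIHOME> [minimum days of validity]
install_scim_cert() {
    src=$1 home=$2 min_days=${3:-30} base=scimclientcert
    for ext in key pem csr p12; do
        [ -f "$src/$base.$ext" ] || { echo "missing $base.$ext" >&2; return 1; }
    done
    cert_valid_for_days "$src/$base.pem" "$min_days" ||
        { echo "certificate expires within $min_days days" >&2; return 1; }
    key_matches_cert "$src/$base.key" "$src/$base.pem" ||
        { echo "key does not match certificate" >&2; return 1; }
    for dest in "$home/api-server/certs" "$home/out"; do
        [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    done
    # Destinations come from the table in step 3; the file modes are a
    # hardening assumption of this example (private material owner-only).
    install -m 600 "$src/$base.key" "$home/api-server/certs/" &&
    install -m 644 "$src/$base.pem" "$home/api-server/certs/" &&
    install -m 600 "$src/$base.key" "$src/$base.p12" "$home/out/" &&
    install -m 644 "$src/$base.pem" "$src/$base.csr" "$home/out/"
}

# Usage: sh install_scim_cert.sh <openssl-ca/out dir> "$DXUIHOME"
if [ "$#" -ge 2 ]; then
    install_scim_cert "$@"
fi
```

Because the generated certificate is valid for 365 days, `cert_valid_for_days` can also be run on a schedule against `$DXUIHOME/api-server/certs/scimclientcert.pem` to flag the next expiry in advance.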