This document provides the steps to update the certificate used for internal communication only (i.e., port 443), which is the internal communication channel between the PAM server and the agents.
Starting from PAM 4.4 CP04, we have introduced a new configuration parameter, transport.secure.custom.cert, to enable custom certificates.
If only the agents are non-functional (while the server itself is working), it is a good idea to verify these parameters.
For example, when the certificate has expired, entries like the following appear in c2o.log:
2025-10-24 15:45:18,901 ERROR [com.optinuity.c2o.transport.CertificateManager] [33-dc5477d0525e] Certificate has expired -
2025-10-24 15:45:18,901 WARN [com.optinuity.c2o.transport.Client] [33-dc5477d0525e] IO Error or connection aborted while executing request or processing HTTP response.
javax.net.ssl.SSLHandshakeException: Error validating server is trusted, No valid certificate found in certificate chain
Caused by: java.security.cert.CertificateException: Error validating server is trusted, No valid certificate found in certificate chain
2025-10-24 15:45:18,901 ERROR [com.optinuity.c2o.transport.CertificateTrustManager] [8b-602a830036af] Error validating server is trusted -
java.security.cert.CertificateException: No valid certificate found in certificate chain
The "Certificate has expired -..." entry in c2o.log lists all the parameters of the expired certificate.
ITPAM 4.4 CP04 and later
1. Generate a self-signed certificate with a 2048-bit RSA key:
keytool -genkey -alias <Alias Here> -keyalg RSA -keysize 2048 -keystore <Keystore Name Here>.jks
Example:
keytool -genkey -alias agentkeystore -keyalg RSA -keysize 2048 -keystore agentkeystore.jks
Note 1: Run the keytool command from %JAVA_HOME%\bin on the ITPAM server(s).
Note 2: For a stronger key, use a 4096-bit key size: -keysize 4096
Note 3: Use the KEYSTOREID value from PAM\wildfly\standalone\.config\OasisConfig.properties as the password for the new JKS file.
2. Add the following entries, with the details of the self-signed certificate from step 1, to PAM\wildfly\standalone\.config\OasisConfig.properties:
transport.secure.custom.cert=true
itpam.custom.transport.keystorepath=<local drive>/PAM/wildfly/standalone/.config/<Keystore Name Here>.jks
itpam.custom.transport.keystore.password=<encrypted password>
itpam.custom.transport.keystorealias=<Alias From Step 1 Here>
Note: For itpam.custom.transport.keystore.password, you can use the same value set for itpam.web.keystore.password, since it is the same password.
3. Restart the ITPAM service to apply the changes.
Note 1: This configuration is only effective if PAM is installed in HTTPS mode, and it applies to the PAM Orchestrator port, not the load balancer port.
Note 2: In a clustered environment, perform these steps on every node.
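The following Python script is an added example, not part of the original article or of the PAM product: it spots the "Certificate has expired" signature from the c2o.log excerpt above and checks that an OasisConfig.properties excerpt carries the four settings from step 2. The log lines and properties text are constructed samples, and the properties reader is a deliberately minimal parser of the key=value form shown in step 2.

```python
import re

# Signature the article shows in c2o.log when the internal certificate has expired.
EXPIRED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR \[com\.optinuity\.c2o\.transport\.CertificateManager\] "
    r"\[(?P<thread>[^\]]+)\] Certificate has expired"
)
# Settings from step 2: the flag must be "true", the other three must be present and non-empty.
FLAG_KEY = "transport.secure.custom.cert"
VALUE_KEYS = (
    "itpam.custom.transport.keystorepath",
    "itpam.custom.transport.keystore.password",
    "itpam.custom.transport.keystorealias",
)

# Constructed samples, not captured from a real system (the password line is deliberately missing).
SAMPLE_LOG = """2025-10-24 15:45:18,901 ERROR [com.optinuity.c2o.transport.CertificateManager] [33-dc5477d0525e] Certificate has expired -
2025-10-24 15:45:18,901 WARN [com.optinuity.c2o.transport.Client] [33-dc5477d0525e] IO Error or connection aborted while executing request or processing HTTP response.
"""
SAMPLE_PROPS = """# OasisConfig.properties excerpt
transport.secure.custom.cert=true
itpam.custom.transport.keystorepath=C:/PAM/wildfly/standalone/.config/agentkeystore.jks
itpam.custom.transport.keystorealias=agentkeystore
"""

def find_expired_cert_events(log_text):
    """Return (timestamp, thread id) for each 'Certificate has expired' entry in c2o.log text."""
    hits = (EXPIRED_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group("ts"), m.group("thread")) for m in hits if m]

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_transport_config(props):
    """List what is wrong with the custom-cert settings; an empty list means step 2 is complete."""
    findings = []
    if props.get(FLAG_KEY, "").lower() != "true":
        findings.append(f"{FLAG_KEY} is not 'true', so the custom certificate is not used")
    findings += [f"{key} is missing or empty" for key in VALUE_KEYS if not props.get(key)]
    return findings
```

Run find_expired_cert_events over the real c2o.log and check_transport_config over the parsed OasisConfig.properties on each node; any finding points at the step of the procedure that is still incomplete.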