Certificates imported into Java cacerts are removed after IGA 15 server or cluster restart



Article ID: 436859


Products

CA Identity Suite

Issue/Introduction

Custom certificates (e.g., Root CA, Active Directory certificates for LDAPS) that were manually imported into the Java cacerts keystore are missing after a server or cluster restart in Identity Governance and Intelligence (IGA) 15.

Environment

  • Product: CA Identity Suite (IGA 15)
  • Version: 15.0.0-25 (Fix Pack 5) and above
  • OS: Ubuntu 22.04.5 LTS (or other supported Linux distributions)

Cause

In IGA 15, the suite service is designed to manage service-to-service communication security dynamically. During every service startup or cluster restart, the suite service refreshes the active Java cacerts truststore by overwriting it with internal configurations.

Any certificates manually added to the standard Java path (e.g., $JAVA_HOME/lib/security/cacerts) are lost because they are not part of the persistent configuration managed by the IGA 15 framework.

Resolution

To persist custom certificates across restarts in IGA 15, they must be imported into the trust.p12 truststore located in the cluster_conf directory. The suite service automatically merges the contents of this file into the Java cacerts during the startup sequence.

Steps to Persist Certificates

  1. Locate the persistent truststore: The file is located at /opt/brcm/iga/cluster_conf/properties/trust.p12

  2. Import the custom certificate: Use the keytool command to import your Root CA or server certificate into the trust.p12 file.

    ```bash
    keytool -importcert -file <your_ca_cert_file> -alias <unique_alias> -keystore /opt/brcm/iga/cluster_conf/properties/trust.p12 -storetype PKCS12
    ```

  3. Restart the IGA services:

    ```bash
    igactl restart idm
    ```

  4. Verify persistence: After the restart, verify that the certificate has been merged into the active Java cacerts:

    ```bash
    keytool -list -v -cacerts -storepass changeit | grep -i <your_alias>
    ```
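A stricter version of step 4, as an added example that is not part of the Broadcom article: instead of only grepping for the alias, it reads the SHA-256 fingerprint of the alias from trust.p12 and from the active cacerts and checks that both stores hold the same certificate, which distinguishes "not imported into the persistent store" from "imported but not merged". The TRUST_PASS and CACERTS_PASS variables, the default passwords, and the sample keytool listing are assumptions constructed for this example.

```bash
#!/bin/sh
# Added example (not from the Broadcom article): after `igactl restart idm`, confirm that
# the certificate imported into the persistent trust.p12 was really merged into the
# active Java cacerts by comparing SHA-256 fingerprints, not just by grepping the alias.
set -eu

TRUST_P12=/opt/brcm/iga/cluster_conf/properties/trust.p12   # path given in the article
TRUST_PASS="${TRUST_PASS:-changeit}"       # assumption: trust.p12 password, override via env
CACERTS_PASS="${CACERTS_PASS:-changeit}"   # default JDK cacerts password, as in the article

# Read `keytool -list -v` output on stdin and print the SHA256 fingerprint of the entry
# whose alias is $1. keytool treats aliases case-insensitively, so compare in lower case.
fingerprint_for_alias() {
  awk -v want="$1" '
    /^Alias name:/ { cur = substr($0, index($0, ":") + 2) }
    /SHA256:/ && tolower(cur) == tolower(want) { print $NF; exit }
  '
}

# Return 0 only if alias $1 is in the persistent store AND the same certificate is in
# the active cacerts; otherwise print the reason to stderr and return 1.
verify_merged() {
  persistent=$(keytool -list -v -keystore "$TRUST_P12" -storetype PKCS12 \
                 -storepass "$TRUST_PASS" | fingerprint_for_alias "$1")
  active=$(keytool -list -v -cacerts -storepass "$CACERTS_PASS" | fingerprint_for_alias "$1")
  if [ -z "$persistent" ]; then
    echo "alias '$1' is not in $TRUST_P12: it will not survive a restart" >&2; return 1
  elif [ "$persistent" != "$active" ]; then
    echo "alias '$1' is in trust.p12 but missing from (or differs in) cacerts" >&2; return 1
  fi
  echo "alias '$1' present in both stores with SHA256 $persistent"
}

# Constructed sample of `keytool -list -v` output, used to exercise the parser offline.
SAMPLE_LISTING='Alias name: corp-root-ca
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA1: 11:22:33:44
         SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99

*******************************************
Alias name: other-entry
Certificate fingerprints:
         SHA256: 00:11:22:33'

# Real check when an alias is given, e.g.  IGA_ALIAS=corp-root-ca sh verify_trust.sh
if [ -n "${IGA_ALIAS:-}" ]; then
  verify_merged "$IGA_ALIAS"
fi
```

A non-zero exit with a message on stderr means either the alias never reached trust.p12 or the startup merge did not carry it into cacerts.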