How to Replace the Enterprise Service Manager (ESM) Certificate
Article ID: 9784
Products
CA API Gateway Enterprise Service Manager (Layer 7)
CA API Gateway
Issue/Introduction
In some scenarios the ESM certificate needs to be replaced, for example when the old certificate is expiring or an updated certificate has been issued. When the ESM certificate is replaced, a few steps are needed to ensure that trust is still established between the ESM and the CA API Gateway.
Environment
Enterprise Service Manager (ESM) application running on an API Gateway. All versions.
Cause
Expiring or Changing Certificate
Resolution
Log into the ESM Management Console.
Click on the Settings tab -> System Settings sub tab.
Click on the System Information section and under SSL Certificate click 'Change'.
Upload SSL certificate key store.
Log into the ESM via the command line as the ssgconfig user and select option 7) Display Enterprise Service Manager configuration menu.
Select option Disable the Enterprise Service Manager -> Stop ESM and select yes.
Select option Enable the Enterprise Service Manager (Start the ESM).
Log into the ESM Management Console -> Click on the Settings tab -> System Settings sub tab, then highlight the SSL Certificate thumbprint and copy it to the clipboard.
Log into the Gateway that will be managed via command line
Delete the OLD certificate: 5) Display Remote Management configuration menu > 4) Delete Trusted Certificate > Enter "Yes" to confirm
Add the NEW Certificate - 4) New Trusted Certificate > ESM Certificate > Copy in the thumbprint taken earlier > Trust Certificate for Remote Node Management > Enter "S" to save changes
If you have the root password, select option 3) Use a privileged shell (root) and from the command line run the command: service ssg restart
Without the root password, reboot the appliance - R) Reboot the SSG appliance (apply the new configuration) > Enter "Y" to confirm
Log into the Policy Manager of the Gateway - Tasks > Manage ESM User Mappings > Select the ESM ID under Trusted Enterprise Service Managers > Click on Remove Registration > Click "OK" to confirm Remove ESM Registration and Delete User Mappings
Log into the ESM Management Console > Establish Trust Relationship with Gateway
Re-map all user accounts to the Gateway.
Repeat steps 7 to 9 for each Gateway that is managed by ESM.
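Before the copied thumbprint is trusted on a Gateway, it can be checked against the certificate that was actually uploaded. The following is an added example, not part of the original article or the product: it assumes the console shows a hex digest (SHA-1 or SHA-256) of the DER-encoded certificate, and the function names are hypothetical.

```python
import hashlib
import hmac
import ssl
import string

# Assumption: the displayed thumbprint is a hex digest of the DER certificate.
ALGORITHMS = ("sha1", "sha256")


def normalize(thumbprint):
    """Strip whitespace, ':' and '-' left by copy/paste; None if not pure hex."""
    cleaned = "".join(thumbprint.split()).replace(":", "").replace("-", "").lower()
    if cleaned and all(c in string.hexdigits for c in cleaned):
        return cleaned
    return None


def to_der(cert):
    """Accept PEM text (str or bytes) or raw DER bytes and return DER bytes."""
    if isinstance(cert, bytes) and not cert.lstrip().startswith(b"-----BEGIN"):
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    return ssl.PEM_cert_to_DER_cert(text.strip())


def match_thumbprint(cert, pasted):
    """Return the digest name whose fingerprint equals the pasted value, else None.

    A truncated paste fails the length check, so a partial copy never matches.
    """
    wanted = normalize(pasted)
    if wanted is None:
        return None
    der = to_der(cert)
    for name in ALGORITHMS:
        actual = hashlib.new(name, der).hexdigest()
        if len(wanted) == len(actual) and hmac.compare_digest(wanted, actual):
            return name
    return None


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    sample = b"constructed placeholder bytes, not a real certificate"
    digest = hashlib.sha1(sample).hexdigest().upper()
    shown = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    print(match_thumbprint(sample, shown))        # matching thumbprint
    print(match_thumbprint(sample, shown[:-3]))   # truncated paste
```

A result of None means the pasted value does not belong to the certificate that was checked and should not be trusted on the Gateway.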
Additional Information
The Gateway and ESM appliances must be restarted to complete the change so that the new certificates are recognized.