How to Replace the Enterprise Service Manager (ESM) Certificate

Article ID: 9784

Products

CA API Gateway Enterprise Service Manager (Layer 7) CA API Gateway

Issue/Introduction

  • In some scenarios the ESM certificate needs to be replaced: the old certificate is expiring, an updated certificate has been issued, etc. When the ESM certificate has to be replaced, a few steps are needed to ensure trust remains established between ESM and the CA API Gateway.



Environment

  • Enterprise Service Manager (ESM) application running on an API Gateway. All versions.

Cause

Expiring or Changing Certificate

Resolution

  1. Log into the ESM Management Console.
  2. Click on the Settings tab -> System Settings sub tab.
  3. Click on the System Information section and under SSL Certificate click 'Change'.
  4. Upload the SSL certificate key store.
  5. Log into the ESM via command line as the ssgconfig user and select option 7) Display Enterprise Service Manager configuration menu:
    1. Select option Disable the Enterprise Service Manager -> Stop ESM and select yes
    2. Select option Enable the Enterprise Service Manager (Start the ESM)
  6. Log into the ESM Management Console -> Click on the Settings tab -> System Settings sub tab, then highlight the SSL Certificate thumbprint and copy it to the clipboard.
  7. Log into the Gateway that will be managed via command line.
    1. Delete the OLD certificate: 5) Display Remote Management configuration menu > 4) Delete Trusted Certificate > Enter "Yes" to confirm
    2. Add the NEW certificate: 4) New Trusted Certificate > ESM Certificate > Copy in the thumbprint taken earlier > Trust Certificate for Remote Node Management > Enter "S" to save changes
    3. If you have the root password, select option 3) Use a privileged shell (root) and from the command line run the command 'service ssg restart'
      • Without the root password, reboot the appliance: R) Reboot the SSG appliance (apply the new configuration) > Enter "Y" to confirm
  8. Log into the Policy Manager of the Gateway - Tasks > Manage ESM User Mappings > Select the ESM ID under Trusted Enterprise Service Managers > Click on Remove Registration > Click "OK" to confirm Remove ESM Registration and Delete User Mappings
  9. Log into the ESM Management Console > Establish Trust Relationship with Gateway
  10. Re-map all user accounts to the Gateway.
  11. Repeat steps 7 to 9 for each Gateway that is managed by ESM.

Additional Information

  • Both the Gateway and ESM appliances must be restarted to complete the change, so that the new certificates are recognized.