Renew an expired SSL certificate for Admin Console, CABI or OC
search cancel

Renew an expired SSL certificate for Admin Console, CABI or OC

book

Article ID: 121612

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) Unified Infrastructure Management for Mainframe CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

After implementing HTTPS in Admin Console, CABI or OC by following the documentation here, an SSL certificate will eventually expire and need to be renewed.  

This article describes two methods for renewing an existing SSL certificate associated with a wasp probe (Admin Console, CABI or OC).

 It is important to be familiar with using the Java keytool utility to generate certificate requests and import certificates. This process is documented here:

Configure HTTPS in Admin Console or Operator Console (Self-Signed Certificate)

   or

Configure HTTPS in Admin Console or Operator Console (Authority-Signed Certificate)

During this process, when initially setting up SSL for OC or Admin Console, a callback is run on the wasp probe called ssl_reinitialize_keystore to set the initial password for the keystore. It is critical that you remember or record this password for future certificate renewals.  If you do not remember it, you will need to start the entire process from scratch, as if it was the first time you are implementing a new certificate.

Environment

Release: DX UIM 20.4.x / 23.4

Component: OC (Operator Console) / Admin Console

Cause

Guidance

Resolution

Option 1 - If you remember/recorded the keystore password:

If you remember/recorded the keystore password from the initial setup then renewing the certificate is a simple process.

First, you should have received an updated .CER or .CRT file from your Certificate Authority in response to your renewal request.  It is assumed that you issued a request for a renewal of the existing certificate that you've been using for OC/Admin Console.

Place this file into the appropriate location under (INSTALL LOCATION)/probes/service/wasp/conf/ on the OC/Admin Console server(s).

Next, you will use the Java Keytool to replace the certificate:

<OC or UIM server_installation>/jre/<jre_version>/bin/keytool  -import  -trustcacerts  -alias wasp  -file <your_domain>.crt  -keystore <OC or UIM Server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore

Example (windows x86)

X:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool -import -trustcacerts -alias wasp -file certificate.cer -keystore "X:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore"

If prompted to overwrite the existing alias - enter "yes" at the prompt.

You will need to provide the keystore password at this point.

Once this is done you can simply restart the wasp probe & cabi if applicable and the new certificate will be in place.

 

Option 2 - If you do not remember/did not record the initial keystore password:

If you did not record or remember the password from the initial certificate creation, the only option is to proceed as if you are generating a brand-new request.  That is to say, you must reinitialize the keystore, generate a new Certificate Signing Request, request a new certificate, and install it based on the documentation linked above.

Additional Information

Note for customers using the built-in, self-signed certificates:

If you are using the default/built-in self-signed certificate for SSL in your environment, as opposed to a CA-issued certificate, the process to renew the certificate is as follows:

1. highlight the 'wasp' probe in Infrastructure Manager and press CTRL+P for the probe utility, or select the wasp probe in Admin Console and choose "Open Probe Utility in New Window."
2. Within the Probe Utility, execute the callback "ssl_reinitialize_keystore" and provide a keystore password.
3. restart the wasp probe after executing the callback and the new/updated self-signed certificate will be in place.

Note: You do not need to remember or provide the old keystore password in this case - we are performing a "reset" of the self-signed certificate so whatever password you provide for the ssl_reinitialize_keystore callback will be the password for the new keystore/certificate going forward.

The above process will implement the default, 1024-bit SSL self-signed certificate. Some customers may have implemented a 2048-bit self-signed certificate instead.

If you have implemented a 2048-bit certificate and if you remember the keystore password, then refer to the following documentation and start at the step "Export the Private Key":

SSL Configuration

If the private key is already present you can likely move on to the next step, but it would not hurt to re-export it to make sure it is correct.

If you do not remember the keystore password, or if you have not previously used a 2048-bit certificate (or are not sure) and would like to do so, then start at the beginning of the above document to create a new keystore and certificate.