How to renew an expired SSL certificate for Admin Console, CABI or UMP

book

Article ID: 121612

calendar_today

Updated On:

Products

NIMSOFT PROBES DX Infrastructure Management CA Unified Infrastructure Management for z Systems CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

After implementing HTTPS in Admin Console, CABI or UMP by following the documentation here, an SSL certificate will eventually expire and need to be renewed.  

This article describes two methods for renewing an existing SSL certificate associated with a wasp probe (Admin Console, CABI or UMP).

 It is important to be familiar with using the Java keytool utility to generate certificate requests and import certificates.  This process is documented here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-1/installing/optional-post-installation-tasks/configure-https-in-admin-console-or-ump.html

During this process, when initially setting up SSL for UMP or Admin Console, a callback is run on the wasp probe called ssl_reinitialize_keystore to set the initial password for the keystore. It is critical that you remember or record this password for future certificate renewals.  If you do not remember it, you will need to start the entire process from scratch, as if it was the first time you are implementing a new certificate.

Environment

Release: 8.5+, 9.10, 9.20,  20+
Component: UMP

Resolution

Option 1 - If you remember/recorded the keystore password:

If you remember/recorded the keystore password from the initial setup then renewing the certificate is a simple process.

First, you should have received an updated .CER or .CRT file from your Certificate Authority in response to your renewal request.  It is assumed that you issued a request for a renewal of the existing certificate which you've been using for UMP/Admin Console.

Place this file into the appropriate location under (INSTALL LOCATION)/probes/service/wasp/conf/ on the UMP/Admin Console server(s).

Next, you will use the Java Keytool to replace the certificate:

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool  -import  -trustcacerts  -alias wasp  -file <your_domain>.crt  -keystore <UMP or UIM Server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore

If prompted to overwrite the existing alias - enter "yes" at the prompt.


You will need to provide the keystore password at this point.

Once this is done you can simply restart the wasp probe & cabi if applicable and the new certificate will be in place.

Option 2 - If you do not remember/did not record the initial keystore password:

If you did not record or remember the password from the initial certificate creation, the only option is to proceed as if you are generating a brand new request.  That is to say, you must reinitialize the keystore, generate a new Certificate Signing Request, request a new certificate, and install it based on the documentation linked above.