How to replace the expired default Nolio certificate

Article ID: 204136


Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

The product team observed that a CA Release Automation (CARA) certificate (alias: nolio), issued with a validity of 10 years, expired on November 26, 2020. If you have enabled Nolio to use Single Sign-On, this expired certificate may impact your Nolio SSO setup. If it does, this article describes how to work around the problem.

If the expired certificate is causing connection problems between Execution Servers and Agents that are set up to communicate securely, please review the following KB Article: Agent Connection Problems: General SSLEngine problem

Environment

Release : 6.4, 6.6, 6.7

Component : CA RELEASE AUTOMATION RELEASE OPERATIONS CENTER

Cause

As described in the product documentation: Enable Single Sign-On

Step 4 outlines what needs to be done if you are replacing the default SAML keystore used by Nolio. The instructions show where the nolio.jks file is defined in applicationContext-acegi-security.xml, along with the nolio alias. This is the certificate that has expired.

Resolution

Please see below for the workaround.

Note:

  • New certificates for 6.7 are being prepared to be delivered via the next 6.7 cumulative patch (aka 6.7.3). This patch is available. Its Release Notes can be found here: Release Notes for 6.7.3
  • New certificates for 6.6 are being prepared to be delivered via the next 6.6 cumulative patch (aka 6.6.8). The ETA for this cumulative is March-April of 2021. 

 

The workaround for this issue is to create a new self-signed certificate and replace the default SAML keystore.

Follow the instructions below to generate a new certificate and replace the expired one:

keytool -genkeypair -alias nolio -sigalg SHA1WITHRSA -keyalg RSA -keystore nolio_saml.jks -storepass '*******' -validity 3650

Note: The storepass value above is masked. It can be replaced with the password used by the nolio.jks keystore (in plain text). The password for nolio.jks can be found in the file conf\server.xml on the NAC. If you use a different password, be sure to update the password in the applicationContext-acegi-security.xml file, as mentioned in step 4 of the product documentation.

 

After a new self-signed certificate has been created, proceed with the adjustments outlined in step 4 in the product documentation for Enable Single Sign-On. If you used the command above, then at a minimum you will need to update the keystore filename to point to the nolio_saml.jks keystore created above. 
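
An added example, not part of the vendor article or product documentation: a shell check that reads `keytool -list -v` output and reports whether the certificate under the nolio alias has expired, usable on both the old nolio.jks and the new nolio_saml.jks. It assumes GNU date and English-locale keytool output; the function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes GNU date and English keytool output.
# Live use:
#   keytool -list -v -keystore nolio_saml.jks -alias nolio | cert_status nolio

# Print the "until" timestamp of the first certificate under alias $1,
# reading `keytool -list -v` text from stdin.
cert_not_after() {
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Valid from: / && alias == want { sub(/^.* until: /, ""); print; exit }'
}

# Print a status line for alias $1; $2 is "now" in epoch seconds (default: current time).
# Return codes: 0 valid, 1 expired, 2 alias not found, 3 date not parseable.
cert_status() {
    now=${2:-$(date +%s)}
    not_after=$(cert_not_after "$1")
    [ -n "$not_after" ] || { echo "MISSING $1"; return 2; }
    end=$(date -d "$not_after" +%s 2>/dev/null) || { echo "UNPARSEABLE $not_after"; return 3; }
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED $not_after"
        return 1
    fi
    echo "VALID $(( (end - now) / 86400 )) days left"
}

# Constructed sample of keytool output (dates and names are illustrative).
sample_keytool_output() {
    cat <<'EOF'
Alias name: nolio
Creation date: Nov 29, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example
Issuer: CN=example
Valid from: Mon Nov 29 12:00:00 UTC 2010 until: Thu Nov 26 12:00:00 UTC 2020
Signature algorithm name: SHA1withRSA
EOF
}

# Demo on the constructed sample; prints an EXPIRED line when run today.
sample_keytool_output | cert_status nolio || true
```

The non-zero return codes let the check be used from a scheduled job or monitoring script to flag a keystore before its certificate expires.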

 

Additional Information

If the expired certificate is causing connection problems between Execution Servers and Agents that are set up to communicate securely, please review KB Article 204279: Agent Connection Problems: General SSLEngine Problem