Upgrade the keysize of EEM certificates

Article ID: 251518

Products

CA Workload Automation AE

Issue/Introduction

The security standards of applications that use Embedded Entitlement Manager (EEM) for authentication and authorization do not allow certificates with a key length of less than 2048.

By default, EEM installs its certificates with a key size of 1024.

# cd /opt/CA/SharedComponents/iTechnology
# openssl x509 -in igateway.cer -text -noout | grep "Public-Key"
Public-Key: (1024 bit)

This document explains the procedures to upgrade the key length and digest algorithm to meet the requirement.

Environment

Release : 12.6 and higher

Component : Embedded Entitlement Manager (EEM)

Cause

The applications fail to communicate with an EEM server whose certificates have a key size below the standard.

Resolution

Log in to the EEM server as the owner of the EEM install directories (root).

Take a backup of the files:

/opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/personalities/itechpoz.pem

/opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz-trusted.pem

All *.conf, *.xml, *.cer, and *.key * files from directory /opt/CA/SharedComponents/iTechnology

Set the required environment variables:

# export EIAM_HOME=/opt/CA/SharedComponents/EmbeddedEntitlementsManager
# export JAVA_HOME=$EIAM_HOME/jre
# export PATH=$EIAM_HOME/jre/bin:$PATH

Navigate to $EIAM_HOME/bin and execute eiam-clustersetup.jar as shown below:

# cd $EIAM_HOME/bin

# java -jar eiam-clustersetup.jar 
Oct 06, 2022 1:39:25 AM IclUtil itechLibInit
INFO: iTechSDK initialized successfully
INFO  - EIAM_HOME [/opt/CA/SharedComponents/EmbeddedEntitlementsManager/]
INFO  - IGW_LOC [/opt/CA/SharedComponents/iTechnology/]
INFO  - DXHOME [/opt/CA/SharedComponents/CADirectory/dxserver/]
INFO  - Hostname identified as [eem-server]
INFO  - Failover tool is running on primary server
INFO  - Checking server status
INFO  - igateway status      [started]
INFO  - dxserver status      [started]

Are you sure you want to continue? [Y/N]:Y
[eem-server]>modifycerts
INFO  - Enter Certificate Key Length [default = 1024]
INFO  -    [1] 1024
INFO  -    [2] 2048
INFO  -    [3] 4096
Select key length from [1 - 3] : 2
Enter Digest Algorithm [default = SHA256]
INFO  - Enter Digest Algorithm [default = SHA256]
INFO  -    [1] SHA1
INFO  -    [2] SHA256
INFO  -    [3] SHA384
INFO  -    [4] SHA512
Select Digest algorithm from [1 - 4] : 2
=======================================================
INFO  - Summary
=======================================================
INFO  - Upgrading all certificates to key length: [2048]
INFO  - Upgrading all certificates to [digest algorithm : SHA256]
-------------------------------------------------------
Are you sure you want to continue? [Y/N]:Y
INFO  - Stopping dxserver service
INFO  - Stopping igateway service
INFO  - Generating : iAuthority certificates [key length: 2048, digest algorithm: SHA256
INFO  - Generating : iControl certificates [key length: 2048, digest algorithm: SHA256
INFO  - Generating : iGateway certificates [key length: 2048, digest algorithm: SHA256
INFO  - Generating : iauthority sdk configuration [/opt/CA/SharedComponents/iTechnology/iAuthority.iTechSDK.xml]
INFO  - Generating : DSA certificates [key length: 2048, digest algorithm: SHA256
INFO  - 
INFO  - 
INFO  - Generating file : /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz-trusted.pem
INFO  - 
INFO  - Starting dxserver service
INFO  - Starting igateway service
INFO  - Run [status] to get server details.
[eem-server]>status
INFO  - Checking server status
INFO  - igateway status      [started]
INFO  - dxserver status      [started]
[eem-server]>exit
#

The certificates have now been successfully regenerated. Follow the instructions for each application that relies on EEM to configure it to use the new certificates.
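To confirm the result, the single `openssl x509 ... | grep "Public-Key"` check from the introduction can be extended to every *.cer file in a directory. The script below is an added example, not part of the original article or the vendor's tooling; its function names, verdict labels and the choice to flag SHA-1/MD5 signatures are assumptions of this example, and it assumes RSA certificates.

```shell
#!/bin/sh
# Added example (not vendor code): audit certificates after `modifycerts`.
MIN_BITS=2048   # minimum key length named in the article

# Read `openssl x509 -text -noout` output on stdin and print
# "<bits> <signature-algorithm> <verdict>". Assumes RSA certificates.
classify_cert_text() {
    awk -v min="$MIN_BITS" '
        /Public-Key:/ && bits == "" {          # e.g. "Public-Key: (2048 bit)"
            s = $0; sub(/.*\(/, "", s); sub(/ .*/, "", s); bits = s
        }
        /Signature Algorithm:/ && alg == "" { alg = $NF }
        END {
            if (bits == "" || alg == "") { print "? ? UNREADABLE"; exit }
            verdict = "OK"
            if (bits + 0 < min) verdict = "WEAK_KEY"
            else if (tolower(alg) ~ /sha1|md5/) verdict = "WEAK_DIGEST"
            print bits, alg, verdict
        }'
}

# audit_dir DIR: check every *.cer file in DIR (first certificate per file).
# Returns non-zero if any file is weak or cannot be parsed.
audit_dir() {
    rc=0
    for f in "$1"/*.cer; do
        [ -f "$f" ] || continue
        result=$(openssl x509 -in "$f" -text -noout 2>/dev/null | classify_cert_text)
        echo "$f: $result"
        case $result in *" OK") ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed excerpt of `openssl x509 -text -noout` output (not a real certificate).
sample_text() {
    printf '    Signature Algorithm: %s\n' "$2"
    printf '            Public-Key: (%s bit)\n' "$1"
}

if [ "$#" -gt 0 ]; then
    audit_dir "$1"      # e.g. /opt/CA/SharedComponents/iTechnology
else
    # No directory given: demonstrate on the constructed sample.
    sample_text 1024 sha256WithRSAEncryption | classify_cert_text   # 1024 sha256WithRSAEncryption WEAK_KEY
fi
```

Saved under a name of your choice and run with /opt/CA/SharedComponents/iTechnology as its argument, it exits non-zero if any certificate there still fails the check.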

 

Additional Information

Certificates with Custom Key Length for CA EEM Server