The security standards of applications that use Embedded Entitlement Manager (EEM) for authentication and authorisation do not allow certificates with a key length of less than 2048 bits.
EEM installed the certificates with a key size of 1024 by default.
# cd /opt/CA/SharedComponents/iTechnology
# openssl x509 -in igateway.cer -text -noout | grep "Public-Key"
Public-Key: (1024 bit)
Release : 12.6 and higher
Component : Embedded Entitlement Manager (EEM)
Applications fail to communicate with an EEM server whose certificate key size is less than the standard.
Log in to the EEM server as the owner of the EEM install directories (root).
Take a backup of the files:
/opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/personalities/itechpoz.pem
/opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz-trusted.pem
All *.conf, *.xml, *.cer, and *.key * files from directory /opt/CA/SharedComponents/iTechnology
Set the required environment variables:
# export EIAM_HOME=/opt/CA/SharedComponents/EmbeddedEntitlementsManager
# export JAVA_HOME=$EIAM_HOME/jre
# export PATH=$EIAM_HOME/jre/bin:$PATH
Navigate to $EIAM_HOME/bin and execute eiam-clustersetup.jar as shown below:
# cd $EIAM_HOME/bin
# java -jar eiam-clustersetup.jar
Oct 06, 2022 1:39:25 AM IclUtil itechLibInit
INFO: iTechSDK initialized successfully
INFO - EIAM_HOME [/opt/CA/SharedComponents/EmbeddedEntitlementsManager/]
INFO - IGW_LOC [/opt/CA/SharedComponents/iTechnology/]
INFO - DXHOME [/opt/CA/SharedComponents/CADirectory/dxserver/]
INFO - Hostname identified as [eem-server]
INFO - Failover tool is running on primary server
INFO - Checking server status
INFO - igateway status [started]
INFO - dxserver status [started]
Are you sure you want to continue? [Y/N]:Y
[eem-server]>modifycerts
INFO - Enter Certificate Key Length [default = 1024]
INFO - [1] 1024
INFO - [2] 2048
INFO - [3] 4096
Select key length from [1 - 3] : 2
Enter Digest Algorithm [default = SHA256]
INFO - Enter Digest Algorithm [default = SHA256]
INFO - [1] SHA1
INFO - [2] SHA256
INFO - [3] SHA384
INFO - [4] SHA512
Select Digest algorithm from [1 - 4] : 2
=======================================================
INFO - Summary
=======================================================
INFO - Upgrading all certificates to key length: [2048]
INFO - Upgrading all certificates to [digest algorithm : SHA256]
-------------------------------------------------------
Are you sure you want to continue? [Y/N]:Y
INFO - Stopping dxserver service
INFO - Stopping igateway service
INFO - Generating : iAuthority certificates [key length: 2048, digest algorithm: SHA256
INFO - Generating : iControl certificates [key length: 2048, digest algorithm: SHA256
INFO - Generating : iGateway certificates [key length: 2048, digest algorithm: SHA256
INFO - Generating : iauthority sdk configuration [/opt/CA/SharedComponents/iTechnology/iAuthority.iTechSDK.xml]
INFO - Generating : DSA certificates [key length: 2048, digest algorithm: SHA256
INFO -
INFO -
INFO - Generating file : /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz-trusted.pem
INFO -
INFO - Starting dxserver service
INFO - Starting igateway service
INFO - Run [status] to get server details.
[eem-server]>status
INFO - Checking server status
INFO - igateway status [started]
INFO - dxserver status [started]
[eem-server]>exit
#
The certificates have now been successfully regenerated. Follow the instructions for the respective application(s) that rely on EEM to configure them to use the new certificates.
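To confirm the result, the openssl check from the top of this article can be run over every certificate file instead of only igateway.cer. The script below is an added example, not part of the original article or of EEM; the function names and the MIN_BITS variable are assumptions for illustration, and only the first certificate in each file is inspected.

```shell
#!/bin/sh
# Added example (not from the original article): report certificate key sizes.
MIN_BITS=2048   # minimum key length named in the article

# Read `openssl x509 -text -noout` output on stdin and print the key size.
# Accepts "Public-Key: (2048 bit)" and the older "RSA Public Key: (1024 bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the first "Signature Algorithm" value from the same text on stdin.
sig_alg() {
    sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Classify one text dump on stdin: prints "OK|WEAK|UNKNOWN <bits> <alg>".
# Returns 0 only when the key size is at least MIN_BITS.
classify() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | key_bits)
    alg=$(printf '%s\n' "$text" | sig_alg)
    if [ -z "$bits" ]; then
        echo "UNKNOWN - ${alg:--}"; return 2
    elif [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WEAK $bits ${alg:--}"; return 1
    fi
    echo "OK $bits ${alg:--}"
}

# Check the first certificate in every *.cer and *.pem file of a directory.
# Returns non-zero if any file is below MIN_BITS or cannot be parsed.
audit_dir() {
    dir=$1; rc=0
    for f in "$dir"/*.cer "$dir"/*.pem; do
        [ -f "$f" ] || continue
        result=$(openssl x509 -in "$f" -text -noout 2>/dev/null | classify) || rc=1
        echo "$f: $result"
    done
    return "$rc"
}

# Run only when a directory is given, e.g. /opt/CA/SharedComponents/iTechnology
if [ -n "${1:-}" ]; then
    audit_dir "$1"
fi
```

Run it once before modifycerts and once after, passing the directory to check as the first argument; a non-zero exit status means at least one file is still below MIN_BITS or could not be read as a certificate.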