Internal system certificates about to expire - What to do?

Technical Blog Post


When you install IBM Sterling B2B Integrator (ISBI) or Sterling File Gateway (SFG), a set of internal system certificates is created with a validity period of 2 years.

When those certificates expire, there is often confusion about which ones need to be renewed and how.
This blog explains how the internal system certificates are used, to help you decide whether you need to renew them or not.


I would like to start by stressing that you should not delete any of the internal system certificates without prior support approval, even if they have expired: deleting internal system certificates can cause the application to stop working.
When in doubt, please contact support.


Certificates with dates appended to their names:

Certificates that have a date appended to their name, for example OpsDrv_201405120946, are backup certificates created during the installation of ISBI or during a fix pack install; sometimes new certificates are created and the old ones are renamed. They do not need to be renewed and can be added to the exclusion list of the "CheckExpire" service so that they no longer show in the report you receive by email.
You should have another set of certificates with exactly the same name but without the date appended.
The procedure to add certificates to the exclusion list of the CheckExpire service is at the bottom of this blog.



Certificates that do not need to be renewed:

The system certificates OpsDrv, B2BHttp, UIKey, OpsKey and DefDBCrypt do not need to be renewed and can be added to the exclusion list of the "CheckExpire" service. Do not delete these certificates; they should remain on the system.


CLA2 SSL certificates:

cla2auth and cla2ssl are used by the Command Line Adapter 2 (CLA2) for SSL.
If you are using the CLA2 adapter with SSL enabled, you might need to renew the certificates if they have the validity option set; edit the certificate to verify the options assigned. By default the option is not set, which means you do not need to renew the certificates and can add them to the CheckExpire service exclusion list.
The following Technote has instructions on how to renew the CLA2 certificates for SSL:

http://www-01.ibm.com/support/docview.wss?uid=swg21883788


Document at rest encryption certificates:

doccrypto and doccrypto2 are used for encryption of documents at rest, so you need to verify whether you are using document encryption to determine whether they need to be renewed.

To verify their usage, check the ENC_DECR_DOCS entry in security.properties: if it is set to NONE then encryption is not used.
Also check your customer_overrides.properties, since the entry could be overridden there in the form security.ENC_DECR_DOCS.
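The check above can be scripted so that the override file is honoured the way the post describes. The script below is an added example, not IBM's own tooling: it reads the last uncommented KEY=value line from each file, lets customer_overrides.properties (key security.ENC_DECR_DOCS) take precedence over security.properties (key ENC_DECR_DOCS), and reports whether doccrypto is in use. The effective_property function works for any properties file and key, not only this one. The install directory is passed as the first argument; when none is given it runs against constructed sample files, which are not real ISBI content.

```shell
#!/bin/sh
# Added example (not from the IBM post): find the effective ENC_DECR_DOCS value,
# with customer_overrides.properties taking precedence over security.properties.

# prop_value FILE KEY: print the value of the last uncommented KEY=value line in FILE.
# ISBI property files use "=", so ":" separators and "\" continuation lines are not handled.
prop_value() {
    [ -f "$1" ] || return 0
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                  # Java-properties comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            i = index(line, "=")
            if (i == 0) next
            key = substr(line, 1, i - 1)
            sub(/[ \t]+$/, "", key)
            if (key == k) {
                val = substr(line, i + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                found = 1
            }
        }
        END { if (found) print val }
    ' "$1"
}

# effective_property INSTALL_DIR BASENAME KEY: look in customer_overrides.properties
# for BASENAME.KEY first, then fall back to BASENAME.properties for KEY.
effective_property() {
    v=$(prop_value "$1/properties/customer_overrides.properties" "$2.$3")
    if [ -z "$v" ]; then
        v=$(prop_value "$1/properties/$2.properties" "$3")
    fi
    printf '%s\n' "$v"
}

# doc_encryption_in_use INSTALL_DIR: yes / no / unknown, following the post's rule
# that NONE means document-at-rest encryption (and therefore doccrypto) is not used.
doc_encryption_in_use() {
    case "$(effective_property "$1" security ENC_DECR_DOCS)" in
        NONE) echo no ;;
        "")   echo unknown ;;   # key missing from both files: confirm in the UI before excluding
        *)    echo yes ;;
    esac
}

# make_sample_install: constructed property files for the demo (not real ISBI content).
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/properties"
    cat > "$d/properties/security.properties" <<'EOF'
# constructed sample security.properties
ENC_DECR_DOCS=NONE
CERT_NAME=doccrypto
EOF
    cat > "$d/properties/customer_overrides.properties" <<'EOF'
# constructed sample override; the value is a placeholder, anything but NONE counts as "on"
security.ENC_DECR_DOCS=PLACEHOLDER_ENCRYPTION_ON
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: use the install directory given as $1, else the constructed sample.
install_dir=${1:-}
cleanup=no
if [ -z "$install_dir" ]; then install_dir=$(make_sample_install); cleanup=yes; fi
printf 'effective security.ENC_DECR_DOCS : %s\n' "$(effective_property "$install_dir" security ENC_DECR_DOCS)"
printf 'effective security.CERT_NAME     : %s\n' "$(effective_property "$install_dir" security CERT_NAME)"
printf 'document encryption in use       : %s\n' "$(doc_encryption_in_use "$install_dir")"
if [ "$cleanup" = yes ]; then rm -rf "$install_dir"; fi
```

Run it as `sh check_doc_encryption.sh /path/to/install` on the ISBI host; a result of "yes" means doccrypto is in use and should be renewed rather than excluded, "no" means it can go on the CheckExpire exclusion list, and "unknown" means the key was found in neither file and the setting should be confirmed in the UI first.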

To replace the doccrypto certificate if required:
  - Create a new system certificate
  - Add the following line to the <install_directory>/properties/customer_overrides.properties file:
    security.CERT_NAME=<new certificate name>
  - Restart SBI


Dashboard SSL certificate:

The ASISslCert certificate is used for the SSL connection of the default dashboard user interface on baseport+1.
So if you access the dashboard or File Gateway UI with HTTP, the certificate is not in use and can be added to the exclusion list of the "CheckExpire" service.
If you are using HTTPS then the certificate is in use and needs to be renewed.

http://hostname:baseport/dashboard     ==> HTTP  (certificate not used)
https://hostname:baseport+1/dashboard  ==> HTTPS (certificate used)

To replace the ASISslCert certificate, follow the instructions below:

  - Create or import a new system certificate
  - Add the following line to the <install_directory>/properties/customer_overrides.properties file:
    noapp.sslCert=<new certificate name>
  - Restart SBI
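Both replacement procedures on this page (security.CERT_NAME for doccrypto and noapp.sslCert for ASISslCert) come down to adding one line to customer_overrides.properties. The script below is an added example, not IBM's own tooling: set_override replaces an existing uncommented line for the key (dropping duplicates, which would otherwise make the last one silently win) or appends the line if the key is absent, and keeps a backup copy beside the file. The certificate names and the temporary file in the demo are constructed placeholders; on a real system point it at <install_directory>/properties/customer_overrides.properties and restart SBI afterwards, as the procedures above say.

```shell
#!/bin/sh
# Added example (not from the IBM post): add or update an override line in
# customer_overrides.properties without leaving duplicate keys behind.

# set_override FILE KEY VALUE: replace the last uncommented KEY=... line in FILE,
# dropping any duplicates, or append KEY=VALUE if the key is absent. A backup copy
# is written next to the file first. (Backslashes in VALUE would be interpreted by awk -v.)
set_override() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            i = index(line, "=")
            if (line !~ /^[#!]/ && i > 0) {
                name = substr(line, 1, i - 1)
                sub(/[ \t]+$/, "", name)
                if (name == k) {
                    if (!replaced) { print k "=" v; replaced = 1 }
                    next                       # drop the old line (and any duplicates)
                }
            }
            print
        }
        END { if (!replaced) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# override_value FILE KEY: value of the last KEY= line, as a quick check after editing.
# (The "." in KEY is a regex wildcard here, which is good enough for this purpose.)
override_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Stand-alone demo on a constructed override file; certificate names are placeholders.
demo_file=$(mktemp)
printf '%s\n' '# constructed customer_overrides.properties' 'security.CERT_NAME=doccrypto' > "$demo_file"
set_override "$demo_file" security.CERT_NAME doccrypto_new    # placeholder new cert name
set_override "$demo_file" noapp.sslCert ASISslCert_new        # placeholder new cert name
echo "--- resulting file ---"
cat "$demo_file"
rm -f "$demo_file" "$demo_file".bak.*
```

The new certificate named in the override must already exist as a system certificate (created or imported as in the steps above); the override only tells the application which one to use, and the change takes effect after the restart.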



Note: even if you renew some of the system certificates as explained above, we recommend keeping them (the certificates you replaced) in the system and simply adding them to the exclusion list of the CheckExpire service.


Add certificates to the "CheckExpire" service exclusion list:

The "CheckExpire" service is responsible for sending alerts when a certificate has expired or is about to expire, so that you can take the appropriate measures to renew it, if required.

Some of the options you have when configuring the service are:

   - Schedule the service to generate a report with the frequency you want, for example every day or every week.
   - Specify the type of alert, for example email.
   - Specify the email address the system sends the report to, if the email alert is chosen.
   - Configure how many days in advance you want to be alerted when a certificate is about to expire.
   - Set certificate exclusions so that you are no longer alerted when an expired certificate remains in the system.

To add certificates to the exclusion list so that they no longer show in the email report, follow the instructions below:

   - Log in to the dashboard and go to Deployment => Services => Configuration
   - Search for the service "Check Expire" and edit it.
   - Advance to the certificate exclusions page.
   - Add the required certificates to the Exclusion pane on the right.
   - Save the service configuration.


UID

ibm11121085