IBM Support

Replacing a keycert file in Sterling Secure Proxy System certificate keystore for netmap nodes

Technical Blog Post


Abstract

Replacing a keycert file in Sterling Secure Proxy System certificate keystore for netmap nodes

Body

When the public CA-signed certificate in a keycert file is about to expire, you can replace the entire keycert file in place in the System certificate key store. This eliminates the need to add a new keycert file name to the SSP System certificate key store and then change every netmap node to point to the new name.

If you haven't already done so, first create a new keycert file containing the private key and the CA-signed public certificate. The IBM Sterling Certificate Wizard can assist with this.

Once you have a valid keycert file, the following steps guide you through updating your current keycert file in the SSP System certificate key store.

The next 8 steps test the new keycert file by loading it into a copy of the current production keycert. This test can be performed without any interruption to the production environment.

1. Make a copy of the existing keycert for testing purposes. Go to the Credentials tab > Certificate Stores > System Certificate Stores and click the Key Store that contains the current production keycert file you are eventually going to replace with the new one.

2. Select the keycert and then at the bottom of the screen click the Copy button.

3. Enter the private key password, confirm the password, click OK, then Save.

You will now see a copy of the current production keycert file.

4. Now select the copied keycert and click the Edit button at the bottom of the screen.

5. If the private key password has changed in the new keycert, change it now on this screen and confirm the new password; otherwise go on to the next step.

6. Browse for the new replacement keycert file, click Open, click OK, then Save.

You have now replaced the copied production keycert with the new keycert file.

7. Now change just one netmap, one you can use for testing, to point to the copied keycert that now holds the new keycert file. Click the Configuration tab > Netmaps > Netmap name. Select the netmap you are going to test with and click Edit at the bottom of the screen. Click the Security tab, select the Key Store where the copied keycert is located, then select the copied keycert in the Key/System Certificate box. Click OK, then Save. Wait for the configuration to be pushed to the SSP engine; the default interval is usually 30 seconds.

8. Now run a test from a client that uses the netmap you just updated. Make sure the test client has the new CA's trusted root and intermediate certificates in its trusted.txt file or truststore, whichever applies; otherwise the test will fail on trust, not on the keycert.

If the test is successful, this concludes the test cycle for updating the keycert file.

It's now time to update the current production keycert file.

1. Make a backup copy of the SSP CM install directory. If anything goes wrong, this backup is your only means of restoring the SSP CM to the state it was in before the change.

2. Go to the Credentials tab > Certificate Stores > System Certificate Stores and click the Key Store that contains the production keycert you are going to replace.

3. Now select the current production keycert and click the Edit button at the bottom of the screen.

4. If the private key password has changed in the new keycert, change it now on this screen and confirm the new password; otherwise go on to the next step.

5. Browse for the new replacement keycert file (the same one you loaded in the test cycle above), click Open, click OK, then Save.

You have now replaced the production keycert with the new keycert file. Every netmap node that points at this keycert will present the new certificate as soon as the configuration is pushed to the engine.

Make sure that all clients have the new CA's trusted root and intermediate certificates in their trusted.txt file or truststore, whichever applies. Distribute these before the production cutover, since after step 5 every connection through the affected netmap nodes is validated against the new chain.
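Both the test cycle and the production cutover depend on two things the GUI steps cannot check for you: that the replacement keycert file really contains a private key that belongs to its certificate, and that the root and intermediate bundle you hand to clients actually validates that certificate. The script below is an added example; it is not part of the original post, of SSP, or of the Certificate Wizard. It assumes the keycert is PEM text holding the password-protected private key followed by the CA-signed certificate and, optionally, its intermediates, that openssl is on PATH, and the file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM page and not part of SSP or the Certificate
# Wizard: pre-flight checks on a replacement keycert file before it goes into
# the SSP CM System certificate store. Assumptions (not stated on the page):
# the keycert is PEM text holding the password-protected private key followed
# by the CA-signed certificate and, optionally, its intermediates; openssl is
# on PATH. File and function names below are this example's own.

# Print the private key block (encrypted or not) from a keycert file.
keycert_key() {
  awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$1"
}

# Print every certificate block; the first is the end-entity certificate,
# any that follow are treated as intermediates.
keycert_certs() {
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1"
}

# check_keycert FILE KEY_PASSWORD TRUST_BUNDLE [MIN_SECONDS]
# Returns 0 only if the private key decrypts with KEY_PASSWORD and matches
# the first certificate's public key, that certificate is still valid
# MIN_SECONDS from now (default 30 days), and it chains to TRUST_BUNDLE, the
# root and intermediates your clients must carry in trusted.txt or their
# truststore. Each failed check is reported on stderr.
check_keycert() {
  keycert=$1; pw=$2; trust=$3; min_seconds=${4:-2592000}
  tmp=$(mktemp -d) || return 1
  rc=0
  keycert_key "$keycert" > "$tmp/key.pem"
  keycert_certs "$keycert" > "$tmp/certs.pem"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$tmp/certs.pem" > "$tmp/leaf.pem"
  if [ ! -s "$tmp/key.pem" ] || [ ! -s "$tmp/leaf.pem" ]; then
    echo "keycert: missing private key or certificate block" >&2
    rm -rf "$tmp"; return 1
  fi
  # 1. Private key must decrypt with the password and belong to the certificate:
  #    compare the DER SubjectPublicKeyInfo derived from each side.
  if ! openssl pkey -in "$tmp/key.pem" -passin "pass:$pw" -pubout -outform DER \
        -out "$tmp/key.der" 2>/dev/null; then
    echo "keycert: cannot read private key (wrong password or bad format)" >&2; rc=1
  elif ! openssl x509 -in "$tmp/leaf.pem" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$tmp/cert.der" 2>/dev/null; then
    echo "keycert: cannot read certificate" >&2; rc=1
  else
    key_fp=$(openssl dgst -sha256 "$tmp/key.der" | awk '{print $NF}')
    cert_fp=$(openssl dgst -sha256 "$tmp/cert.der" | awk '{print $NF}')
    if [ "$key_fp" != "$cert_fp" ]; then
      echo "keycert: private key does not match the certificate" >&2; rc=1
    fi
  fi
  # 2. Certificate must not expire within the required margin.
  if ! openssl x509 -in "$tmp/leaf.pem" -noout -checkend "$min_seconds" >/dev/null 2>&1; then
    echo "keycert: certificate expires within $min_seconds seconds" >&2; rc=1
  fi
  # 3. Certificate must chain to the trust bundle clients will be given;
  #    intermediates bundled in the keycert are offered as untrusted links.
  if ! openssl verify -CAfile "$trust" -untrusted "$tmp/certs.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "keycert: certificate does not chain to $trust" >&2; rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh check_keycert.sh new.keycert 'private-key-password' ca-bundle.pem [min_seconds]
if [ "$#" -ge 3 ]; then
  check_keycert "$@" && echo "keycert OK"
fi
```

The trust bundle argument is deliberately the same root-plus-intermediate set you distribute to clients, so a chain failure here means the client test in step 8 would also fail once the netmap points at the new keycert. Run it once against the replacement file before the test cycle and once more against the exact file you browse to in the production cutover.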

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS4PJT","label":"IBM Sterling Connect:Direct"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

UID

ibm11123677