IBM Support

The SSP factory certificate that comes with the product is expiring December 1, 2017 at 10:54 PM EST.

Technical Blog Post


Abstract

The SSP factory certificate that comes with the product is expiring December 1, 2017 at 10:54 PM EST.

Body

The SSP factory certificate that comes with the product is expiring December 1, 2017 at 10:54 PM EST. This certificate is installed as the default certificate and is used for the secure connections to the CM GUI and between the CM and engine. If customers have not installed their own certificate to replace the factory certificate, then after the expiration date, the CM will no longer be able to communicate with the engine to push configurations and will not be able access the CM GUI securely through a web browser.


To determine if the CM and Engine is still using the factory certificate you can run the shell script configureCmSsl.sh or configureCmSsl.bat located in the Secure Proxy CM install bin directory.

Here is an example for running the script:
sspuser@l1suse1:~/SSP3430tst/sspcm1/bin> ./configureCmSsl.sh -s
IBM Sterling Secure Proxy V3.4.3.0
Copyright (c) 2017 IBM

Enter the system passphrase: <Enter the system passphrase for SSP CM>
Loading configuration files...

CM configuration:
  SSL/TLS protocol   : TLSv1
  Cipher suites      : [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
  Key store file     : ../conf/system/cmkeystore
  Trust store file   : ../conf/system/cmtruststore
  Server alias       : factory
  Client alias       : factory

Web server configuration:
  Host               : localhost
  Port               : 8443
  Https enabled      : true
  Client auth enabled: false
  SSL/TLS protocol   : TLSv1
  Cipher suites      : [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
  Key store file     : ../conf/system/cmkeystore
  Trust store file   : ../conf/system/cmtruststore
  Server alias       : factory

Certificates in CM key store:
[factory]
  alias   : factory
  subject : CN=Sterling Secure Proxy Factory Certificate, OU=Development, O=Sterling Commerce, L=Irving, ST=Texas, C=US
  issuer  : CN=Sterling Secure Proxy Factory Certificate, OU=Development, O=Sterling Commerce, L=Irving, ST=Texas, C=US
  serial  : 1
  version : 3
  validity: Valid from [Tue Dec 04 10:54:13 EST 2007] to [Fri Dec 01 10:54:13 EST 2017]

 

Resolving the problem:
If the CM or Webserver configuration shows the Server or Client alias as factory, then the CM and Engine is using the factory installed certificate.

If this is the case, then you will need to install your own CA signed certificate.

The following link will take you to the documentation for replacing the CM and engine certificates:

https://www.ibm.com/support/knowledgecenter/en/SS6PNW_3.4.3/com.ibm.help.ssp.secure.doc/certificates/ssp_cmc_mgcertcompnts.html

You can use the Common Certificate procedure for replacing the Engine and CM certificates with same certificate.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS4PJT","label":"IBM Sterling Connect:Direct"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

UID

ibm11123407

Page Feedback