You can replace the default SHA2 GIM certificates with SHA1 or SHA256 without
interrupting the GIM server to GIM client communication.
About this task
The GIM server-GIM client communication is secured by an encrypted channel and authentication. When you install GIM, it uses default Guardium certificates that are privately signed. If the GIM client communication fails with the certificate that is installed by default, then you can replace GIM certificates with SHA1 or SHA256. The clients and the server do not lose any communication.
The following conditions must be met for the replace certificate command to work as expected:
- GIM uses default certificates that are privately signed.
- You are using the latest GIM bundle.
- You updated GIM and GIM CA certificates in Tomcat keystore to SHA1 or SHA256.
Procedure
- To check the currently installed certificate, run the following command on the Guardium CLI.
  show certificate gim server
  You can see the details of the currently installed certificate.
- To update the certificate to SHA1 or SHA256, run the following command and enter y.
  replace certificate gim algorithm
  USAGE: replace certificate gim algorithm < default | default_sha1 >, where 'default' represents SHA256 and 'default_sha1' represents SHA1 signature algorithm.
- Restart the Guardium GUI after replacing the default certificate by using the following
command.