Replacing the default GIM certificate with a SHA1 or SHA256 certificate

You can replace the default SHA2 GIM certificates with SHA1 or SHA256 certificates without interrupting communication between the GIM server and GIM clients.

About this task

Communication between the GIM server and GIM clients is secured by an encrypted channel and by authentication. When you install GIM, it uses the default Guardium certificates, which are privately signed. If GIM client communication fails with the certificate that is installed by default, you can replace the GIM certificates with SHA1 or SHA256 certificates. The clients and the server do not lose communication during the replacement.
The following conditions must be met for the replace certificate command to work as expected:
  • GIM uses the default certificates, which are privately signed.
  • You are using the latest GIM bundle.
  • You have updated the GIM and GIM CA certificates in the Tomcat keystore to SHA1 or SHA256.

Procedure

  1. To check the currently installed certificate, run the following command on the Guardium CLI:
    show certificate gim server
    The command displays the details of the currently installed certificate.
  2. To update the certificate to SHA1 or SHA256, run the following command and enter y when prompted:
    replace certificate gim algorithm < default | default_sha1 >
    USAGE: replace certificate gim algorithm < default | default_sha1 >, where 'default' represents the SHA256 signature algorithm and 'default_sha1' represents the SHA1 signature algorithm.
  3. After you replace the default certificate, restart the Guardium GUI by using the following command:
    restart gui
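Before step 2, and again after it, a practitioner will usually want to confirm which signature algorithm the certificate actually carries rather than rely on the command argument alone. The following Python script is an added example; it is not part of this documentation and not Guardium's own tooling. It assumes you have the GIM server certificate in PEM form (for example, saved from the show certificate gim server output or exported from the Tomcat keystore). It reads the outer signatureAlgorithm field of the X.509 DER structure with a minimal ASN.1 parser and flags SHA1 signatures; the sample certificate it builds with make_sample_pem is a constructed placeholder with a dummy tbsCertificate and dummy signature bytes, not a real Guardium certificate.

```python
import base64
import re
import sys

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(der):
    """Return (oid, name, is_sha1) for the outer signatureAlgorithm of a DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)        # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_OIDS.get(oid, "unknown"), oid in SHA1_OIDS


def check_pem(pem):
    return signature_algorithm(pem_to_der(pem))


# Minimal DER builder, used only to construct the offline sample certificate below.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_arc(v):
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append((v & 0x7F) | 0x80)
        v >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return _encode_arc(arcs[0] * 40 + arcs[1]) + b"".join(_encode_arc(a) for a in arcs[2:])


def make_sample_pem(sig_oid):
    """Constructed sample: Certificate-shaped DER with a placeholder tbsCertificate and
    dummy signature bytes. It is NOT a real Guardium certificate."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xab" * 16)
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_gim_cert.py server.pem   (or pipe the PEM on stdin)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    oid, name, sha1 = check_pem(text)
    print(f"signatureAlgorithm: {name} ({oid})" + ("  <-- SHA1, deprecated" if sha1 else ""))
```

Run it against the PEM you saved from the appliance and compare the reported algorithm with the argument you gave to replace certificate gim algorithm. The script reads only the outer AlgorithmIdentifier, which is enough to tell SHA1 from SHA256; it does not validate the chain or the signature itself, so it complements rather than replaces the Guardium CLI check.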