Renewing an agent certificate

Renew an agent certificate that is about to expire or has already expired. When an agent certificate has expired or is due to expire, a link on the Welcome page of the IBM Security Guardium Key Lifecycle Manager graphical user interface notifies you.

Before you begin

To renew the certificate with a CA-signed certificate, ensure that the keystore that you import contains the required CA-signed certificate and its private key.

Procedure

You can renew the certificate by using one of the following procedures:

  • Create a new self-signed certificate.
    1. On the command line, navigate to the SKLM_INSTALL_HOME\agent\ directory to access the scripts to stop and start the agent service.
    2. Stop the agent service.
      For more information, see Stop Agent.
    3. Rename (do not delete) the agentks.jks file under SKLM_INSTALL_HOME\agent\. Keep the renamed file as a backup; the agent creates a new agentks.jks file with a new self-signed certificate when the service starts.
    4. Start the agent service.
      For more information, see Agent Starter.
  • Import a CA-signed certificate into the agent.
    1. On a command line, navigate to the SKLM_INSTALL_HOME\agent\ directory to access the scripts to stop and start the agent service.
    2. Stop the agent service.
      For more information, see Stop Agent.
    3. Import the keystore that contains the CA-signed certificate.
    • For Windows:
      - agentImportKS.bat WAS_HOME KS_TYPE KS_PATH KS_PASSWORD SKLMADMIN_USERNAME SKLMADMIN_PASSWORD ALIAS_NAME
    • For Linux or AIX:
      - agentImportKS.sh WAS_HOME KS_TYPE KS_PATH KS_PASSWORD SKLMADMIN_USERNAME SKLMADMIN_PASSWORD ALIAS_NAME
    Where WAS_HOME is the WebSphere Liberty installation directory, KS_TYPE is the type of the keystore (for example, JCEKS), KS_PATH is the path to the keystore file, KS_PASSWORD is the password of the keystore, SKLMADMIN_USERNAME and SKLMADMIN_PASSWORD are the credentials of the IBM Security Guardium Key Lifecycle Manager administrator, and ALIAS_NAME is optional and required only if the keystore contains more than one alias entry.
    Example on Windows:
    agentImportKS.bat "C:\Program Files\IBM\WebSphere\Liberty" "JCEKS" "c:\thirdparty.jceks" "keystore-password" sklmadmin sklmadmin-password alias
    Example on Linux or AIX:
    agentImportKS.sh "/opt/IBM/WebSphere/Liberty" "JCEKS" "/opt/thirdparty.jceks" "keystore-password" sklmadmin sklmadmin-password alias
    Note: Ensure that the path to the WAS_HOME directory is correct. Both passwords are passed as plain command-line arguments, so they appear in the shell history; clear the history entry after the import.
    4. Start the agent service.
      For more information, see Agent Starter.
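The "Before you begin" requirement and the ALIAS_NAME rule above are easy to get wrong on a third-party keystore, and a failed import only shows up in the log afterwards. The following Python script is an added example, not part of IBM Security Guardium Key Lifecycle Manager or its documentation: it runs the JDK keytool (assumed to be on PATH) against the keystore you intend to pass as KS_PATH, parses the keytool -list -v output, and checks before you stop the agent that the chosen alias is a private-key entry, is CA-signed rather than self-signed, and is not expired or about to expire, and that ALIAS_NAME is supplied when the keystore holds several aliases. The function names, the sample keytool output, the host name gklm-agent.example.com and the aliases agent and rootca are constructed for illustration.

```python
"""Pre-flight check of a keystore before running agentImportKS (added example,
not GKLM code). Assumes the JDK keytool binary is on PATH and parses the text
that "keytool -list -v" prints; the sample output and names below are constructed."""
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class KeyEntry:
    alias: str
    entry_type: str                # "PrivateKeyEntry" or "trustedCertEntry"
    subject: str                   # Owner of the leaf certificate (Certificate[1])
    issuer: str                    # Issuer of the leaf certificate
    not_after: Optional[datetime]  # leaf "until:" timestamp, naive


_ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$", re.M)
_FIELD = {k: re.compile(rf"^{k}:\s*(.+)$", re.M) for k in ("Entry type", "Owner", "Issuer")}
# "until: Fri Jan 01 10:00:00 UTC 2027": weekday and zone are dropped, timestamp kept naive (day-level accuracy).
_UNTIL_RE = re.compile(r"until:\s*\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def run_keytool_list(ks_path: str, ks_type: str, ks_password: str) -> str:
    """Return the stdout of 'keytool -list -v' for the keystore (needs a JDK on PATH)."""
    cmd = ["keytool", "-list", "-v", "-keystore", ks_path, "-storetype", ks_type, "-storepass", ks_password]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_keytool_list(text: str) -> List[KeyEntry]:
    """Turn 'keytool -list -v' output into one KeyEntry per alias."""
    starts = [m.start() for m in _ALIAS_RE.finditer(text)] + [len(text)]
    entries = []
    for start, end in zip(starts, starts[1:]):
        block = text[start:end]
        # The first Owner/Issuer/until lines in a block describe Certificate[1], the leaf.
        f = {k: (m.group(1).strip() if (m := p.search(block)) else "") for k, p in _FIELD.items()}
        until = _UNTIL_RE.search(block)
        entries.append(KeyEntry(
            alias=_ALIAS_RE.match(block).group(1).strip(),
            entry_type=f["Entry type"] or "unknown", subject=f["Owner"], issuer=f["Issuer"],
            not_after=datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y") if until else None))
    return entries


def check_entries(entries: List[KeyEntry], alias: Optional[str] = None, now=None, min_days: int = 30):
    """Return (ok, errors, warnings); 'now' may be a datetime or an ISO date string for dry runs."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    errors, warnings = [], []
    if alias is None:
        if len(entries) != 1:  # the procedure requires ALIAS_NAME for more than one alias: do not guess
            return False, [f"keystore has {len(entries)} alias entries; ALIAS_NAME is required"], []
        entry = entries[0]
    else:
        found = [e for e in entries if e.alias == alias]
        if not found:
            return False, [f"alias {alias!r} not found; present: {[e.alias for e in entries]}"], []
        entry = found[0]
    if entry.entry_type != "PrivateKeyEntry":
        errors.append(f"{entry.alias!r} is a {entry.entry_type}; the agent needs a PrivateKeyEntry")
    if entry.subject == entry.issuer:
        errors.append(f"{entry.alias!r} is self-signed (issuer equals subject), not CA-signed")
    if entry.not_after is None:
        errors.append(f"{entry.alias!r}: no validity period found")
    elif entry.not_after <= now:
        errors.append(f"{entry.alias!r} expired on {entry.not_after:%Y-%m-%d}")
    elif entry.not_after - now < timedelta(days=min_days):
        warnings.append(f"{entry.alias!r} expires on {entry.not_after:%Y-%m-%d}, within {min_days} days")
    return not errors, errors, warnings


# Constructed "keytool -list -v" output: a CA-signed agent key pair plus the trusted
# root, so this keystore has two aliases and the import needs ALIAS_NAME.
SAMPLE_KEYTOOL_OUTPUT = """Alias name: agent
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=gklm-agent.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Valid from: Tue Jan 02 10:00:00 UTC 2024 until: Fri Jan 01 10:00:00 UTC 2027

*******************************************

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2034
"""

if __name__ == "__main__":  # usage: KS_PATH KS_TYPE KS_PASSWORD [ALIAS_NAME]; no arguments = dry run on the sample
    a = sys.argv[1:]
    text = run_keytool_list(a[0], a[1], a[2]) if a else SAMPLE_KEYTOOL_OUTPUT
    ok, errors, warnings = check_entries(parse_keytool_list(text), a[3] if len(a) > 3 else (None if a else "agent"))
    print("\n".join([f"ERROR: {e}" for e in errors] + [f"WARNING: {w}" for w in warnings] + ["ready" if ok else "not ready"]))
    sys.exit(0 if ok else 1)
```

Run it with the same KS_PATH, KS_TYPE, KS_PASSWORD and ALIAS_NAME values that you intend to give agentImportKS; a non-zero exit status means the import would not give the agent a usable CA-signed identity. Like agentImportKS, the script passes the keystore password on the command line, so the same shell-history caveat applies. The check treats the first certificate printed under an alias as the leaf, which matches the keytool ordering where Certificate[1] is the end-entity certificate.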
To troubleshoot issues with agent certificate renewal, see the agentImportKS.log file in the agent directory: drive:\Program Files\IBM\GKLMV421\agent on Windows, and path/IBM/GKLMV421/agent on Linux® and AIX®.