You must renew a soon-to-expire or expired agent certificate. If an agent certificate has
expired or is due for expiry, you are notified by a link on the Welcome page of the IBM® Security Guardium® Key Lifecycle Manager graphical user interface.
Before you begin
To renew the certificate with a CA-signed certificate, ensure that the keystore has the
required CA-signed certificate in it.
Procedure
You can renew the certificate by using one of the following procedures:
- Create a new self-signed certificate.
  - On the command line, navigate to the SKLM_INSTALL_HOME\agent\ directory to access the scripts to stop and start the agent service.
  - Stop the agent service.
  - Rename the agentks.jks file under SKLM_INSTALL_HOME\agent\.
  - Start the agent service.
- Import a CA-signed certificate in the Agent.
  - On a command line, navigate to the SKLM_INSTALL_HOME\agent\ directory to access the scripts to stop and start the agent service.
  - Stop the agent service.
  - Import the keystore.
    - For Windows:
      agentImportKS.bat WAS_HOME KS_TYPE KS_PATH KS_PASSWORD SKLMADMIN_USERNAME SKLMADMIN_PASSWORD ALIAS_NAME
    - For Linux or AIX:
      agentImportKS.sh WAS_HOME KS_TYPE KS_PATH KS_PASSWORD SKLMADMIN_USERNAME SKLMADMIN_PASSWORD ALIAS_NAME
    Where:
    - KS_TYPE is the type of keystore.
    - KS_PATH is the path to the keystore file.
    - KS_PASSWORD is the password of the keystore.
    - ALIAS_NAME is optional; it is required only if the keystore contains multiple alias entries.
    Example on Windows:
      agentImportKS.bat "C:\Program Files\IBM\WebSphere\Liberty" "JCEKS" "c:\thirdparty.jceks" "keystore-password" sklmadmin sklmadmin-password alias
    Example on Linux or AIX:
      agentImportKS.sh "/opt/IBM/WebSphere/Liberty" "JCEKS" "/opt/thirdparty.jceks" "keystore-password" sklmadmin sklmadmin-password alias
    Note: Ensure that the path to the WAS_HOME directory is correct.
  - Start the agent service.
To troubleshoot issues related to agent certificate renewal, see the agentImportKS.log file, which is located in the drive:\Program Files\IBM\GKLMV42\agent directory on Windows and in path/IBM/GKLMV42/agent on Linux® and AIX®.
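
The "Before you begin" check and the ALIAS_NAME rule above, as an added example that is not part of the IBM documentation: a pre-flight script that lists the alias entries in the keystore and reports whether ALIAS_NAME must be passed to agentImportKS.sh. It assumes a `keytool` on the PATH that supports the `-storepass:env` modifier; the function names and the KS_PASSWORD environment variable are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check to run before agentImportKS.sh.
# Function names and the KS_PASSWORD variable name are hypothetical.

# Constructed sample of `keytool -list` output (not from a real keystore).
SAMPLE_LIST='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

agentcert, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
rootca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed)'

# Read `keytool -list` output on stdin; print "alias<TAB>entry type" per entry.
list_aliases() {
    awk '/(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ ]*$/ {
        line = $0
        sub(/,[ ]*$/, "", line)        # drop the trailing comma
        n = split(line, f, ", ")       # alias is first field, type is last
        print f[1] "\t" f[n]
    }'
}

# Read `keytool -list` output on stdin; print the number of alias entries.
count_aliases() {
    list_aliases | awk 'END { print NR }'
}

# Usage: KS_PASSWORD=... preflight KS_TYPE KS_PATH
# The password comes from the environment, so it stays out of argv here.
preflight() {
    out=$(keytool -list -storetype "$1" -keystore "$2" \
          -storepass:env KS_PASSWORD) || {
        echo "keytool could not open $2 as $1" >&2; return 2; }
    printf '%s\n' "$out" | list_aliases
    n=$(printf '%s\n' "$out" | count_aliases)
    case "$n" in
        0) echo "No entries found: nothing to import" >&2; return 1 ;;
        1) echo "One entry: ALIAS_NAME can be omitted" ;;
        *) echo "$n entries: pass ALIAS_NAME to agentImportKS.sh" ;;
    esac
}

# Run the check only when called with KS_TYPE and KS_PATH arguments.
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```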