Reconfiguring the certifications of Verify Identity Access Java applications

To use the new policy server certificate authority (PDCA), you must reconfigure the PDCA in the configured Java™ run time. You must also reconfigure the certificates of any Verify Identity Access Java application that uses the IBM Verify Identity Access Runtime for Java. First, update the IBM Verify Identity Access Runtime for Java configuration. Then, update the certificate of each Verify Identity Access Java application that uses that run time.

Before you begin

Back up all the files in [JRE]/PolicyDirector. For WebSphere Application Server version 8.0 and later, the directory is [WAS_HOME]/tivoli/tam/PolicyDirector.

About this task

This procedure updates the IBM Verify Identity Access Runtime for Java files. Then it updates the individual Verify Identity Access Java components with the IBM Verify Identity Access Runtime for Java.

The IBM Verify Identity Access Runtime for Java files that must be updated are the PDCA.ks file and the ssl-compliance property in the PD.properties file.

There are several ways to reconfigure the certificates of a Verify Identity Access Java application:
  • Unconfigure and then reconfigure the IBM Verify Identity Access Runtime for Java.
  • Obtain a PDCA.ks file from another IBM Verify Identity Access Runtime for Java that was already updated, and copy the file into the target IBM Verify Identity Access Runtime for Java.

    If you configured the Java application with the Verify Identity Access version 7.0 configuration program, you specified a location for the PDCA.ks file. Replace the PDCA.ks file at that location instead of the one in the JRE.

    1. To locate the PDCA.ks file, open the IBM Verify Identity Access Runtime for Java properties configuration file of your application. For example, the file might be named pdwpm.properties.
    2. In the file, find the pdca-url entry. The entry specifies the PDCA.ks file path:
      pdca-url=file\:/user_supplied_path/PDCA.ks
    3. Write the PDCA.ks file from an updated IBM Verify Identity Access Runtime for Java to the location that the pdca-url entry specifies.
    4. Also update the ssl-compliance entry, if it exists. For example:
      ssl-compliance=none

      Change the value to the compliance level that you configured for the Java application with Verify Identity Access version 7.0. For example:
      ssl-compliance=suite-b-192
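The second option above, copying an already-updated PDCA.ks to the path named by the application's pdca-url entry and adjusting ssl-compliance, as an added Python example. This is not IBM's code and not part of this page: it assumes a pdwpm.properties-style file that contains the pdca-url and ssl-compliance keys shown above, uses constructed placeholder bytes in place of a real JKS keystore, and the helper names (read_properties, pdca_path_from_url, install_pdca, demo) are its own. It backs up the old keystore, skips the copy when the target already matches the updated file, and changes ssl-compliance only when the entry exists.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed stand-in for an application's pdwpm.properties; only the
# pdca-url and ssl-compliance keys matter here. {pdca_path} is filled in by demo().
SAMPLE_PROPERTIES = """\
# constructed sample, not a real pdwpm.properties
appsvr-plcysvrs=policyserver.example.com\\:7135\\:1
pdca-url=file\\:{pdca_path}
ssl-compliance=none
"""

_KEY_VALUE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def read_properties(path):
    """Minimal Java .properties reader: key=value lines, '\\:' unescaped,
    '#'/'!' comment lines and blank lines skipped (no line continuations)."""
    props = {}
    for line in Path(path).read_text().splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).replace("\\:", ":").strip()
    return props


def pdca_path_from_url(pdca_url):
    """Resolve the pdca-url value (a file: URL) to a local path."""
    parsed = urlparse(pdca_url)
    if parsed.scheme != "file":
        raise ValueError(f"pdca-url is not a file: URL: {pdca_url!r}")
    return Path(parsed.path)


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def install_pdca(updated_pdca, props_file, compliance=None):
    """Copy an already-updated PDCA.ks to the location named by the
    application's pdca-url entry (keeping a .bak of the old file) and,
    if an ssl-compliance entry exists and differs, rewrite it to `compliance`.
    Returns what changed so a caller can log it."""
    props = read_properties(props_file)
    target = pdca_path_from_url(props["pdca-url"])
    result = {"target": str(target), "replaced": False, "compliance_changed": False}

    # Idempotent: skip the copy when the target already holds the updated keystore.
    if not (target.exists() and sha256_of(target) == sha256_of(updated_pdca)):
        if target.exists():
            shutil.copy2(target, target.with_name(target.name + ".bak"))
        shutil.copy2(updated_pdca, target)
        result["replaced"] = True

    # Only touch ssl-compliance when the entry exists, as the procedure says.
    if compliance and props.get("ssl-compliance") not in (None, compliance):
        text = Path(props_file).read_text()
        text = re.sub(r"^(\s*ssl-compliance\s*[=:]\s*).*$",
                      lambda m: m.group(1) + compliance, text, flags=re.M)
        Path(props_file).write_text(text)
        result["compliance_changed"] = True
    return result


def demo():
    """Run the whole flow on constructed files in a temporary directory.
    The keystore contents are placeholder bytes, not a real JKS."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        updated = root / "updated_runtime" / "PDCA.ks"
        updated.parent.mkdir()
        updated.write_bytes(b"constructed: PDCA.ks from an updated runtime")
        app_dir = root / "pdwpm"
        app_dir.mkdir()
        old_pdca = app_dir / "PDCA.ks"
        old_pdca.write_bytes(b"constructed: PDCA.ks issued by the old PDCA")
        props_file = app_dir / "pdwpm.properties"
        props_file.write_text(SAMPLE_PROPERTIES.format(pdca_path=old_pdca.as_posix()))

        first = install_pdca(updated, props_file, compliance="suite-b-192")
        second = install_pdca(updated, props_file, compliance="suite-b-192")  # no-op
        return (first, second, read_properties(props_file),
                old_pdca.with_name("PDCA.ks.bak").exists())


if __name__ == "__main__":
    print(demo())
```

In practice you would call install_pdca with the PDCA.ks from the updated run time and the application's own properties file; the .bak copy lets you roll the application back if it cannot reach the policy server afterwards. The script copies the keystore as the page directs and does not validate its contents, so keep the step that starts the run time and confirms it operates properly.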

Procedure

  1. Update the PDCA.ks and PD.properties files by unconfiguring the Java runtime and then reconfiguring it.
    Note:
    • This step removes all files in the [JRE]/PolicyDirector directory and then re-creates the files. For WebSphere Application Server version 8.0 and later, the directory is [WAS_HOME]/tivoli/tam/PolicyDirector.
    • If any file under this directory was customized, then you must reapply the customization to the new file.
    • At this step, do not unconfigure the Verify Identity Access Java applications that are configured to use the JRE.

    For more information about configuring or unconfiguring the Verify Identity Access run time for Java, see the pdjrtecfg command in the IBM Verify Identity Access for Web Command Reference.

  2. Update the WebSphere® profile if:
    • The Verify Identity Access compliance type changed and
    • The Verify Identity Access Java applications run in a WebSphere profile.
    The FIPS security mode must match the Verify Identity Access compliance level.
  3. Stop any processes that are using the JRE.
    For example, stop any WebSphere profiles that are using the JRE.
  4. Update the ssl.client.props file of the WebSphere profile to allow WebSphere client applications to communicate with the profile if:
    • You are using a WebSphere Java run time and
    • You changed the FIPS security mode of the run time.
  5. Regenerate the certificates of each Verify Identity Access Java application that was configured with SvrSslCfg.
    This example shows how to reconfigure the Verify Identity Access WebSphere Portal Manager certificates, where sec_master_password stands for the sec_master administrator password:
    java com.tivoli.pd.jcfg.SvrSslCfg -action replcert -admin_id sec_master
     -admin_pwd sec_master_password -cfg_file /opt/PolicyDirector/java/export/pdwpm/pdwpm.properties
  6. Start the JRE and ensure that it operates properly in the updated Java run time.
    For WebSphere, start the WebSphere profile to start the JRE.

What to do next

Repeat this procedure for any other Verify Identity Access Java run times that are on the system.