Reconfiguring the certifications of Security Verify Access Java applications

To use the new policy server certificate authority, you must reconfigure the PDCA in the configured Java™ run time. You must also reconfigure the certificates of any Security Verify Access Java application that uses the IBM Security Verify Access Runtime for Java. First, update the IBM Security Verify Access Runtime for Java configuration. Then, update the certificate of each Security Verify Access Java application that uses the run time.

Before you begin

Back up all the files in [JRE]/PolicyDirector. For WebSphere Application Server version 8.0 and later, the directory is [WAS_HOME]/tivoli/tam/PolicyDirector.

About this task

This procedure updates the IBM Security Verify Access Runtime for Java files. Then it updates the individual Security Verify Access Java components with the IBM Security Verify Access Runtime for Java.

The IBM Security Verify Access Runtime for Java files that must be updated are the PDCA.ks file and the ssl-compliance property in the PD.properties file.

There are several ways that you can reconfigure the certification of a Security Verify Access Java application:

Unconfigure and then reconfigure the IBM Security Verify Access Runtime for Java.
Obtain a PDCA.ks file from another IBM Security Verify Access Runtime for Java that was already updated. Then, copy the file into the target IBM Security Verify Access Runtime for Java.
If you configured the Java application with the Security Verify Access, version 7.0, configuration program, you specified a location for the PDCA.ks file. Replace the PDCA.ks file at that location instead of the location in the JRE.
1. To locate the PDCA.ks file, open the properties configuration file of your application for IBM Security Verify Access Runtime for Java. For example, the file might be named pdwpm.properties.
2. In the file, find the pdca-url entry. The entry specifies the PDCA.ks file path.
```
pdca-url=file\:/user_supplied_path/PDCA.ks
```
3. Write the PDCA.ks file from an updated IBM Security Verify Access Runtime for Java into the location that the pdca-url entry specifies.
Also update the ssl-compliance entry, if it exists. For example:
```
ssl-compliance=none
```
Change the value to the appropriate compliance level for Java application that you configured with Security Verify Access, version 7.0.
For example:
```
ssl-compliance=suite-b-192
```

Procedure

Update the PDCA.ks and PD.properties files by unconfiguring the Java runtime and then reconfiguring it.
Note:
- This step removes all files in the [JRE]/PolicyDirector directory and then re-creates the files. For WebSphere Application Server version 8.0 and later, the directory is [WAS_HOME]/tivoli/tam/PolicyDirector.
- If any file under this directory was customized, then you must reapply the customization to the new file.
- At this step, do not unconfigure the Security Verify Access Java applications that are configured to use the JRE.
You might need more information about configuring or unconfiguring Security Verify Access run time for Java. See the pdjrtecfg command utility in the IBM Security Verify Access for Web Command Reference.
Update the WebSphere® profile if:
- The Security Verify Access compliance type changed and
- The Security Verify Access Java applications run in a WebSphere profile.
The FIPS security mode must match the Security Verify Access compliance level.
Stop any processes that are using the JRE.
For example, stop any WebSphere profiles that are using the JRE.
Update the ssl.client.props file of the WebSphere profile to allow WebSphere client applications to communicate with the profile if:
- You are using a WebSphere Java run time and
- You changed the FIPS security mode of the run time.
o
Regenerate the certificates of each SvrSslCfg Security Verify Access Java application.
This example illustrates how to reconfigure the Security Verify Access WebSphere Portal Manager certificates:
```
java com.tivoli.pd.jcfg.SvrSslCfg -action replcert -admin_id sec_master 
 -admin_pwd -cfg_file /opt/PolicyDirector/java/export/pdwpm/pdwpm.properties
```
Start the JRE and ensure that it operates properly in the updated Java run time.
For WebSphere, start the WebSphere profile to start the JRE.

What to do next

Repeat this procedure for any other Security Verify Access Java run times that are on the system.