IBM Support

Steps to Reconfigure VPN Following Sub-CA Certificate Renewal - January 2025

How To


Summary

The sub-CA that issues the certificate used for Cloud Extender VPN Configuration is expiring in January 2025 (January 12th in M1, M2, M4 and January 16th in M3). The leaf certificates issued by this sub-CA will also expire in the above mentioned dates and render the VPN configurations unusable.

Objective

Post renewal of the sub-CA certificate, which is scheduled on 6th of Jan 2025, we request administrators to perform the steps below to reconfigure their VPN configuration and generate a new certificate. This document provides the steps on updating the VPN configuration after the renewal of the Sub-CA certificate. This affects only customers who have the Cloud Extender VPN module configured.

Environment

This applies to all MaaS360 instances.

Steps

Updating certificate in standalone VPN configuration:

  1. Log in to the Cloud Extender server, where VPN is configured.
  2. Open MaaS360 Config Utility, go to VPN tile, the cluster will be visible.
    image-20241220114620-1
  3. Click on Edit icon as highlighted in above screen shot, below screen will appear.

    image-20241220114954-2
  4. Make sure to note down all the configuration details from the "Cluster Details" screen.

    image-20241220115011-3
  5. Click Next and then click Cancel, you will come back to VPN configuration cluster page.

    image-20241220115039-4
  6. Click on the VPN configuration again and delete the existing cluster.

    image-20241220115053-5
     
  7. Create a new cluster from the configuration copied from Step #4 (above) and make sure the "Test" while configuring the VPN is successful.
  8. Navigate to the directory "C:\ProgramData\MaaS360\Cloud Extender\AR\DATA\VPN" and check for newly created certificate file (details below)

    image-20241220115102-6

Updating certificate in VPN cluster configuration:

  1. Follow steps mentioned above in one Cloud Extender server.
  2. Export the newly generated certificate from the Cloud Extender by copying ca.crt and server.crt from C:\ProgramData\MaaS360\Cloud Extender\AR\DATA\VPN. And import it to another Cloud Extender server by pasting in the file in the same location.

Portal Changes to update VPN configuration:

Administrators have to repeat these below steps (for Android policy as well) if they have both iOS and Android devices configured for VPN.
  1. Login to the portal and navigate to Policies.
  2. Click on the policy (which is configured to use VPN) and edit the policy.
  3. Edit the VPN Connection name (to identify that the cluster configuration is changed)
  4. Make sure to select the updated cluster name (the one configured above) under the dropdown "Select VPN server".

    image-20241220115614-7
     
  5. Save and publish the policy.

Additional Information

 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYSXX","label":"IBM MaaS360"},"ARM Category":[{"code":"a8m0z000000GnO3AAK","label":"CLOUD EXTENDER"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
24 December 2024

UID

ibm17179603

Page Feedback