IBM Support

Customers using the Verify SaaS Adapter need to update the trusted root certificates in their Dispatcher configuration (on‑prem or container)

Release Notes


Abstract

Effective October 13, 2025, certificates for *.verify.ibm.com hostnames would be renewed.
Action: To avoid any impact, the Customers that are using the Verify SaaS Adapter need to update the trusted root certificates in their Dispatcher configuration (on‑prem or container) before October 13, 2025.

This document provides detailed information about the steps to be followed to update the certification.

Content

What you need to do
 
On‑prem Dispatcher setup
  1. Download the root CA certificates from the IBM Knowledge Base.
  2. Copy the “Root (Trust Chain) for ECDSA” content to a file named `VerifyRootECDSA.pem`. Copy the “Root (Trust Chain) for RSA” content to a file named `VerifyRootRSA.pem`.
  3. Convert the PEM files to DER format: 
    openssl x509 -outform der -in VerifyRootECDSA.pem -out VerifyRootECDSA.der<br>openssl x509 -outform der -in VerifyRootRSA.pem -out VerifyRootRSA.der
  4. Import the DER files into the Dispatcher trust store. Default trust store: 
    ITDI_HOME/timsol/serverapi/testadmin.jks
    (check `javax.net.ssl.trustStore` in `ITDI_HOME/timsol/solution.properties` if it differs.

    keytool -import -alias VerifyRootECDSA -file VerifyRootECDSA.der -keystore <truststore_path>.jks<br>keytool -import -alias VerifyRootRSA   -file VerifyRootRSA.der   -keystore <truststore_path>.jks
  5. Restart the Dispatcher instance so the new trust store is picked up.
 
Container‑based Dispatcher setup
  1. Download the root CA certificates from the IBM Knowledge Base.
  2. Save the "Root (Trust Chain) for ECDSA" and "Root (Trust Chain) for RSA" PEM contents to `VerifyRootECDSA.pem` and `VerifyRootRSA.pem` respectively.
  3. Add the certificates to the container configuration (choose the appropriate path based on your environment):
    • 3A – Non‑ISVG‑IM container: Place the two PEM files in the `certs` directory of the config volume that also contains `config.yaml`. Edit `config.yaml` (referenced by the `YAML_CONFIG_FILE` env var) and add the certificates to the `trusted‑certificates` list:
      keyfile:trusted‑certificates:    
- '@/<Path_to_config_directory>/certs/VerifyRootECDSA.pem 
- '@/<Path_to_config_directory>/certs/VerifyRootRSA.pem
    • 3B – Non‑ISVG‑IM containerPlace the two PEM files `VerifyRootECDSA.der` and `VerifyRootRSA.der` to `<path_to_starterkit>/config/certs`. Edit `adapterconfig.yaml` and add the certificates to the`trusted‑certificates` list:
      keyfile:trusted‑certificates:    
- '@/<path_to_starterkit>/config/certs/VerifyRootECDSA.pem'
- '@/<path_to_starterkit>/config/certs/VerifyRootRSA.pem'
      Run the starter‑kit script to rebuild the container config: 
      <path_to_starterkit>/bin/createConfigs.sh isvdi
  4. Restart the `isvdi` container (or the relevant Dispatcher container) to apply the new trust store.
 Quick Checklist 
  • Download root CA PEMs from KB.
  • Save as `VerifyRootECDSA.pem` / `VerifyRootRSA.pem`
  • On‑prem: Convert to DER and import into the correct JKS trust store.
  • Container: Add PEM files to the config volume and reference them in `config.yaml`.
  • Restart the Dispatcher (or container) after the trust store update.

[{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBM27","label":"IBM Security Verify Governance"},"ARM Category":[{"code":"a8m0z0000001hi9AAA","label":"Identity Governance \u0026 Intelligence-\u003EAdapters"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.0.0;and future releases"}]

Product Synonym

ISIM;IGI;ISVG;ISVGIM;Identity Manager;Adapters; IVIG

Document Information

Modified date:
04 October 2025

UID

ibm17247066

Page Feedback