Question & Answer
Question
Web components such as the Policy Server and the Reverse Proxy use management certificates for internal communication. What happens when the management certificates expire, and how are they renewed?
Answer
The following parameters control the expiration of management certificates and their automatic renewal.
- ssl-auto-refresh
Switch for automatic renewal of the management certificate. (default: yes)
- ssl-cert-life
The default lifetime of the management certificate in days. (default: 1460)
- ssl-pwd-life
Not used now
Automatic renewal of management certificate
Policy Server, Authorization Server and Reverse Proxy use management certificates issued by the internal CA. The expiration date is calculated from the ssl-cert-life parameter.
Each process checks the expiration date of its management certificate and starts the renewal process after half of the lifetime has passed.
- Success log example when renewing the management certificate on Policy Server
2027-01-01-00:00:01.981+09:00I----- 0x106520EE pdmgrd NOTICE bas mts PDCertSigner.cpp 801 0x7f410ac37700
HPDBA0238I The certificate has been renewed for /var/PolicyDirector/keytab/ivmgrd.kdb.
The following logs are examples of failure situations.
- Failed to renew a certificate before expiration on Reverse Proxy
2031-01-01-00:00:01.222+09:00I----- 0x10652121 webseald WARNING bas mts PDCertSigner.cpp 813 0x7fc87518a700 -- HPDBA0289W Automatic refresh of the certificate could not be performed because of error (0x1354a426).
- Failed to use an expired certificate on Reverse Proxy
2027-01-01-00:00:05.890+09:00I----- 0x10652124 webseald FATAL bas mts mtssecureenvironment.cpp 821 0x7f51e999e700 -- HPDBA0292E The certificate has expired or the date is invalid.
2027-01-01-00:00:05.900+09:00I----- 0x10652121 webseald WARNING bas mts PDCertSigner.cpp 813 0x7f51e999e700 -- HPDBA0289W Automatic refresh of the certificate could not be performed because of error (0x10652124).
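The log lines above carry the message IDs that tell the success case apart from the two failure cases (HPDBA0238I, HPDBA0289W, HPDBA0292E). The following added example, which is not part of the IBM document, parses records of that shape, joins a message that was wrapped onto a following line (as in the Policy Server example), and maps each message ID to the action the document describes. The sample log is a constructed copy of the page's lines; the field layout assumed by the regular expression (timestamp, hex ID, process name, severity, then the message ID) is taken from those lines only.

```python
import re

# Message IDs from the document's examples and what each means for triage.
MESSAGE_IDS = {
    "HPDBA0238I": ("renewed", "management certificate renewed"),
    "HPDBA0289W": ("refresh_failed", "automatic refresh could not be performed"),
    "HPDBA0292E": ("expired", "certificate has expired or the date is invalid"),
    "HPDMG0171I": ("life_capped", "configured certificate life exceeds the CA certificate life"),
}

# A record starts with a timestamp like 2027-01-01-00:00:05.890+09:00 (the trailing
# "I-----" flag block is skipped by \S*); continuation lines lack the timestamp.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2}")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2})\S*"
    r"\s+\S+\s+(?P<proc>\S+)\s+(?P<sev>\S+).*?(?P<msgid>HPD[A-Z]{2}\d{4}[IWEF])"
)

# Constructed sample: copies of the log lines shown in the document.
SAMPLE_LOG = """\
2027-01-01-00:00:01.981+09:00I----- 0x106520EE pdmgrd NOTICE bas mts PDCertSigner.cpp 801 0x7f410ac37700
HPDBA0238I The certificate has been renewed for /var/PolicyDirector/keytab/ivmgrd.kdb.
2031-01-01-00:00:01.222+09:00I----- 0x10652121 webseald WARNING bas mts PDCertSigner.cpp 813 0x7fc87518a700 -- HPDBA0289W Automatic refresh of the certificate could not be performed because of error (0x1354a426).
2027-01-01-00:00:05.890+09:00I----- 0x10652124 webseald FATAL bas mts mtssecureenvironment.cpp 821 0x7f51e999e700 -- HPDBA0292E The certificate has expired or the date is invalid.
2027-01-01-00:00:05.900+09:00I----- 0x10652121 webseald WARNING bas mts PDCertSigner.cpp 813 0x7f51e999e700 -- HPDBA0289W Automatic refresh of the certificate could not be performed because of error (0x10652124).
"""


def join_continuations(text):
    """Glue lines without a timestamp onto the preceding record."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.lstrip()
    return records


def triage(text):
    """Return one finding per record that carries a known certificate message ID."""
    findings = []
    for rec in join_continuations(text):
        m = LINE_RE.match(rec)
        if not m or m.group("msgid") not in MESSAGE_IDS:
            continue
        status, meaning = MESSAGE_IDS[m.group("msgid")]
        findings.append({
            "timestamp": m.group("ts"),
            "process": m.group("proc"),
            "severity": m.group("sev"),
            "msgid": m.group("msgid"),
            "status": status,
            "meaning": meaning,
        })
    return findings


def needs_action(findings):
    """Map findings to the remediation the document gives per component."""
    actions = set()
    for f in findings:
        if f["status"] == "expired" and f["process"] == "webseald":
            actions.add("webseald: renew the management certificate manually on the LMI")
        elif f["status"] == "expired" and f["process"] == "pdmgrd":
            actions.add("pdmgrd: enable automatic renewal (ssl-auto-refresh) and restart Policy Server")
        elif f["status"] == "refresh_failed":
            actions.add(f"{f['process']}: automatic refresh failed, check the reported error and renew before expiry")
    return sorted(actions)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["timestamp"], f["process"], f["msgid"], f["status"])
    for a in needs_action(triage(SAMPLE_LOG)):
        print("ACTION:", a)
```

Run against a real message log, the script surfaces HPDBA0289W warnings while the certificate is still valid, which is the window in which renewal can still be done without an outage; an HPDBA0292E from webseald means the Reverse Proxy already failed to start.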
The behavior of each component with an expired management certificate
- Policy Server
Launches successfully. The management certificate is renewed automatically when automatic renewal is enabled.
- Reverse Proxy
Fails to start
How to renew an expired management certificate
- Policy Server
Enable automatic renewal and restart Policy Server
- Reverse Proxy
Renew the management certificate manually on the LMI
https://www.ibm.com/docs/en/sva/10.0.4?topic=management-renewing-web-reverse-proxy-certificates
Renewal of internal CA certificate
The internal CA certificate for management certificates has a 20 year lifetime and is not renewed automatically. The CA certificate has to be renewed manually on the CLI.
With an expired internal CA certificate, each component can start up but the components cannot communicate with each other, so the internal CA certificate has to be renewed as soon as possible.
The expiration date of a management certificate has to be before the expiration date of the internal CA certificate. At management certificate renewal, the expiration date can be adjusted.
- Log example of the expiration date being adjusted on Policy Server
2042-01-10-00:18:04.208+09:18I----- 0x14C010AB pdmgrd NOTICE mgr general PDCertAuthority.cpp 329 0x7f7ae9932700
HPDMG0171I The configured certificate life of 1460 days exceeds the policy server's CA certificate life.
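The two rules stated above, renewal starting once half of the lifetime has passed and the renewed certificate not outliving the internal CA (HPDMG0171I), together with the per-component behaviour on expiry, are modelled in the following added example. It is not code from the IBM document or the appliance; the dates are constructed, and clamping the renewed expiry to the CA expiry is an assumption about how the date "can be adjusted", which the document does not spell out.

```python
from datetime import datetime, timedelta, timezone

# Defaults stated in the document: ssl-cert-life = 1460 days, ssl-auto-refresh = yes.
DEFAULT_CERT_LIFE_DAYS = 1460


def renewal_due(not_before, not_after, now):
    """Document's rule: a process starts renewal after half of the lifetime has passed."""
    half_life = (not_after - not_before) / 2
    return now >= not_before + half_life


def plan_renewal(now, ca_not_after, cert_life_days=DEFAULT_CERT_LIFE_DAYS, auto_refresh=True):
    """Expiry of a renewed management certificate as (new_not_after, capped).

    capped=True corresponds to HPDMG0171I: the configured life would exceed the CA
    certificate life. Clamping to the CA expiry is this example's assumption.
    """
    if not auto_refresh:
        return None, False
    requested = now + timedelta(days=cert_life_days)
    if requested > ca_not_after:
        return ca_not_after, True
    return requested, False


def component_status(component, cert_not_after, ca_not_after, now, auto_refresh=True):
    """What the document says happens per component once a certificate has expired."""
    if now >= ca_not_after:
        return "CA expired: component starts but cannot communicate; renew the CA on the CLI"
    if now < cert_not_after:
        return "ok"
    if component == "policy_server":
        return ("starts; certificate renewed automatically" if auto_refresh
                else "starts; enable ssl-auto-refresh and restart to renew")
    if component == "reverse_proxy":
        return "fails to start; renew the management certificate manually on the LMI"
    raise ValueError(f"unknown component {component!r}")


# Constructed sample dates (not from the document).
CERT_NOT_BEFORE = datetime(2023, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = CERT_NOT_BEFORE + timedelta(days=DEFAULT_CERT_LIFE_DAYS)  # 2026-12-31
CA_NOT_AFTER = datetime(2027, 6, 1, tzinfo=timezone.utc)  # a CA close to the end of its life
NOW_EARLY = CERT_NOT_BEFORE + timedelta(days=729)           # one day before the half-life point
NOW_HALF = CERT_NOT_BEFORE + timedelta(days=730)            # exactly half of 1460 days
NOW_AFTER_EXPIRY = CERT_NOT_AFTER + timedelta(days=1)       # 2027-01-01, CA still valid


def demo():
    """Collect the outcomes for the constructed dates so they can be checked."""
    new_expiry, capped = plan_renewal(NOW_HALF, CA_NOT_AFTER)
    return {
        "due_before_half": renewal_due(CERT_NOT_BEFORE, CERT_NOT_AFTER, NOW_EARLY),
        "due_at_half": renewal_due(CERT_NOT_BEFORE, CERT_NOT_AFTER, NOW_HALF),
        "renewed_expiry": new_expiry.isoformat(),
        "capped_to_ca": capped,
        "policy_server_expired": component_status("policy_server", CERT_NOT_AFTER, CA_NOT_AFTER, NOW_AFTER_EXPIRY),
        "reverse_proxy_expired": component_status("reverse_proxy", CERT_NOT_AFTER, CA_NOT_AFTER, NOW_AFTER_EXPIRY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The capped case is the one worth watching in practice: when the renewed management certificate is cut short to the CA expiry, the next renewal trigger (half of a much shorter lifetime) arrives soon, and once the CA itself expires, no automatic renewal can help because the CA must be renewed on the CLI first.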
Related Information
Document Information
Modified date:
01 November 2022
UID
ibm16833876