Updating the SP signing certificate
You might need to update the service provider certificate if it has expired. This topic describes how to update the certificate on a single Remedy SSO server, and how to update the certificate if you have Remedy SSO deployed in an HA cluster.
To update the SP certificate on Remedy SSO server
To update the Remedy SSO service provider (SP) certificate, perform the following tasks:
- Update the java keystore cot.jks file
- Update the signing certificate in Remedy SSO Admin Console
- Update the SP metadata at the IdP side
Note
The paths specified in the following steps are for Windows OS. On Linux OS, use the corresponding path.
The file name for the java keystore should be cot.jks.
To update the java keystore cot.jks file
Perform the following steps on the system where Remedy SSO server is installed.
- Go to the <tomcat>\rsso\WEB-INF\classes directory.
- Locate the cot.jks file and take a backup of the file.
- Run the keytool command to delete the existing signing-key alias from the cot.jks file. The commands in this topic use the alias test2; if your keystore uses a different alias (for example, sp-signing), substitute it. This is the alias configured as the Signing Key Alias in Remedy SSO Admin Console.
keytool -delete -alias test2 -keystore cot.jks
- Create a new keypair with alias ‘test2’ in the existing cot.jks file.
keytool -keystore cot.jks -genkey -alias test2 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730
- Export the ‘test2’ certificate in the PEM format.
keytool -export -keystore cot.jks -alias test2 -file test2.pem -rfc
The system creates a test2.pem file.
- Take a backup of the updated cot.jks file.
If you have other Remedy SSO server instances in the same cluster, replace the cot.jks file in the <tomcat>\rsso\WEB-INF\classes folder with the updated cot.jks file.
To update the signing certificate in Remedy SSO Admin Console
- Log in to Remedy SSO Admin Console.
- Go to General > Advanced tab.
- Enter the following details:
- Keystore File
- Keystore Password
- Signing Key Alias
- Click Save.
- Wait for 15 seconds, then view the realm that uses SAML.
- On the Authentication tab, click View Metadata. Verify the SP metadata is updated with the new signing certificate.
To update the SP metadata at the IdP side
- Export the SP metadata and save it in a local file.
- Share the exported SP metadata and the new signing certificate information with the IdP team for updating.
If ADFS is the IdP, add the new signing certificate:
- Open Properties dialog of the relying party for Remedy SSO.
- Go to the Signature tab.
- Click Add.
- Select the new signing certificate file.
- Click OK.
To update the SP certificate in an HA environment
To achieve zero downtime in a cluster environment when updating the signing certificate with Active Directory Federation Services (ADFS) as the IdP, perform the following steps:
- Take one Remedy SSO server instance down and update the java keystore cot.jks file on it.
- Update the signing certificate in Remedy SSO Admin Console.
- Update the SP metadata at the IdP side. Note that you must not delete the old signing certificate at this point.
- Bring the Remedy SSO server instance up again.
- Repeat step 1 to step 4 for all Remedy SSO server instances.
- After the keystore cot.jks is updated on all Remedy SSO server instances, remove the old signing certificate from the Remedy SSO relying party on the ADFS side.
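A check for the two verification points in this topic (that View Metadata shows the new signing certificate after you click Save, and that during an HA rollover the old certificate is still published until the last instance is updated), as an added Python example that is not part of this topic or of the Remedy SSO product. The metadata and PEM contents are constructed stand-ins, not real certificates, and the entityID is assumed.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem):
    """Strip the armour that `keytool -export -rfc` writes and decode the DER body."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem).split()))

def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, the form ADFS shows in the Signature tab."""
    return hashlib.sha256(der).hexdigest()

def signing_certs(metadata_xml):
    """DER bytes of every certificate the SP metadata publishes for signing.
    A KeyDescriptor with no 'use' attribute counts for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for node in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def check_metadata(metadata_xml, new_cert_pem, old_cert_pem=None):
    """Report whether the new certificate is published and whether the old one still is."""
    published = {fingerprint(c) for c in signing_certs(metadata_xml)}
    new_ok = fingerprint(pem_to_der(new_cert_pem)) in published
    old_left = old_cert_pem is not None and fingerprint(pem_to_der(old_cert_pem)) in published
    return {"new_published": new_ok, "old_still_published": old_left}

# Constructed sample data: stand-in bytes, not real certificates.
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def _metadata(*pems):
    """Constructed SP metadata with one signing KeyDescriptor per certificate."""
    kds = "".join('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
                  "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                  % base64.b64encode(pem_to_der(p)).decode() for p in pems)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://rsso.example.test/sp">'
            "<md:SPSSODescriptor>%s</md:SPSSODescriptor></md:EntityDescriptor>") % (NS["md"], NS["ds"], kds)

OLD_PEM = _pem(b"constructed-old-sp-signing-cert")
NEW_PEM = _pem(b"constructed-new-sp-signing-cert")
METADATA_AFTER_UPDATE = _metadata(NEW_PEM)          # what View Metadata should show after Save
METADATA_MID_ROLLOVER = _metadata(OLD_PEM, NEW_PEM)  # both certs, as ADFS holds them during an HA update
```

Run it against the SP metadata exported from the Admin Console and the test2.pem file from the keytool step; a result of new_published False means the keystore, password or Signing Key Alias entered on the Advanced tab does not match the updated cot.jks.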