Updating the SP signing certificate
To update the SP certificate on Remedy SSO server
To update the Remedy SSO service provider (SP) certificate, perform the following tasks:
To update the java keystore cot.jks file
Perform the following steps on the system where Remedy SSO server is installed.
- Go to the <tomcat>\rsso\WEB-INF\classes directory.
- Locate the cot.jks file and take a backup of the file.
- Run the keytool command to delete the alias ‘sp-signing’ from the existing cot.jks file.
keytool -delete -alias test2 -keystore cot.jks
- Create a new keypair with alias ‘test2’ in the existing cot.jks file.
keytool -keystore cot.jks -genkey -alias test2 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730
- Export the ‘test2’ certificate in the PEM format.
keytool -export -keystore cot.jks -alias test2 -file test2.pem -rfc
The system creates a test2.pem file.
- Take a backup of the updated cot.jks file.
If you have other Remedy SSO server instances in the same cluster, replace the cot.jks file in the <tomcat>\rsso\WEB-INF\classes folder with the updated cot.jks file.
To update the signing certificate in Remedy SSO Admin Console
- Log in to Remedy SSO Admin Console.
- Go to General > Advanced tab.
- Enter the following details:
- Keystore File
- Keystore Password
- Signing Key Alias
- Click Save.
- Wait for 15 seconds, and then view the realm that uses SAML.
- On the Authentication tab, click View Metadata. Verify the SP metadata is updated with the new signing certificate.
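The "verify the SP metadata is updated" step can be automated rather than eyeballed. The following added example (not part of the Remedy SSO documentation or product) compares the certificate exported with keytool (test2.pem) against the signing KeyDescriptor entries in the SP metadata by SHA-256 fingerprint of the DER bytes; the certificate bytes, the entityID and the metadata document are constructed stand-ins, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for certificate DER bytes (not real certificates).
NEW_DER = b"constructed DER bytes of the new test2 signing certificate"
OLD_DER = b"constructed DER bytes of the old sp-signing certificate"

def to_pem(der: bytes) -> str:
    """Wrap DER bytes the way 'keytool -export -rfc' prints a certificate."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

NEW_PEM = to_pem(NEW_DER)   # what test2.pem would contain
OLD_PEM = to_pem(OLD_DER)   # the certificate being retired

# Constructed SP metadata as View Metadata would serve it after the update:
# the signing key carries the new certificate, encryption still the old one.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://rsso.example.test/rsso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(NEW_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(OLD_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes of one PEM certificate."""
    body = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every certificate usable for signing in the SP metadata.
    A KeyDescriptor with no 'use' attribute is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append(hashlib.sha256(der).hexdigest())
    return found

def metadata_has_signing_cert(metadata_xml: str, pem_text: str) -> bool:
    """True when the exported PEM appears as a signing certificate in the metadata."""
    return pem_fingerprint(pem_text) in signing_fingerprints(metadata_xml)
```

Run it against the real test2.pem and the metadata downloaded from View Metadata; a False result means the Admin Console change has not taken effect yet or the wrong alias was entered.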
To update the SP metadata at the IdP side
- Export the SP metadata and save it in a local file.
- Share the exported SP metadata and the new signing certificate information with the IdP team for updating.
If ADFS is the IdP, add the new signing certificate:
- Open Properties dialog of the relying party for Remedy SSO.
- Go to the Signature tab.
- Click Add.
- Select the new signing certificate file.
- Click OK.
To update the SP certificate in an HA environment
To achieve zero downtime in a cluster environment when updating the signing certificate with Active Directory Federation Services (ADFS) as the IdP, perform the following steps:
- Shut down one Remedy SSO server instance and update the java keystore cot.jks file on it.
- Update the signing certificate in Remedy SSO Admin Console.
- Update the SP metadata at the IdP side. Note that you must not delete the old signing certificate.
- Bring the Remedy SSO server instance up again.
- Repeat step 1 to step 4 for all Remedy SSO server instances.
- After the keystore cot.jks is updated on all Remedy SSO server instances, remove the old signing certificate on Remedy SSO relying party at ADFS side.