Reconfigure the certificates of ISAM Java applications

To use the new policy server certificate authority, you must reconfigure the PDCA in the configured Java™ run time. You must also reconfigure the certificates of any Security Verify Access Java application that uses the IBM Security Verify Access Runtime for Java. First, update the IBM Security Verify Access Runtime for Java configuration. Then, update the certificate of each Security Verify Access Java application that uses the run time.

Before you begin

Back up all the files in [JRE]/PolicyDirector. For WebSphere Application Server version 8.0 and later, the directory is [WAS_HOME]/tivoli/tam/PolicyDirector.

This procedure updates the IBM Security Verify Access Runtime for Java files. Then it updates the individual Security Verify Access Java components with the IBM Security Verify Access Runtime for Java.

The IBM Security Verify Access Runtime for Java files that must be updated are the PDCA.ks file and the ssl-compliance property in the PD.properties file. To reconfigure the certificates of an ISAM Java application, the following changes are required:

  • Write the PDCA.ks file from an updated IBM Security Verify Access Runtime for Java into the location that the pdca-url entry specifies.
  • Also update the ssl-compliance entry, if it exists. For example:
    ssl-compliance=none

    Change the value to the compliance level that is appropriate for a Java application configured with ISAM version 7.0. For example:

    ssl-compliance=suite-b-192

Steps

1. Update the PDCA.ks and PD.properties files by unconfiguring the Java run time and then reconfiguring it.
  • This step removes all files in the [JRE]/PolicyDirector directory and then re-creates them. For WebSphere Application Server version 8.0 and later, the directory is [WAS_HOME]/tivoli/tam/PolicyDirector.
  • If any file under this directory was customized, you must reapply the customization to the new file.
  • At this step, do not unconfigure the ISAM Java applications that are configured to use the JRE.

  For more information about configuring or unconfiguring the Security Verify Access Runtime for Java, see the pdjrtecfg command utility in the IBM Security Verify Access for Web Command Reference.

2. Update the WebSphere profile if:
  • The Security Verify Access compliance type changed, and
  • The Security Verify Access Java applications run in a WebSphere profile.
  The FIPS security mode must match the ISAM compliance level.
3. Stop any processes that are using the JRE. For example, stop any WebSphere profiles that are using the JRE.
4. Update the ssl.client.props file of the WebSphere profile to allow WebSphere client applications to communicate with the profile if:
  • You are using a WebSphere Java run time, and
  • You changed the FIPS security mode of the run time.
5. Regenerate the certificates of each Security Verify Access Java application by using SvrSslCfg. This example shows how to reconfigure the ISAM WebSphere Portal Manager certificates (replace <sec_master_password> with the sec_master password):
  java com.tivoli.pd.jcfg.SvrSslCfg -action replcert -admin_id sec_master -admin_pwd <sec_master_password> -cfg_file /opt/PolicyDirector/java/export/pdwpm/pdwpm.properties

6. Start the JRE and ensure that it operates properly in the updated Java run time. For WebSphere, start the WebSphere profile to start the JRE.
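The following POSIX shell helper is an added example and is not part of the IBM documentation or tooling: it backs up PD.properties, sets the ssl-compliance entry to the new level, and checks that the PDCA.ks keystore named by pdca-url exists before the run time is restarted. It assumes PD.properties uses plain key=value lines and that pdca-url is written as file\:///path/PDCA.ks (Java properties escape the colon); the compliance level is not validated beyond being non-empty.

```sh
#!/bin/sh
# Added example: helpers for the PD.properties changes described in this procedure.

# Back up PD.properties, then set (or append) ssl-compliance=<level>.
# Usage: set_ssl_compliance <PD.properties> <level>
set_ssl_compliance() {
    props="$1"; level="$2"
    [ -f "$props" ] || { echo "no such file: $props" >&2; return 1; }
    [ -n "$level" ] || { echo "compliance level required" >&2; return 1; }
    cp "$props" "$props.bak" || return 1           # keep the pre-change copy
    if grep -q '^ssl-compliance=' "$props"; then
        awk -v v="$level" \
            '/^ssl-compliance=/ { print "ssl-compliance=" v; next } { print }' \
            "$props" > "$props.tmp"
    else
        { cat "$props"; echo "ssl-compliance=$level"; } > "$props.tmp"
    fi
    mv "$props.tmp" "$props"
}

# Print the current ssl-compliance value (empty if the entry is absent).
get_ssl_compliance() {
    sed -n 's/^ssl-compliance=//p' "$1"
}

# Resolve pdca-url to a filesystem path: unescape "\:" and strip "file://".
pdca_keystore_path() {
    url=$(sed -n 's/^pdca-url=//p' "$1" | sed 's/\\:/:/g')
    case "$url" in
        file://*) echo "${url#file://}" ;;
        *)        echo "$url" ;;
    esac
}

# Succeed only if the keystore that pdca-url points at actually exists.
check_pdca_keystore() {
    ks=$(pdca_keystore_path "$1")
    [ -n "$ks" ] && [ -f "$ks" ]
}
```

Run the check after step 1 and again after restoring any customized files, so a missing or stale PDCA.ks is caught before the WebSphere profile is started.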


What to do next

Repeat this procedure for any other ISAM Java run times on the system.

Parent topic: Regenerating certificates