Reconfigure the PDCA on the policy server

If the certificate is compromised or expires, reconfigure the PDCA on the policy server.

Steps

  1. Stop all Security Verify Access services that are running on the system:
    • AIX, Linux, and Solaris operating systems:
      pd_start stop
    • Windows operating systems:
      drive:\> net stop servername
      Stop each Security Verify Access service. For example, to stop the policy server, type:
      C:\> net stop IVMgr

  2. Change to the directory where the key files are located. Assuming the default directory on an AIX, Linux, or Solaris operating system, enter the following command:
    cd /var/PolicyDirector/keytab

  3. Rename the ivmgrd.kdb key file, the ivmgrd.sth stash file, and the pdcacert.b64 PDCA file:
    mv ivmgrd.kdb ivmgrd.kdb.old
    mv ivmgrd.sth ivmgrd.sth.old
    mv pdcacert.b64 pdcacert.b64.old

  4. Configure the policy manager server to create a new key file and stash file. For example, enter the following command, replacing the value of the -C compliance option:
    /opt/PolicyDirector/sbin/mgrsslcfg -config -D yes -C compliance

  5. Change the ownership of the newly created key file, stash file, and certificate to ivmgr:ivmgr:
    chown ivmgr:ivmgr /var/PolicyDirector/keytab/ivmgrd.kdb
    chown ivmgr:ivmgr /var/PolicyDirector/keytab/ivmgrd.sth
    chown ivmgr:ivmgr /var/PolicyDirector/keytab/pdcacert.b64

  6. Configure the ISAM runtime with the bassslcfg -config utility. For example, enter the following command, replacing the values of the -c, -h, and -C options:
    bassslcfg -config -C {compliance} -h myhostname -c /var/PolicyDirector/keytab/pdcacert.b64

  7. Change the ownership of the new key file and stash file to ivmgr:ivmgr by entering the following commands:
    chown ivmgr:ivmgr /var/PolicyDirector/keytab/pd.kdb
    chown ivmgr:ivmgr /var/PolicyDirector/keytab/pd.sth

  8. Start the ISAM services on the computer:
    /opt/PolicyDirector/bin/pdmgrd

  9. Update the certificates of the authorization, proxy, and resource servers and of other C API applications that use svrsslcfg -config:
    svrsslcfg -chgcert

    This example shows the command to update the certificate on the authorization server:

      svrsslcfg -chgcert -f /opt/PolicyDirector/etc/[instance-]ivacld.conf -P *** -A sec_master

  10. Start the updated ISAM servers:
    pd_start restart

  11. Reconfigure the certificates of any other ISAM Java™ applications on the policy server. See Reconfiguring the certifications of ISAM Java applications.
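The AIX, Linux, and Solaris sequence above as one script, added here as an example that is not part of IBM's documentation or tooling: it runs the page's rename, configure, ownership, and restart commands in order and stops if a key file is missing before the rename or if the regenerated files are identical to the old ones. The environment variable names COMPLIANCE, PDCA_HOST, IVACLD_CONF, SEC_MASTER_PW, and the KEYTAB override are assumptions of this example, not product names.

```shell
#!/bin/sh
# Added example, not IBM's script: the AIX/Linux/Solaris sequence from the
# page with fail-closed checks. Assumed names (mine, not the product's):
# COMPLIANCE, PDCA_HOST, IVACLD_CONF, SEC_MASTER_PW and the KEYTAB override.
set -eu
KEYTAB="${KEYTAB:-/var/PolicyDirector/keytab}"
FILES="ivmgrd.kdb ivmgrd.sth pdcacert.b64"

# Move the old key, stash and PDCA files aside (the three mv commands on the
# page). Refuse to start if any is missing so mgrsslcfg never runs on a
# half-renamed keytab directory.
backup_key_files() {
    dir="$1"
    for f in $FILES; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    for f in $FILES; do
        mv "$dir/$f" "$dir/$f.old"
    done
}

# After mgrsslcfg: the new files must exist, be non-empty and differ from
# the .old copies; an unchanged pdcacert.b64 means no new PDCA was issued.
verify_new_key_files() {
    dir="$1"
    for f in $FILES; do
        [ -s "$dir/$f" ] || { echo "not created: $dir/$f" >&2; return 1; }
        if [ -f "$dir/$f.old" ] && cmp -s "$dir/$f" "$dir/$f.old"; then
            echo "unchanged: $dir/$f" >&2
            return 1
        fi
    done
}

# The page's commands in order; ownership is fixed before any daemon starts.
# The sec_master password is passed on the command line exactly as the page
# shows it, so it is visible in the process list while svrsslcfg runs.
rotate_pdca() {
    pd_start stop
    backup_key_files "$KEYTAB"
    /opt/PolicyDirector/sbin/mgrsslcfg -config -D yes -C "$COMPLIANCE"
    verify_new_key_files "$KEYTAB"
    chown ivmgr:ivmgr "$KEYTAB/ivmgrd.kdb" "$KEYTAB/ivmgrd.sth" "$KEYTAB/pdcacert.b64"
    bassslcfg -config -C "$COMPLIANCE" -h "$PDCA_HOST" -c "$KEYTAB/pdcacert.b64"
    chown ivmgr:ivmgr "$KEYTAB/pd.kdb" "$KEYTAB/pd.sth"
    /opt/PolicyDirector/bin/pdmgrd
    svrsslcfg -chgcert -f "$IVACLD_CONF" -P "$SEC_MASTER_PW" -A sec_master
    pd_start restart
}
# Run only when asked, so the helpers can be exercised on a scratch directory.
if [ "${1:-}" = "run" ]; then rotate_pdca; fi
```

Run it as `sh rotate_pdca.sh run` on the policy server after exporting the assumed variables; without the `run` argument it only defines the functions, which lets the checks be tried on a copy of the keytab directory first.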


What to do next

After updating the PDCA on the policy server, we must update the certificates on all other systems that run ISAM servers and applications.

The management environment must be running.

After regenerating the PDCA certificate on the policy server, we might need to copy the PDCA certificate to each runtime computer in the domain. If auto-download is enabled, we do not need to copy the file.
