Regenerate certificates

If the private key in the PDCA certificate is compromised, regenerate the key file. We might also change Security Verify Access to a different compliance type that requires certificates with different bit strengths or signature algorithms; in that case the key file must be regenerated as well. Each key file contains a list of trusted certificate authorities (CAs). Every key file except ivmgrd.kdb has the SVA certificate authority (PDCA) certificate as a trusted CA. This certificate authority signs all the other SVA certificates. It is created during policy server configuration and is placed in the ivmgrd.kdb file. Protect the ivmgrd.kdb file so that the private key in the PDCA certificate is not compromised. If the private key is compromised, the private key, each key file, and each certificate in the domain must be regenerated.

The IBM Security Verify Access Runtime for Java also stores the PDCA certificate. If this certificate is compromised and must be regenerated, reconfigure all servers that use IBM Security Verify Access Runtime for Java. Also regenerate the key file for every resource manager that was previously configured with the SvrSslCfg class, and then reconfigure those resource managers.

Steps

  1. Stop the policy server.

  2. Regenerate the PDCA certificate and policy server certificate by generating a new ivmgrd.kdb file with the mgrsslcfg -config utility.

  3. Regenerate the ISAM runtime certificates on the policy server by running the bassslcfg -config utility.

  4. Obtain the certificate authority certificate on each system, either by automatic download or by manually copying the file:

    • If auto-download is set to on (enabled) and the policy server is running, the certificate authority certificate is automatically obtained. By default, auto-download is enabled.

    • If auto-download is set to off (disabled), the base-64 DER encoded version of the PDCA certificate must be copied to the system. This file is stored as pdcacert.b64 on the policy server.

  5. On each runtime system, run the bassslcfg -config utility.

  6. On each authorization server in the domain, regenerate its key files by running the svrsslcfg -config utility. The policy server must be running. This command updates both the server certificate for the authorization server and its trusted certificate (the new PDCA certificate).

  7. On each resource manager in the domain, regenerate its key files by running the svrsslcfg -config utility. The policy server must be running. This command updates both the server certificate for that resource manager and its trusted certificate (the new PDCA certificate).

  8. On each Security Verify Access Java runtime system, run...
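Before the per-server steps are run with auto-download disabled, it is worth confirming that every system's copy of pdcacert.b64 really is the regenerated PDCA certificate and not a stale copy of the compromised one. The following check is an added example, not part of the IBM documentation: host names and certificate contents are constructed placeholders, and a SHA-256 fingerprint comparison of the decoded DER stands in for a full certificate inspection.

```python
import base64
import hashlib
import re

# Matches the PEM wrapper that a base-64 DER certificate file may carry.
PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pdca_fingerprint(b64_text: str) -> str:
    """SHA-256 fingerprint (hex) of the DER certificate held in a pdcacert.b64-style file.

    The file may be bare base-64 or wrapped in PEM markers; both forms are accepted.
    """
    match = PEM_BODY.search(b64_text)
    body = match.group(1) if match else b64_text
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def audit_pdca_copies(reference_b64: str, copies: dict) -> dict:
    """Compare each system's copy against the policy server's reference certificate.

    Returns {host: "current" | "stale" | "unreadable"}; any host not marked "current"
    still needs the new PDCA certificate copied to it (or auto-download re-enabled).
    """
    reference = pdca_fingerprint(reference_b64)
    result = {}
    for host, text in copies.items():
        try:
            result[host] = "current" if pdca_fingerprint(text) == reference else "stale"
        except (ValueError, TypeError):  # not valid base-64, so not a usable copy
            result[host] = "unreadable"
    return result


def _fake_cert(label: bytes) -> str:
    """Constructed placeholder: base-64 of a byte string standing in for a DER certificate."""
    return base64.b64encode(label).decode()


# Constructed sample data: the regenerated PDCA on the policy server and three copies.
NEW_PDCA = ("-----BEGIN CERTIFICATE-----\n" + _fake_cert(b"new PDCA (constructed)")
            + "\n-----END CERTIFICATE-----\n")
SAMPLE_COPIES = {
    "authzsrv01": NEW_PDCA,                               # copied after regeneration
    "webseal01": _fake_cert(b"old PDCA (constructed)"),   # still holds the compromised CA
    "appsrv01": "not a certificate",                      # corrupted copy
}

if __name__ == "__main__":
    for host, status in sorted(audit_pdca_copies(NEW_PDCA, SAMPLE_COPIES).items()):
        print(f"{host}: {status}")
```

In practice the reference is read from pdcacert.b64 on the policy server and each copy from the corresponding runtime, authorization server, or resource manager system.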
