
After renewing IDM certificate SAML doesn't work

Hi everybody,

After following the procedure for renewing the IDM certificate, our SAML integration with ADFS doesn't work: the user is redirected to ADFS but there is no prompt for username and password. Fortunately, using the old spring_saml_metadata.xml file is possible and users are working. Has anyone completed the IDM certificate renewal procedure?

I have noticed that in the old (and good) spring_saml_metadata the CN of the certificate is SMAXIDM, and in the new (and bad) one it is LOCALHOST. But the procedure does not explain what it should be.

And what do you think will happen when the IDM certificate expires?


In the IDM logs there are some related messages which I cannot understand:

...

2020-08-14T14:15:00.122+0200 ERROR [http-nio-8080-exec-2] com.hp.ccue.identity.spring.preauth.PreAuthFilter - Incoming HTTP request has invalid X-Auth-Token header. Aborting pre auth processing. URL: /idm-service/api/scim/organizations/902370360_db/users, The token has expired

...

2020-08-14T14:15:02.935+0200 INFO [https-jsse-nio-8443-exec-5] org.springframework.security.saml.log.SAMLDefaultLogger - AuthNRequest;SUCCESS;172.16.98.96;https://....../idm-service/saml/metadata;http://......./adfs/services/trust;;;

Regards, Darek

7 Replies
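An added example, not from this thread or from Micro Focus: a Python check (using the cryptography package) that pulls the signing certificate out of a spring_saml_metadata.xml, reports its subject CN and days to expiry, and flags the LOCALHOST-instead-of-SMAXIDM mismatch described above before the file is handed to ADFS. The make_sample_metadata helper, its entityID and the self-signed certificate are constructed sample data, not IDM output.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def inspect_sp_metadata(xml_text, expected_cn, warn_days=30):
    """Return (cn, days_left, problems) for the SP signing certificate in the metadata."""
    root = ET.fromstring(xml_text)
    # Spring SAML publishes the SP certificate under <md:KeyDescriptor use="signing">.
    node = root.find('.//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', NS)
    if node is None or not node.text:
        return None, None, ["no signing certificate found in metadata"]
    cert = x509.load_der_x509_certificate(base64.b64decode("".join(node.text.split())))
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    # not_valid_after_utc exists from cryptography 42; fall back to the naive attribute.
    not_after = getattr(cert, "not_valid_after_utc", None) or \
        cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    days_left = (not_after - dt.datetime.now(dt.timezone.utc)).days
    problems = []
    if cn.lower() != expected_cn.lower():
        problems.append(f"subject CN is {cn!r}, expected {expected_cn!r}")
    if days_left < warn_days:
        problems.append(f"certificate expires in {days_left} days")
    return cn, days_left, problems


def make_sample_metadata(cn, days_valid):
    """Constructed sample: a self-signed cert with the given CN in minimal SP metadata."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=days_valid))
            .sign(key, hashes.SHA256()))
    der_b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idm.example.invalid/idm-service/saml/metadata">'
            '<md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{der_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
            '</md:EntityDescriptor>')
```

Running inspect_sp_metadata on the real file with expected_cn="SMAXIDM" reproduces the symptom from the first post as a non-empty problems list when the regenerated metadata carries CN=LOCALHOST.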

Please answer.

Has anyone completed the IDM certificate renewal procedure?

Regards, Darek

For anyone interested:

The procedure on the SMAX Doc portal is only for the CDF IdM certificate (that is, for Administrators).

For the Suite IdM (that is, for End Users and Operators), IdM normally auto-generates the certificate and no action is required.

But in our system we have modified the IdM infrastructure with a custom IdM certificate; in this case we should renew the custom certificate manually.

Regards, Darek


Hi,

Here is the procedure to renew the certificate file; we can use the following workaround:

Connect to the SMAX IDM instance database.

Run the following SQL command to get the DB config items' values and back them up:

select name,value from system_resource_config where name like '%keystore%';

Clean up the old values by running the following SQL commands against the IdM DB:

update system_resource_config set value = '' where name = 'idm.saml.keystore.password';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultKey.name';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultPublicKey';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultPrivateKey';
update system_resource_config set value = '' where name = 'idm.saml.keystore.defaultCertificate';

Then restart the SMAX IdM pod.

Thanks & Regards,

Dani Basavaraj


Thanks, Dani

It seems like a fragment of the official procedure for renewing the IdM certificate for CDF. We were looking for Suite IdM certificate renewal. It is now closed by a Support action.

Regards, Darek


Dear Darek,

Can you please share the steps/solution used for sorting out this issue? It will be helpful for others.

Thanks & Regards,

Dani Basavaraj


Hi Dani,

I've already asked Micro Focus Support about it and I'm not allowed to share the detailed instructions.

Regards, Darek


Dear Darek,

Thank you.

Regards,

Dani Basavaraj
