Procedure to update the Sterling Secure Proxy (SSP) Factory Certificate

This is a quick procedure to update the Sterling Secure Proxy factory certificate, which expires December 1st, 2017.

Background:

The Sterling Secure Proxy (SSP) factory certificate that comes with the product expires Friday, December 1, 2017 at 10:54 AM EST. The factory certificate is shipped as the default certificate for the secure connections to the SSP Configuration Manager (CM) GUI and between the SSP CM and the Engine. Like the "admin" user ID that is shipped with the product, the factory certificate is intended to be replaced by the customer once the product is up.

ACTION: If you are still using the old factory certificate for the CM and the Engine, you must replace it before December 1, 2017. Failure to do so will result in the SSP CM being unable to monitor or push new configurations to the Engine, and users being unable to log in to the CM.

Note: SSP Engines will continue to run with the configuration they have at the certificate expiration time. But if they are brought down and back up, they will not be able to load a new configuration from the CM.

How to know if you are vulnerable:

a. Navigate to the /bin directory on the CM server.

b. On UNIX, issue:
       ./configureCmSsl.sh -s
   On Windows, issue:
       .\configureCmSsl.bat -s

c. You are vulnerable if the Server and Client alias point to "factory" and the factory certificate is only valid to Fri Dec 01, 2017:

       ...
       Server alias : factory
       Client alias : factory
       ...
       validity: Valid from [Tue Dec 04 10:54:13 EST 2007] to [Fri Dec 01 10:54:13 EST 2017]

Instructions:

There is a new factory certificate that expires in 2037 on our Fix Central website, which you can download along with this README file.
Here is the link: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.3.0&platform=All&function=all

On the Sterling Secure Proxy Configuration Manager system:

1. Copy the SSPFactoryKeyCert2037.txt file you downloaded from Fix Central to the /bin directory.

2. Make a backup of the directory.

3. Stop the CM by running the following command from the /bin directory:
       UNIX:    ./stopCM.sh mode=auto
       Windows: .\stopCM.bat mode=auto   (or stop the service)

4. From the /bin directory, run this command to update the CM and Web Server factory certificates:
       UNIX:    ./configureCmSsl.sh -u commonCert=SSPFactoryKeyCert2037.txt commonCertAlias=factory2037
       Windows: .\configureCmSsl.bat -u commonCert=SSPFactoryKeyCert2037.txt commonCertAlias=factory2037

   Expected output with responses:
       IBM Sterling Secure Proxy V3.4.3.0
       Copyright (c) 2017 IBM
       Enter the system passphrase: [Your SSP system passphrase]
       Loading configuration files...
       Backing up configuration files...
       Updating configuration...
       Enter the password for the common key-certificate: [password]   <- yes, password

   The output should include these lines:
       Server alias : factory2037
       Client alias : factory2037

5. From the /bin directory, run this command to create an export file to be used to import the new factory certificate into the SSP engine:
       UNIX:    ./configureCmSsl.sh -e file=factory2037.export.file
       Windows: .\configureCmSsl.bat -e file=factory2037.export.file

   Expected output with responses:
       IBM Sterling Secure Proxy V3.4.3.0
       Copyright (c) 2017 IBM
       Enter the system passphrase: [Your SSP system passphrase]
       Loading configuration files...
       ******** performing expoort .....
       Enter password to encrypt export file: [Any password]   (remember this password for step 10)
       ********** protocol : TLSv1.1
       ********** protocol #2: TLSv1.1
       Configuration exported.

6. Start the CM by running the following command from the /bin directory:
       UNIX:    ./startCM.sh
       Windows: .\startCM.bat   (or start the service)

For each SSP Engine controlled by the above SSP CM:

7. Copy the factory2037.export.file that was created in step 5 from the /bin directory to the /bin directory on the SSP engine server.

8. Make a backup of the directory.

9. Stop the Engine by running the following command from the /bin directory:
       UNIX:    ./stopEngine.sh mode=auto
       Windows: .\stopEngine.bat mode=auto   (or stop the service)

10. From the /bin directory, run this command to import the factory2037.export.file copied in step 7:
       UNIX:    ./configureEngineSsl.sh -i file=factory2037.export.file engCertAlias=factory2037
       Windows: .\configureEngineSsl.bat -i file=factory2037.export.file engCertAlias=factory2037

   Expected output with responses:
       IBM Sterling Secure Proxy V3.4.3.0
       Copyright (c) 2017 IBM
       Enter the system passphrase: [Your SSP system passphrase]
       Loading configuration files...
       Backing up configuration files...
       Enter password to decrypt import file: [Password entered in step 5]
       Importing configuration...
       Configuration imported.

   The output should include these lines:
       Server alias : factory2037
       Client alias : factory2037

11. Start the Engine by running the following command from the /bin directory:
       UNIX:    ./startEngine.sh
       Windows: .\startEngine.bat   (or start the service)
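The vulnerability check in step c and the "output should include these lines" checks in steps 4 and 10 are the same test: read the alias and validity lines from the configureCmSsl.sh -s / configureEngineSsl.sh -s status output and decide whether the node still trusts the expiring factory certificate. The POSIX shell script below is an added example written for this page, not a script shipped with SSP or taken from the IBM technote. It assumes the status output contains the "Server alias :", "Client alias :" and "validity: ... to [...]" lines quoted above; the two status texts embedded in it are constructed samples (the 2037 expiry date in the second one is a placeholder), and the ssp_* function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the IBM technote): parse the status output of
# configureCmSsl.sh -s or configureEngineSsl.sh -s and report whether the
# node still uses the expiring "factory" certificate. Run it on the CM and
# on every Engine before the update to find affected nodes, and again after
# step 4 / step 10 to confirm the factory2037 alias is in place.

# Constructed sample of pre-update status output, modelled on the lines the
# technote quotes (assumption: the real output carries the same three lines).
SAMPLE_BEFORE='IBM Sterling Secure Proxy V3.4.3.0
Server alias : factory
Client alias : factory
validity: Valid from [Tue Dec 04 10:54:13 EST 2007] to [Fri Dec 01 10:54:13 EST 2017]'

# Constructed post-update status output; the 2037 expiry date is a placeholder.
SAMPLE_AFTER='IBM Sterling Secure Proxy V3.4.3.0
Server alias : factory2037
Client alias : factory2037
validity: Valid from [Tue Dec 04 10:54:13 EST 2007] to [Thu Jan 01 00:00:00 EST 2037]'

# Year in which the original factory certificate expires (from the technote).
FACTORY_EXPIRY_YEAR=2017

# ssp_alias Server|Client  (status text on stdin): print the alias named on
# the matching "<Server|Client> alias : <name>" line.
ssp_alias() {
    sed -n "s/^$1 alias *: *\([^ ]*\).*/\1/p" | head -n 1
}

# ssp_expiry_year  (status text on stdin): print the four-digit year inside
# the "to [...]" bracket of the validity line.
ssp_expiry_year() {
    sed -n 's/.*to \[.* \([0-9]\{4\}\)\].*/\1/p' | head -n 1
}

# ssp_needs_renewal "<status text>": succeed (exit 0) when either alias is
# still "factory" or the certificate expires in or before 2017. A missing
# validity line counts as year 0, so an unparseable node is flagged rather
# than silently passed.
ssp_needs_renewal() {
    server=$(printf '%s\n' "$1" | ssp_alias Server)
    client=$(printf '%s\n' "$1" | ssp_alias Client)
    year=$(printf '%s\n' "$1" | ssp_expiry_year)
    [ "$server" = factory ] || [ "$client" = factory ] || \
        [ "${year:-0}" -le "$FACTORY_EXPIRY_YEAR" ]
}

# ssp_report "<label>" "<status text>": print a one-line verdict; always exits 0.
ssp_report() {
    if ssp_needs_renewal "$2"; then
        echo "$1: factory certificate still in use - follow steps 1-11"
    else
        echo "$1: OK (alias $(printf '%s\n' "$2" | ssp_alias Server), expires $(printf '%s\n' "$2" | ssp_expiry_year))"
    fi
}

# Usage on a real node: the -s command prompts for the system passphrase, so
# save its output to a file first, then feed that file to ssp_report, e.g.
#   ./configureCmSsl.sh -s > /tmp/cm-status.txt
#   ssp_report "cm01" "$(cat /tmp/cm-status.txt)"
ssp_report "sample-before" "$SAMPLE_BEFORE"
ssp_report "sample-after"  "$SAMPLE_AFTER"
```

The check deliberately treats any alias still named "factory" as needing action even if the validity line could not be read, and any certificate whose expiry year is 2017 or earlier as needing action even if it was given a different alias; that keeps the verdict conservative across CM and Engine nodes whose status output differs slightly.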