Alerts

Version Manager SSO: Default Certificates for STS, GATEKEEPER and VMSERVER expire starting June 13th 2015



ID:    A67
Published:    10 June 2015
Updated:    12 June 2015

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • PVCS Version Manager
 

Description

This article is applicable only if you are running Version Manager 8.4 or newer and have Project Databases configured to use the SSO/CAC Login Source. 
 
To validate, perform the following steps:
  1. Open the VM Desktop Client
     
  2. Select a Project Database
     
  3. Go to Admin -> Configure Project: Login Source
     
  4. Check if the selected Login Source is SSO/CAC:



     
    • If the configured Login Source is SSO/CAC and the SSO Server(STS) Detail points to a Version Manager SSO server, this article applies.
       
    • If the configured Login Source is SSO/CAC and the SSO Server(STS) Detail points to an SBM SSO server, this article applies as well, though it only impacts users of the Version Manager Eclipse RIDE or Visual Studio RIDE integrations.
       
    • If the configured Login Source is not SSO/CAC, this article does not apply.
       

 
A number of default SSO (Serena Single Sign-On) certificates used by Version Manager are set to expire:

 

  • vmserver, TrustedCertEntry, Valid from: Wed Jun 16 15:24:25 PDT 2010 until: Mon Jun 15 15:24:25 PDT 2015
    Certificate fingerprint (SHA1): 2F:FD:E5:CE:AE:18:55:C4:B3:79:D5:3F:CF:99:3F:0B:6E:D6:92:3C
     
  • sts, TrustedCertEntry, Valid from: Mon Jun 14 12:26:48 PDT 2010 until: Sat Jun 13 12:26:48 PDT 2015
    Certificate fingerprint (SHA1): 98:C7:D5:D9:61:7D:6F:24:BD:DD:85:A0:F2:79:7F:75:8E:E0:35:7F
     
  • gatekeeper, TrustedCertEntry, Valid from: Mon Jun 14 12:00:22 PDT 2010 until: Sat Jun 13 12:00:22 PDT 2015
    Certificate fingerprint (SHA1): 17:80:3B:F6:4D:47:74:C1:BC:B8:7E:81:F1:17:CC:F8:39:42:65:B4

 

Once the certificates have expired, you can no longer log in to Version Manager Project Databases using this SSO server, and you will receive errors similar to:
 
  • SSO/CAC Login Error: Connection exception using SSLCLIENTAUTHURL "http://ServerName:PortNum/idp/services/Trust": Authentication failed
  • SSO/CAC Login Error: Connection exception using SSLCLIENTAUTHURL "http://ServerName:PortNum/TokenService/services/Trust": Authentication failed
  • Error: Token issuer not allowed
  • Could not authenticate (Unable to connect via the server-side processing.

 

To continue using SSO after these expiration dates, the certificates must be replaced.
 
Please use the certtool utility from KB article S141200 to generate new certificates that are unique to your environment, which additionally enhances the security of your configuration compared to using default certificates.
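
To check a certificate listing against this alert, the following added example (not Serena's code and not part of the certtool utility) parses entries in the same layout as the listing above, flags any whose SHA1 fingerprint matches one of the three defaults, and reports expiry as of a given time. The `audit` function, the `mycert` entry with its fingerprint, the check date, and the assumption that your listing uses this exact layout are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# SHA1 fingerprints of the three default certificates, copied from the alert.
DEFAULT_FINGERPRINTS = {
    "2F:FD:E5:CE:AE:18:55:C4:B3:79:D5:3F:CF:99:3F:0B:6E:D6:92:3C": "vmserver",
    "98:C7:D5:D9:61:7D:6F:24:BD:DD:85:A0:F2:79:7F:75:8E:E0:35:7F": "sts",
    "17:80:3B:F6:4D:47:74:C1:BC:B8:7E:81:F1:17:CC:F8:39:42:65:B4": "gatekeeper",
}
# strptime does not resolve zone abbreviations portably, so map them by hand.
TZ_OFFSETS = {"PDT": -7, "PST": -8, "UTC": 0, "GMT": 0}
ENTRY_RE = re.compile(
    r"(?P<alias>[^\s,]+), \w+, Valid from: .*? until: "
    r"(?P<stamp>\w{3} \w{3} \d{1,2} [\d:]{8}) (?P<tz>[A-Z]+) (?P<year>\d{4})\s+"
    r"Certificate fingerprint \(SHA1\): (?P<fp>[0-9A-Fa-f:]{59})"
)

def audit(listing, now):
    """Return one dict per entry: alias, UTC expiry, days left, expired, is_default."""
    results = []
    for m in ENTRY_RE.finditer(listing):
        if m["tz"] not in TZ_OFFSETS:
            raise ValueError(f"unknown time zone {m['tz']!r} for alias {m['alias']}")
        naive = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        zone = timezone(timedelta(hours=TZ_OFFSETS[m["tz"]]))
        expires = naive.replace(tzinfo=zone).astimezone(timezone.utc)
        results.append({
            "alias": m["alias"],
            "expires_utc": expires,
            "days_left": (expires - now).days,  # floored; negative once past expiry
            "expired": expires <= now,
            "is_default": m["fp"].upper() in DEFAULT_FINGERPRINTS,
        })
    return results

# Constructed sample: two entries from the alert plus a hypothetical replacement.
SAMPLE = """\
vmserver, TrustedCertEntry, Valid from: Wed Jun 16 15:24:25 PDT 2010 until: Mon Jun 15 15:24:25 PDT 2015
  Certificate fingerprint (SHA1): 2F:FD:E5:CE:AE:18:55:C4:B3:79:D5:3F:CF:99:3F:0B:6E:D6:92:3C
sts, TrustedCertEntry, Valid from: Mon Jun 14 12:26:48 PDT 2010 until: Sat Jun 13 12:26:48 PDT 2015
  Certificate fingerprint (SHA1): 98:C7:D5:D9:61:7D:6F:24:BD:DD:85:A0:F2:79:7F:75:8E:E0:35:7F
mycert, TrustedCertEntry, Valid from: Fri Jun 12 09:00:00 PDT 2015 until: Mon Jun 09 09:00:00 PDT 2025
  Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

if __name__ == "__main__":
    for e in audit(SAMPLE, datetime(2015, 6, 14, tzinfo=timezone.utc)):  # constructed date
        state = "EXPIRED" if e["expired"] else f"{e['days_left']} day(s) left"
        print(e["alias"], e["expires_utc"].isoformat(), state, "DEFAULT" if e["is_default"] else "custom")
```

An entry reported as a default certificate should be replaced even if it has not yet expired, since the same certificate ships with every installation.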

 
