
DimCM: SSO: How to create standalone SSO certificates for Dimensions CM and establish a trust with the SSO Server



ID:    S140601
Published:    11 July 2014
Updated:    24 July 2014

Product(s)

  • Dimensions CM
  • Release Manager
  • SBM
 

Description

Dimensions CM can use either SBM or its own SSO Server for authenticating against an LDAP server with CAC enabled. This article documents the following:
 
1. Checking if SSO with CAC is enabled.
2. How to check the expiry date for an existing certificate.
3. Generating A New Certificate
4. Importing the newly generated certificate and establishing a trust with the SSO Server, either SBM or Dimensions CM.
 
If your Dimensions CM installation matches the conditions below and you attempt to log into the Dimensions CM Desktop Client, DMCLI, .NET or Eclipse, the error "PRG7700117E Error: Untrusted endorsing credentials" will occur if the certificates have expired.
 
Conditions are:
SSO with CAC is being used (either from SBM or CM)
Default Certificates are being used
 
Symptoms:
 
You will be unable to log on to the Dimensions CM Desktop Client and will get the authentication error "PRG7700117E Error: Untrusted endorsing credentials".
 

Resolution


1. Checking if SSO with CAC is enabled.
 
You will only see messages concerning certificate expiration if your Dimensions server is configured to use SSO with CAC.
The simplest way to check this is to look for the following variables in the Dimensions CM server dm.cfg file:
 
DM_AUTH_TYPE_DBS  SSO
SSO_SERVER_CERTIFICATE  %DM_DFS%cm.pem
 
If these two variables are present then SSO with CAC is in place.
 
2. How to check the expiry date for an existing certificate.
 
The expiry date of the certificate can be checked by performing the following:
 
  • Open a command prompt and browse to the <$DM_ROOT>\cm\prog directory and then run the following command: 
openssl x509 -in "<filename>" -text -noout
where <filename> is the name of the certificate file referenced by the SSO_SERVER_CERTIFICATE variable, for example:
openssl x509 -in "..\dfs\cm.pem" -text -noout
 
Running the above command will print details of the certificate; its "Validity" section shows the start ("Not Before") and end ("Not After") dates of the certificate.
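As an added example (not part of this KB article), the following Python script automates checks 1 and 2 above: it parses the dm.cfg variables the article names, resolves the %DM_DFS% reference to locate cm.pem, and turns the end date reported by openssl x509 into a days-remaining status so an expired certificate is caught before users hit PRG7700117E. The sample dm.cfg content, the 30-day warning threshold and the variable expansion rule are constructed assumptions; the openssl call assumes openssl is on the PATH.

```python
"""Added example (not from the Serena article): a pre-expiry check for the Dimensions CM
SSO certificate that follows steps 1 and 2 above (dm.cfg variables, then openssl x509)."""
import re
import subprocess
from datetime import datetime, timezone

SAMPLE_DM_CFG = r"""
# constructed sample of the relevant dm.cfg lines (NAME, whitespace, VALUE; %VAR% references)
DM_ROOT  C:\Program Files\Serena\Dimensions 12.2\CM\
DM_DFS  %DM_ROOT%dfs\
DM_AUTH_TYPE_DBS  SSO
SSO_SERVER_CERTIFICATE  %DM_DFS%cm.pem
"""
CFG_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s+(.*?)\s*$")

def parse_dm_cfg(text):
    """Return dm.cfg variables as a dict, expanding %VAR% references to earlier definitions (assumed rule)."""
    cfg = {}
    for line in text.splitlines():
        m = CFG_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        name, value = m.groups()
        cfg[name] = re.sub(r"%(\w+)%", lambda r: cfg.get(r.group(1), r.group(0)), value)
    return cfg

def sso_cac_enabled(cfg):
    """The article's test: DM_AUTH_TYPE_DBS is SSO and SSO_SERVER_CERTIFICATE is set."""
    return cfg.get("DM_AUTH_TYPE_DBS", "").upper() == "SSO" and "SSO_SERVER_CERTIFICATE" in cfg

def parse_openssl_time(stamp):
    """Parse the time format openssl prints, e.g. 'Jul 24 12:00:00 2019 GMT' (day may be space-padded)."""
    return datetime.strptime(stamp.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_until_expiry(not_after_line, now):
    """Whole days left, given the 'notAfter=...' line from `openssl x509 -enddate -noout`."""
    return (parse_openssl_time(not_after_line.split("=", 1)[1]) - now).days

def certificate_status(cfg, not_after_line, now, warn_days=30):
    """'not-sso' (certificate not in use), 'expired', 'expiring' (within warn_days) or 'ok'."""
    if not sso_cac_enabled(cfg):
        return "not-sso"
    days = days_until_expiry(not_after_line, now)
    return "expired" if days < 0 else "expiring" if days <= warn_days else "ok"

def openssl_not_after(pem_path):
    """Run the same openssl x509 the article uses, restricted to the certificate's end date."""
    return subprocess.run(["openssl", "x509", "-in", pem_path, "-enddate", "-noout"],
                          capture_output=True, text=True, check=True).stdout.strip()
```

On a live server, pass the text of dm.cfg to parse_dm_cfg, feed cfg["SSO_SERVER_CERTIFICATE"] to openssl_not_after, and hand that line to certificate_status with datetime.now(timezone.utc).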
 
3. Generating A New Certificate
 
The commands below will issue prompts for various values that are required to generate the certificate and associated keys. This information will be unique to your environment, and it is assumed that appropriate information is already known and ready for entry when prompted.
 
Note:  Using the PEM pass phrase or password of serena is recommended but not necessary; if you change it, you will need to modify the SSO_SERVER_PRIVATE_KEY_PASSWORD variable in the dm.cfg file accordingly.
 
  • Make a backup copy of the following files:
<$DM_ROOT>\cm\dfs\cm.pem
<$TOMCAT>\webapps\TokenService\WEB-INF\conf\truststore.jks
OR
<SBM_Install>\common\jboss405\server\default\deploy\idp.war\WEB-INF\conf\truststore.jks
OR
<SBM_Install>\common\jboss405\server\default\deploy\TokenService.war\WEB-INF\conf\truststore.jks
  • Open a command prompt and go to the <$DM_ROOT>\cm\prog directory.
  • For Windows environments, run the following command:
set OPENSSL_CONF=C:\Program Files\Serena\Dimensions 12.2\CM\prog\openssl.cnf
  • Verify that the above is set by running the set command and looking for the variable.
  • Now, let's create the new pem files.
openssl req -config openssl.cnf -newkey rsa:2048 -sha1 -keyout serverkey.pem -out serverreq.pem -days 1825
openssl x509 -req -in serverreq.pem -sha1 -extensions v3_ca -signkey serverkey.pem -out servercert.pem -days 1825
  • For UNIX:
cat servercert.pem serverkey.pem > cm.pem
openssl x509 -subject -issuer -noout -in cm.pem
  • For Windows:
copy /b servercert.pem + serverkey.pem cm.pem
openssl x509 -subject -issuer -noout -in cm.pem
  • The above steps create the following 4 pem files, valid for 5 years:
cm.pem
serverkey.pem
serverreq.pem
servercert.pem
  • Now, take the 4 files and copy them into a directory, such as C:\temp\certs.
  • Copy the cm.pem to the <$DM_ROOT>\cm\dfs directory.
 
4. Importing the new certificate into the SSO Server, either SBM or Dimensions CM.
 
The next set of steps is similar for both the SBM and Dimensions SSO Server with the paths being different.  Paths are as follows:
 
  • Dimensions SSO Server
 <$TOMCAT>\webapps\TokenService\WEB-INF\conf
 <$DM_ROOT>\common tools\jre\6.0\bin
  • SBM SSO Server
 <SBM Install directories>\Common\jboss405\server\default\deploy\idp.war\WEB-INF\conf
 <SBM Install directories>\Common\jboss405\server\default\deploy\TokenService.war\WEB-INF\conf
 <SBM Install directories>\Common\jdk1.7\bin
Note:  The jdk portion of the directory will vary according to your SBM release e.g. jdk1.7.  In addition, the idp.war directory and TokenService.war directories will vary according to your SBM release.
 
The password for the truststore.jks by default is changeit.
 
For Dimensions CM Server:
  • Open a new command prompt window and browse to the <$DM_ROOT>\Common Tools\jre\6.0\bin directory. 
    • Verify that the keytool command resides in this directory by running the following:
keytool
This will provide a list of commands.
  • Now, run the following commands, with the keystore password being changeit:
keytool -delete -keystore "C:\Program Files\Serena\Dimensions 12.2\Common Tools\tomcat\6.0\webapps\TokenService\WEB-INF\conf\truststore.jks" -alias cmserver
keytool -import -keystore "C:\Program Files\Serena\Dimensions 12.2\Common Tools\tomcat\6.0\webapps\TokenService\WEB-INF\conf\truststore.jks" -file "C:\temp\certs\servercert.pem" -alias cmserver
  • When done, you will then need to stop and restart the Dimensions CM Listener and Common Tomcat services.

 

For SBM SSO Server:
  • If the SBM SSO Server is on another server, copy the C:\temp\certs\servercert.pem file from the Dimensions CM Server to the SBM Server and note its location.
    • For example, on the SBM SSO Server, copy the file to C:\temp\DimCerts.
  • Open a new command prompt window and browse to the <SBM_Install>\Common\jdk1.7\bin directory. 
    • Verify that the keytool command resides in this directory by running the following:
keytool
This will provide a list of commands.
  • Now, run the following commands, with the keystore password being changeit:
keytool -delete -keystore "C:\Program Files\Serena\SBM\Common\jboss405\server\default\deploy\idp.war\WEB-INF\conf\truststore.jks" -alias cmserver
keytool -import -keystore "C:\Program Files\Serena\SBM\Common\jboss405\server\default\deploy\idp.war\WEB-INF\conf\truststore.jks" -file "C:\temp\DimCerts\servercert.pem" -alias cmserver
  • When done, you will need to stop and restart the Serena Common JBoss Server (please refer to the SBM documentation for details on how to do this) as well as the Dimensions CM Listener and Common Tomcat services.

 

Applies To

Dimensions CM 12.2.2
