Solutions

SBM 10.1.1.4+ and SBM 11.x: How to generate new signed certificate trust keys for SBM and copy them to additional servers as needed (Generating SSO certificates)



ID:    S142197
Published:    29 June 2017
Updated:    12 June 2020

Operating System(s)

  • All Windows

Product(s)

  • SBM
 

Description

IMPORTANT: This article applies to SBM 10.1.1.4+ and SBM 11.x. For SBM 10.1 - 10.1.1.3, see KB S139077. For SBM 2009 R4 (or older), see KB S137884

 

SBM is installed with sample SSO certificates. These certificates are used internally by SBM irrelevant of whether SSO is used to manage user sessions. If the certificates expire, users may see the following error after attempting to login:

  Failed to verify signature

Also, prior to the certificates expiring, you will be getting warnings similar to these in Configurator:

The 'Serena SSO IdP' certificate that is used by SSO STS expires in 2 month(s). You must update this certificate before it expires.
The 'Serena SSO IdP Login UI' certificate that is used by SSO Federation Server expires in 2 month(s). You must update this certificate before it expires.
The 'Serena SSO Gatekeeper' certificate that is used by SSO Gatekeeper expires in 2 month(s). You must update this certificate before it expires.

You can verify your certificates by looking in SBM Configurator on the Security screen:

 

Resolution

To fix the problem and properly secure your system, you must generate new SSO trust key pairs by following these instructions, depending on your installation type:

 

Standalone Server Installation

Follow these instructions if ALL of the following are true:

  • All components are installed on one server

  • The server is not sharing a Repository with any other server.

 

The steps for a standalone server installation are as follows:

  1. Open Configurator, and go to Security.
  2. On the Secure SBM tab, click "Generate All"
  3. Apply the changes.
  4. If other applications are using this SBM server for single-sign on, read the "Integrations" section at the bottom of this document.

 

Multi-Server Installation (Most Common Setup)

Follow these instructions if EITHER of the following are true:

  • SBM components are installed across multiple servers (e.g. Application Engine and Notification Server are installed on separate servers)
    -- OR --

  • There are multiple servers sharing a single Repository.

 

The steps for a multi-server installation are as follows:

  1. Open Configurator on any one of the servers, and go to Security.
  2. On the Secure SBM tab, click "Generate All".
  3. Apply the changes.
  4. Still on the Secure SBM tab, click "Export All". This will export the new certificates to a .zip file. Chose a location for the file.
  5. When prompted, enter a password for the keystores. The default password is "changeit".
  6. Copy the .zip file to the second server.
  7. On the second server, open Configurator and go to Security.
  8. On the Secure SBM tab, click "Import All". Select the .zip file that was copied from the first server.
  9. When prompted, enter the same password used earlier.
  10. Apply the changes.
  11. Repeat until all servers have been updated with the new certificates.
  12. If other applications are using any of the SBM servers for single-sign on, read the "Integrations" section at the bottom of this document.

 

Integrations with other Serena applications:

If SBM is being used as the single-sign on (SSO) engine for any other Serena applications, the new certificate will need to be loaded into those applications. Below are links to those steps.

  • Dimensions CM: Instructions are located KB S138538. Because you have already generated the new certificates for SBM you can skip the first bullet of step 1. 
  • Version Manager (PVCS): Instructions can be found in  KB S141200 
  • Dimensions RM: Instructions can be found in solution S138916.
  • Deployment Automation (DA):Instructions can be found in solution S140637.

Rate this Solution

Find Answers

Type a question or describe what you are looking for below

My Recent Searches

Welcome kb sso

Additional Assistance

  • Submit a Case Online
  • FAQs