Solutions

DimCM: SSO: How to create standalone SSO certificates for Dimensions CM and establish a trust with the SSO Server



ID:    S142681
Published:    07 September 2018
Updated:    18 September 2018

Product(s)

  • Dimensions CM
 

Description

In some cases, the cm.pem file may need to be replaced if using Dimensions CM SSO Server.  This file is what authorizes the Desktop Client to access the Dimensions Server.

  

This document is for Dimensions CM 14.x and later versions and/or SBM 11.3.x. SBM 11.4 does contain a newer cm.pem file which may need to be applied to the Dimensions CM Server. If using older versions of Dimensions CM, please see Knowledgebase Solution S140601.
Dimensions CM can use either SBM or its own SSO Server for authenticating against an LDAP server with or without CAC/Smart Cards enabled. This article documents the following:
 
1. Checking if SSO is enabled.
2. How to check the expiry date for an existing certificate.
3. Generating A New Certificate
4. Importing the newly generated certificate and establishing a trust with the SSO Server, either SBM or Dimensions CM.
 
If your Dimensions CM installation matches the below conditions and you are attempting to log into the Dimensions CM Desktop Client, DMCLI, .NET or Eclipse, an error of 
"PRG7700117E Error: Untrusted endorsing credentials" will occur if the certificates are expired.
 
Conditions are:
SSO Server with or without CAC/SmartCard is being used (either from SBM or CM)
Default Certificates are being used
 
Symptoms:
 
You will be unable to log on to the Dimensions CM Desktop Client and will get an authentication error "PRG7700117E Error: Untrusted endorsing credentials".
 

Resolution

1. Checking if SSO with CAC is enabled.
 
You will only see messages concerning certificate expiration if your Dimensions server is configured to use SSO.

The simplest way to check this is to look for the following variables in the Dimensions CM server dm.cfg file.

 
DM_AUTH_TYPE_DBS  SSO
SSO_SERVER_CERTIFICATE  %DM_DFS%cm.pem

 
If these two variables are present then SSO is in place. 
 
2. How to check the expiry date for an existing certificate.
 
The expiry date of the certificate can be checked by performing the following:
 
Open a command prompt and browse to the <$DM_ROOT>\cm\prog directory and then run the following command: 

 openssl x509 -in "<filename>" -text -noout

where <filename> is the name of the certificate file referenced by the SSO_SERVER_CERTIFICATE variable, for example:

 openssl x509 -in "..\dfs\cm.pem" -text -noout
 
Running the above command will produce output concerning the certificate. The "Validity" section of the output shows the begin ("Not Before") and end ("Not After") dates of the certificate.
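The checks from sections 1 and 2 can be combined into one pre-flight script. This is an added example, not vendor code: the function names are hypothetical, and it assumes that %DM_DFS% stands for the dfs directory (passed in by the caller) and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for sections 1 and 2.

# Print the value of a dm.cfg variable; name and value are whitespace-separated.
cfg_value() {  # cfg_value <dm.cfg> <NAME>
    awk -v k="$2" '$1 == k && NF > 1 {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$1"
}

# Succeed only if both variables named in section 1 are present.
sso_enabled() {  # sso_enabled <dm.cfg>
    [ "$(cfg_value "$1" DM_AUTH_TYPE_DBS)" = "SSO" ] &&
        [ -n "$(cfg_value "$1" SSO_SERVER_CERTIFICATE)" ]
}

# Resolve the certificate path. Assumption: %DM_DFS% stands for the dfs
# directory, which the caller passes in explicitly.
cert_path() {  # cert_path <dm.cfg> <dfs-dir>
    v=$(cfg_value "$1" SSO_SERVER_CERTIFICATE); p='%DM_DFS%'
    case "$v" in
        "$p"*) rest=${v#"$p"}; printf '%s/%s\n' "${2%/}" "$rest" ;;
        *)     printf '%s\n' "$v" ;;
    esac
}

# Exit 0 if the certificate is still valid <days> from now, 1 otherwise.
valid_for_days() {  # valid_for_days <pem> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

preflight() {  # preflight <dm.cfg> <dfs-dir> [days]
    sso_enabled "$1" || { echo "SSO is not configured in $1"; return 0; }
    pem=$(cert_path "$1" "$2")
    openssl x509 -in "$pem" -noout -subject -enddate || return 2
    if valid_for_days "$pem" "${3:-30}"; then
        echo "OK: valid for at least ${3:-30} more days"
    else
        echo "RENEW: $pem expires within ${3:-30} days or has expired"
        return 1
    fi
}

# Runs only when called with arguments: <dm.cfg> <dfs-dir> [days]
[ "$#" -eq 0 ] || preflight "$@"
```

Scheduling this with a threshold of 30 to 60 days gives warning before clients start failing with PRG7700117E.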

3.  Paths

The installation path for Dimensions CM 14.x can differ depending on the version installed.  The default installation paths for the various versions are as follows:

Dimensions CM 14.1.x and 14.2.x
 For the Dimensions installation:
   C:\Program Files\Serena\Dimensions 14.1\cm
   C:\Program Files\Serena\Dimensions 14.2\cm
 For Tomcat:
   C:\Program Files\Serena\common\Tomcat\7.0\
Dimensions CM 14.3.x
 For the Dimensions installation:
   C:\Program Files\Serena\Dimensions 14.3\cm
 For Tomcat:
   C:\Program Files\Serena\common\Tomcat\8.0\
Dimensions CM 14.4.x
 For the Dimensions installation:
   C:\Program Files\Micro Focus\Dimensions 14.4\cm
 For Tomcat:
   C:\Program Files\Micro Focus\common\Tomcat\8.5\
 For JRE for use with Tomcat:
   C:\Program Files\Micro Focus\common\jre\8.0\

4. Generating A New Certificate
 
The commands below will issue prompts for various values that are required to generate the certificate and associated keys. This information will be unique to your environment, and it is assumed that appropriate information is already known and ready for entry when prompted.
 
Note:  Using the PEM pass phrase or password of serena is recommended but not necessary; if you change it, you will need to update the SSO_SERVER_PRIVATE_KEY_PASSWORD variable in the dm.cfg file accordingly.
 
• Make a backup copy of the following files:

  <$DM_ROOT>\cm\dfs\cm.pem

  <$TOMCAT>\webapps\TokenService\WEB-INF\conf\truststore.jks
 OR
  <$TOMCAT>\webapps\IDP\WEB-INF\conf\truststore.jks

Open a command prompt and go to the <$DM_ROOT>\cm\prog directory.
• For Windows environments, run the following commands:
 Note:  Where 14.x is the version of Dimensions CM you are using, for instance, 14.1, 14.2, or 14.3.

set OPENSSL_CONF=C:\Program Files\Serena\Dimensions 14.x\CM\prog\openssl.cnf

 OR

 set OPENSSL_CONF=C:\Program Files\Micro Focus\Dimensions 14.4\CM\prog\openssl.cnf

• Verify that the above is set by running the set command and looking for the variable.
• Now, let's create the new pem files.

  openssl req -config openssl.cnf -newkey rsa:2048 -sha1 -keyout serverkey.pem -out serverreq.pem -days 1825
  openssl x509 -req -in serverreq.pem -sha1 -extensions v3_ca -signkey serverkey.pem -out servercert.pem -days 1825

• For UNIX:

  cat servercert.pem > cm.pem
  cat servercert.pem serverkey.pem > server.pem
  openssl x509 -subject -issuer -noout -in server.pem

• For Windows:

  copy /b servercert.pem cm.pem
  copy /b servercert.pem + serverkey.pem server.pem
  openssl x509 -subject -issuer -noout -in server.pem

•  The above steps will create the following 5 new pem files; the certificate will be valid for 5 years:

  cm.pem
  server.pem
  serverkey.pem
  serverreq.pem
  servercert.pem

• Now, take the 5 files and copy them into a directory, such as C:\temp\certs.
• Copy the cm.pem to the <$DM_ROOT>\cm\dfs directory.
 
5. Importing the new certificate into the SSO Server, either SBM or Dimensions CM.
 
Dimensions CM SSO Server.

For a Dimensions CM SSO Server, the paths are as follows:
• Dimensions SSO Server

   <$TOMCAT>\webapps\TokenService\WEB-INF\conf
   <$DM_ROOT>\common tools\jre\6.0\bin

 OR

  <$TOMCAT>\webapps\idp\WEB-INF\conf
  <$DM_Install directory>\common\jre\8.0\bin
 
The password for the truststore.jks by default is changeit.
 
• Open a new command prompt window and browse to the <$DM_ROOT>\Common \jre\x.0\bin directory. 
o Verify that the keytool command resides in this directory by running the following:

keytool

This will provide a list of commands.
• Now, run the following commands, with the keystore password being changeit: 

  keytool -delete -keystore "C:\Program Files\Micro Focus\Dimensions 14.4\Common\tomcat\8.0\webapps\idp\WEB-INF\conf\truststore.jks" -alias cmserver

  keytool -import -keystore "C:\Program Files\Micro Focus\Dimensions 14.4\Common\tomcat\8.0\webapps\idp\WEB-INF\conf\truststore.jks" -file "C:\temp\certs\servercert.pem" -alias cmserver

• When done, you will then need to stop and restart the Dimensions CM Listener and Common Tomcat services.
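
Before restarting the services, the result of sections 4 and 5 can be verified: cm.pem should hold the certificate only (section 4 builds it from servercert.pem alone, while server.pem also carries the private key), and the cmserver alias in truststore.jks should hold that same certificate. This is an added example, not vendor code; the function names are hypothetical, and it assumes openssl and keytool are on the PATH and uses the default alias and truststore password given in this article.

```shell
#!/bin/sh
# Added example (not vendor code): post-install checks for sections 4 and 5.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {  # cert_fp <pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed if the file contains a private key block (plain or encrypted).
has_private_key() {  # has_private_key <pem>
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Fingerprint of the certificate stored under <alias> in a JKS truststore.
truststore_fp() {  # truststore_fp <truststore.jks> <alias> <storepass>
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cm.pem is the file that gets copied around: certificate only, same as servercert.pem.
check_public_copy() {  # check_public_copy <cm.pem> <servercert.pem>
    if has_private_key "$1"; then
        echo "FAIL: $1 contains a private key (was server.pem copied instead?)"
        return 1
    fi
    a=$(cert_fp "$1"); b=$(cert_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ] || { echo "FAIL: $1 does not match $2"; return 1; }
}

# The SSO server truststore must hold the same certificate under the alias.
check_trust() {  # check_trust <cm.pem> <truststore.jks> [alias] [storepass]
    a=$(cert_fp "$1"); b=$(truststore_fp "$2" "${3:-cmserver}" "${4:-changeit}")
    [ -n "$a" ] && [ "$a" = "$b" ] ||
        { echo "FAIL: alias ${3:-cmserver} in $2 is not the certificate in $1"; return 1; }
}

verify() {  # verify <cm.pem> <servercert.pem> <truststore.jks>
    check_public_copy "$1" "$2" && check_trust "$1" "$3" && echo "OK: trust established"
}

# Runs only when called with arguments: <cm.pem> <servercert.pem> <truststore.jks>
[ "$#" -eq 0 ] || verify "$@"
```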

 

SBM SSO Server:

• If the SBM SSO Server is on another server, copy the C:\temp\certs\cm.pem file from the Dimensions CM Server to the SBM Server and note its location. 
o For example, on the SBM SSO Server, copy the file to C:\temp\DimCerts. 

 
Within the SBM Configurator, go to Security > Secure Integrations.  Select Dimensions CM from the Select an Integration pull down menu.
Then using the links for the Trusted Certificate, select Import Certificate and then browse to the cm.pem file location to import.
When done, you will need to stop and restart the Serena Common JBoss or Tomcat Server (please refer to the SBM documentation for details on how to do this) as well as the Dimensions CM Listener and Micro Focus Common Tomcat services.

Applies To

Dimensions CM 14.x
