Central Governance 1.1.3 Users Guide

If CAs change after Transfer CFT registration

After registering Transfer CFTs in Central Governance, changing any of the Central Governance certificate authorities requires resubmitting certificates:

1. Transfer CFT Copilot requests a new SSL certificate signed by the new CA.
2. Central Governance sends the requested certificate to Copilot.

See CA services and Manage Sentinel keystore updates for more information.

Certificate requirements

The certificate requirements for new Business and Governance CAs are as follows:

- You must use the same password for file protection and the private key.
- The CA must contain the following extensions:
  X509v3 Basic Constraints: CA:TRUE
  X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
  Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA
- If you use chain certificates, the JKS certificate file should contain the full chain.

It is recommended that you obtain intermediate certificate authorities from a valid certificate provider. Alternatively, you can use self-signed certificate authorities managed by your organization.

Note: If the new Governance CA is issued by the same certificate authority (CA), verify that the new Governance CA serial number is different from the previous one. Otherwise, the new Governance CA might not be deployed on previously registered Transfer CFTs.

Governance CA

Changing the governance CA affects registered Transfer CFTs. You must import the new CA in Transfer CFT and schedule the certificate registration.
Transfer CFT 3.1.2

For Transfer CFT 3.1.2, stop Copilot and Transfer CFT and do the following:

1. Replace the PassPort CA by running the following Transfer CFT command:
   PKIUTIL PKICER ID = 'PassPortCA', ROOTCID = 'PassPortCA', ITYPE = 'ROOT', INAME = '<GovernanceCACertificateFile>', IFORM = 'DER', MODE = 'REPLACE'
2. Trigger the certificate registration by resetting cg.registration_id to -1 with the following command:
   CFTUTIL UCONFSET ID=cg.registration_id, VALUE=-1
3. Restart Copilot.

Transfer CFT 3.1.3

For Transfer CFT 3.1.3, import the new CA by doing one of the following:

- Configure the CA by setting the CA Certificate using the Transfer CFT installer in configure mode. You must stop Copilot and Transfer CFT before starting the installer in configure mode. To start the installer in configure mode, run the configure command in the Transfer CFT installation directory.

or

- If you do not want to stop Transfer CFT, use the following commands:
  PKIUTIL PKICER ID = '<CG CA new alias>', ROOTCID = '<CG CA new alias>', ITYPE = 'ROOT', INAME = '<GovernanceCACertificateFile>', IFORM = 'DER', MODE = 'CREATE'
  CFTUTIL UCONFSET ID=cg.ca_cert_id, VALUE='<CG CA alias>,<CG CA new alias>'

Then set the parameter cg.certificate.governance.renewal_datetime (format: YYYYMMDDHHMMSS + GMT) to schedule the request at the first heartbeat after the specified date and time. The heartbeat interval is specified in seconds in the cg.periodicity parameter (default value 600). For example, to schedule the certificate request to start on December 23, 2014, at 14:30:00 + GMT, run the following command:

CFTUTIL UCONFSET ID=cg.certificate.governance.renewal_datetime, VALUE=20141223143000

Transfer CFT becomes unreachable until the new certificate is received.

3.2.4 SP4 P2 or 3.3.2 SP4 and higher

As of Transfer CFT 3.2.4 SP4 P2 or 3.3.2 SP4 and higher, you can use the REST API with the certificate renewal procedure to update the new Governance CA on all Transfer CFTs.
See also Renew Central Governance CAs.

Update the Governance CA on Sentinel

If the Governance CA changes, you must manually update the following files on Sentinel to include the public certificate for the new Governance CA:

Sentinel uses...       Keystore to update           Path to truststore
Default certificates   truststoreSSO.jks            <Sentinel dir>/Sentinel/conf/security/truststoreSSO.jks
                       truststorePassport.jks       <Sentinel dir>/Sentinel/conf/security/truststorePassport.jks
Custom certificates    custom SSL truststore        <Sentinel dir>/Sentinel/conf/trkserver.xml
                       custom PassPort truststore

1. Export the public certificate for the new Governance CA:
   keytool -exportcert -alias <Gov_CA_alias> -file New_gov_CA.cer -keystore <path to governance CA jks>
   Enter the Governance CA password.
2. Import the public certificate for the Governance CA into the Sentinel SSL truststore:
   keytool -import -file New_gov_CA.cer -alias New_Gov_CA -keystore <path to SSL truststore>
   Enter the SSL truststore password. Enter Yes when prompted to trust the certificate.
3. Import the public certificate for the Governance CA into the Sentinel PassPort truststore:
   keytool -import -file New_gov_CA.cer -alias New_Gov_CA -keystore <path to truststore PassPort>
   Enter the PassPort truststore password. Enter Yes when prompted to trust the certificate.

Business CA

If the business CA is changed, a new business SSL certificate can be requested. The new certificate is signed by the new CA and used in secured flows. Schedule a new certificate request starting at the time specified in the Transfer CFT parameter cg.certificate.business.renewal_datetime (format: YYYYMMDDHHMMSS + GMT). Make sure the new business CA is known by all Transfer CFT flow partners before the certificate is renewed.
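Before importing a new Governance or Business CA with the procedures above, it is worth checking the certificate file against the extension list under Certificate requirements and the serial-number note. The following is an added example written for this page, not code from the Central Governance guide; it assumes the openssl command-line tool is installed, accepts PEM or DER input, and builds its own constructed test CA (the file names and CN are placeholders).

```shell
# Added example, not code from the Central Governance guide: checks a candidate
# Governance/Business CA certificate (PEM or DER) for the extensions the guide
# requires and confirms its serial differs from the CA already deployed.
# Assumes the openssl CLI; the test CA built below is a constructed sample.

# Print PEM or DER depending on how the certificate file in $1 is encoded.
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Return 0 only if $1 carries CA:TRUE, the three key usages and the Netscape CA types.
check_ca_extensions() {
    txt=$(openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -text) || return 1
    for want in 'CA:TRUE' 'Digital Signature' 'Certificate Sign' 'CRL Sign' \
                'SSL CA' 'S/MIME CA' 'Object Signing CA'; do
        printf '%s\n' "$txt" | grep -q "$want" || { echo "missing extension value: $want" >&2; return 1; }
    done
    return 0
}

# Return 0 only if the serial of the new CA ($1) differs from the old CA ($2);
# an identical serial is the case the guide's note warns about.
check_serial_differs() {
    new=$(openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -serial) || return 1
    old=$(openssl x509 -in "$2" -inform "$(cert_inform "$2")" -noout -serial) || return 1
    [ "$new" != "$old" ]
}

# Constructed sample: write a self-signed test CA (PEM) to $1 with serial $2.
# With $3 = weak, the key usage and Netscape extensions are left out on purpose.
make_test_ca() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Constructed test governance CA
[ext]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    [ "$3" = weak ] || printf 'keyUsage = critical, digitalSignature, keyCertSign, cRLSign\nnsCertType = sslCA, emailCA, objCA\n' >> "$cfg"
    openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days 1 -set_serial "$2" 2>/dev/null || { rm -f "$cfg"; return 1; }
    rm -f "$cfg"
}
```

Run check_ca_extensions and check_serial_differs against the real <GovernanceCACertificateFile> and the CA currently referenced by cg.ca_cert_id; the DER form produced by keytool -exportcert is accepted directly.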