Signiant Support

Tasks to perform when using Comodo certificates in order that agents can still renew certificates


Synopsis
Signiant works with the certificate authority Comodo to supply globally recognized certificates to the web servers running on Signiant managers. Although the focus is to import the certificates into the manager's web server, it is important to ensure that the Agents also have the correct certificates imported. If the certificates are not imported into the agent, agent certificates will fail to renew once expired and new agent installs will fail at the certificate signing step. If certificates are not renewed on the agents, this can result in an outage where no data transfer can take place.

This article covers the steps needed to import the Comodo certificate into the agents. These steps should be performed immediately following the import of the Comodo certificate(s) into the manager web server.

 


Resolution

If the agent is already installed....
 
For installed agents (agents that were installed before the Comodo certificate was imported into the Signiant manager), the Comodo root certificate will need to be imported into the agent(s) to allow them to renew their certificates at expiry time.

To import the Comodo root certificate into the agent(s), please follow the steps below that apply to the version of the Signiant manager you have installed.

 
For Signiant 8.1, 8.2+ agents and later:   
  • Log into the Manager
  • Go to: Administration > Agents > Configure
  • Highlight the Agent into which you wish to import the Comodo certificate and click Edit
  • Select the "Trusted CA" tab
    • If you have an 8.1 Manager, you will not have a Trusted CA tab; click on Certificate Authorities instead
  • Click Add
  • Select the AddTrust External CA Root certificate authority (this is the Comodo root certificate)
  • Click Apply.
  • Click OK
 
 


Configuring for new agent installs..... 
 

On a new agent install, the certificate request cannot be signed if the agent does not have the Comodo root certificate in the sigsetup.inf file. During the install, the agent will contact the manager and present the certificates within the sigsetup.inf file for signing. If the Comodo Root certificate is missing from the inf file, the certificate signing will fail resulting in an agent installation error.

To ensure that this does not occur, please follow the steps below to add the Comodo root certificate into the sigsetup.inf file.
 
  • Locate and open the sigsetup.inf file on your manager with a text editor of your choice.
    • Depending on which version of Signiant you have installed, you can find the sigsetup.inf file in the following directory:
      <signiant_install_dir>/3rdparty/jboss/server/default/deploy/signiant.war/secure/hosts/
       
 
  • The sigsetup.inf file should already contain at least one certificate. Each certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
  • Copy the contents of the "AddTrustExternalCARoot.crt" certificate sent by Comodo and paste it under the last -----END CERTIFICATE----- line
  • Save and close the file.
  • Once this is complete, the sigsetup.inf file will include the Comodo root certificate for agents at install time. This certificate will also be imported into the agent, meaning there is no manual step to be done post-install. Please note, though, that editing the sigsetup.inf file only affects agents subsequently installed using that file. It does NOT affect any agents already installed.
Note, editing the sigsetup.inf file will only need to be done once.


If the manager has an alias...

If the manager has an alias, then a Comodo certificate can be signed for the manager's alias name rather than the actual host name. However, the following changes MUST be performed on the manager and agents to ensure that agents are able to renew their certificates:

On the manager:
  • Change the "certificateAuthorityUrl" and "crlUrl" values in the sigsetup.inf file from the manager's host name to the alias name.

    certificateAuthorityUrl=https://<manager_host_name>:443/signiant/certSignProcess.jsp
    crlUrl=https://<manager_host_name>:443/signiant/remote/certRevocationList.jsp

    Change to

    certificateAuthorityUrl=https://<manager_Alias_name>:443/signiant/certSignProcess.jsp
    crlUrl=https://<manager_Alias_name>:443/signiant/remote/certRevocationList.jsp


Note: In all versions previous to 9.2 these values will be overwritten when the manager is upgraded. Make sure that these values are updated after each upgrade.

On the agent:
  • The agent's CA URL will need to be configured to use the manager's alias name. Please run the following commands to make the changes:

    From the <signiant_install>\bin directory, run the following commands:
    1. Type dds_admin and press Enter
    2. set CAURL <enter the certificateAuthorityUrl>*
    3. Press Enter (You will see the message Done if this was done correctly)
    4. set crlUrl <enter the crlUrl>*
    5. Press Enter
    6. Exit by typing Quit
* Important: Please make sure that the <certificateAuthorityUrl> & <crlUrl> in steps 2 and 4 are a copy of the values entered in the sigsetup.inf file changed on the manager.

To confirm that the changes have been made, you can use any text editor to open the ddspkg file found in the <signiant_install>\security folder and check that the first two lines of the file have the correct values.
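
The two sigsetup.inf edits described above (appending the Comodo root certificate, and pointing both URLs at the alias) can be checked with a short script. This is an added example, not Signiant code: it compares certificate blocks by the SHA-256 of their decoded bodies and assumes the URL settings appear as key=value lines as shown in this article; the host names and certificate blocks are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
URL_KEYS = ("certificateAuthorityUrl", "crlUrl")  # key names from the article


def pem_fingerprints(text):
    """SHA-256 of the decoded body of every PEM certificate block in text."""
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(text)]


def audit_sigsetup(inf_text, root_pem, expected_host):
    """Report whether the root is present and both URLs use expected_host."""
    root = pem_fingerprints(root_pem)
    if len(root) != 1:
        raise ValueError("root file must hold exactly one certificate")
    found = pem_fingerprints(inf_text)
    hosts = {}
    for line in inf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in URL_KEYS:
            hosts[key] = urlsplit(value.strip()).hostname
    wrong = sorted(k for k in URL_KEYS
                   if (hosts.get(k) or "") != expected_host.lower())
    return {"certs": len(found), "root_present": root[0] in found,
            "wrong_urls": wrong}


def make_pem(raw):  # builds a constructed placeholder, not a real certificate
    b64 = base64.encodebytes(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data: crlUrl still points at the host name, root missing.
ROOT = make_pem(b"constructed-root-ca" * 8)
SAMPLE_INF = (
    "certificateAuthorityUrl=https://mgr-alias.example.com:443/signiant/certSignProcess.jsp\n"
    "crlUrl=https://mgr-host.example.com:443/signiant/remote/certRevocationList.jsp\n"
    + make_pem(b"constructed-manager-ca" * 8))

if __name__ == "__main__":
    print(audit_sigsetup(SAMPLE_INF, ROOT, "mgr-alias.example.com"))
    print(audit_sigsetup(SAMPLE_INF + ROOT, ROOT, "mgr-alias.example.com"))
```

For real use, pass the text of sigsetup.inf and of AddTrustExternalCARoot.crt; an empty wrong_urls list together with root_present set to True means both edits are in place.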