Introduction
If certificates are applied incorrectly, FAS can be prevented from starting. This can happen in the following cases:
- If you import certificates with incorrect passwords.
- If you import certificates with incorrect keys.
- If you import certificates that were not generated via the JBoss console.
Problem
Once these certificates are imported into the keystore, FAS can then fail to start.
Resolution
This resolution will regenerate and overwrite ALL certificates in the FAS keystores and truststores.
PLEASE BACK UP YOUR KEYSTORES!!!
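One way to take that backup and verify it before anything is overwritten, as an added example that is not part of the original article or of the trustmgmt_utils package. The function name backup_keystores, the file-name patterns (*.jks, *.keystore, *.truststore) and the backup location are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not part of trustmgmt_utils.
# Assumptions: keystores match the file-name patterns below, and the
# backup directory lies outside the FAS installation directory.
# Hypothetical usage:
#   sh backup-keystores.sh /opt/cba/FAS-2.1.17 /root/fas-keystore-backup

# backup_keystores SRC DEST
# Returns 0 on a verified backup, 1 if nothing matched, 2 on bad
# arguments, 3 if a copy or the checksum verification failed.
backup_keystores() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    src=$(cd "$src" && pwd) || return 2
    mkdir -p "$dest" || return 2
    dest=$(cd "$dest" && pwd) || return 2
    case "$dest/" in
        "$src"/*) echo "backup dir must be outside $src" >&2; return 2 ;;
    esac
    chmod 700 "$dest"            # keystores hold private keys
    : > "$dest/SHA256SUMS"

    # Copy each match, keeping mode and timestamps, and record the
    # checksum of the ORIGINAL file (paths relative to SRC).
    ( cd "$src" && find . -type f \
        \( -name '*.jks' -o -name '*.keystore' -o -name '*.truststore' \) \
        -exec sh -c '
            dest=$1; shift
            for f in "$@"; do
                mkdir -p "$dest/$(dirname "$f")" || exit 1
                cp -p "$f" "$dest/$f" || exit 1
                sha256sum "$f" >> "$dest/SHA256SUMS" || exit 1
            done' sh "$dest" {} + ) || return 3

    [ -s "$dest/SHA256SUMS" ] || { echo "no keystores found under $src" >&2; return 1; }

    # Verify the copies against the checksums of the originals.
    ( cd "$dest" && sha256sum -c SHA256SUMS >/dev/null ) || return 3
    echo "backed up $(grep -c . "$dest/SHA256SUMS") file(s) to $dest"
}

if [ "$#" -eq 2 ]; then
    backup_keystores "$1" "$2"
fi
```

Only continue with the regeneration if the function returns 0; a return of 1 means the patterns did not match any file and nothing has been saved.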
You need to obtain a utility script to regenerate the certificate as follows:
- Obtain the zip artefact trustmgmt_utils (trustmgmt_utils-fas2.1-7.zip attached)
- Unzip the artefact to the FAS installation directory e.g.
[root@fas-server]# unzip -d /opt/cba/FAS-2.1.17 trustmgmt_utils-fas2.1-1.zip
- Give the new script execute permissions e.g.
[root@fas-server]# chmod +x /opt/cba/FAS-2.1.17/bin/regenerate-certificates.sh
Usage of the script can be displayed with the -h parameter:
[root@fas-server]# /opt/cba/FAS-2.1.17/bin/regenerate-certificates.sh -h
This will tell you that you need to provide two arguments:
- The new common name, and
- The password to access the existing keystores (usually "changeit")
Therefore, a typical execution of the script would be:
You would change the -c parameter (192.168.8.54 in this case) to be your FAS address.
After that has completed you should be able to start FAS normally using the service.