This is the best Technote I found from IBM on TAM Certificate management. Keeping a copy here in case the original note gets deleted. http://www-01.ibm.com/support/docview.wss?uid=swg21516849
What needs to be considered in a TAM environment regarding certificate expiration?
All Tivoli Access Manager (TAM) components rely on SSL. At a minimum the components use SSL to communicate with each other. They can also use SSL to communicate with other client applications, registry servers, etc. The keystores used in a TAM environment are usually either CMS key database format (kdb) or a Java keystore (jks). When using a kdb file, as long as you're using a .sth file to stash the password of your kdb file, you can use the "/opt/PolicyDirector/sbin/dispkdb -f <kdb file>" command to view the contents of a kdb file. This will show you the expiration date of the keystore password (if you see 1969 then it means password is not set to expire) as well the certificate information such as the names, labels, date created, and expiration dates. This allows you to easily see when a certificate will expire.Most people do use the sth file, but if you are not using it and have the kdb password configured in your config file (webseal, ivmgr, etc) then you will need to use the gsk7ikm, gsk7cmd, or gsk7capicmd command to open the kdb file with your password and check the expiration dates that way.With WebSEAL, there is one kdb file which you will need to monitor for sure, which is the following (by default, from the webseald-<instance>.conf)
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdbThis is where you store your own certificates, so you need to manage those.Also, if you're using SSL to your LDAP server, you should monitor the kdb file specified in the [ldap] "ssl-keyfile" attribute of your webseald-default.conf, ivacld.conf, ivmgrd.conf, etc.Also on each of the TAM components you will find another kdb file defined in the [ssl] "ssl-keyfile" attribute (for example "default-webseald.kdb"). This is the keystore used to talk to the TAM components. You do not need to worry much about these since they are mostly self-managing, and their passwords are randomly generated at configuration time (meaning that nobody knows what the password is). By default, they will refresh themselves before the certificates expire automatically. However, these updated certificates cannot be used until the process is restarted. To avoid problems, the process must be restarted before the certificate in memory expires.
Basically, when one of the components is configured, such as webseal, the Policy Server will create a certificate for it to use. The lifetime of this certificate is controlled by the [ssl] "ssl-cert-life" attribute in the ivmgrd.conf file (by default 365 days). When webseal sees that the certificate is past it's half-life (6 months by default) then it will ask the policy server to generate a new one for it. However webseal needs to be re-started to start using this new certificate, before the old one expires. As such, it's recommended to re-start the processes at least twice for every "ssl-cert-life"...or every 6 months by default.If your processes are not restarted regularly, you can change the ssl certificate lifetime to something longer (2yrs, 5yrs, 10yrs, etc) so that you don't need to re-start the processes later on.- To change the Policy Server's certificate and certificate lifetime to say 5 yrs (1826 days) you can run the following command on the Policy Server system..../opt/PolicyDirector/sbin/mgrsslcfg -chgcert -l 1865and then re-start the policy server (pd_start restart)- In order to get a new certificate with a new certificate lifetime on the WebSEALs, pdacld, etc, you would need to refresh the certificate for EACH instance.../opt/PolicyDirector/sbin/svrsslcfg -chgcert -f cfg_file [-A admin_id] [-P admin_pwd]-f cfg_file Configuration file path and name. This is a requiredparameter and should be your webseald-<instance>.conf, ivacld.conf, ivmgrd.conf, etc.-P admin_pwd The Tivoli Access Manager Administrator password. If thisparameter is not specified you will be prompted for thepassword.-A admin_id The Tivoli Access Manager administrator name. If notspecified, this parameter defaults to "sec_master"and then -restart the processes.Other than this, you will also need to keep an eye on your LDAP server's certificates for expiration. For Tivoli Directory Server (TDS) this kdb file would be configured in your LDAP instance's ibmslapd.conf under the ibm-slapdSslKeyDatabase attribute.Lastly, if you need to look at jks file for certificates (used if you have a java application using TAM, WAS, etc) you can view the contents of the jks with the following command...keytool -list -v -keystore <jksfilename> -storetype JCEKShit enter for passwordIn the properties file created by the SvrSslCfg command, if you have "certrefresh=true" then this certificate will update itself once the application is re-started after the halfway point of the certificate's life (ssl-cert-life in ivmgrd.conf).
