Manually Uploading a Certificate to a Virtual Appliance

This section describes the procedure for importing a certificate and keychain to the virtual appliance.

Importing a Certificate and Keychain to the Virtual Appliance

Before adding a certificate to the Virtual Appliance, ensure that:

  • You complete the following steps for every virtual appliance in the virtual appliance cluster that is connected to the source.

  • The virtual appliance does not connect to the source before you complete the steps listed here, because you are adding the new certificate for the source to the virtual appliance's truststore manually. Do not test the connection between the source and the virtual appliance. This might also require temporarily suspending scheduled aggregations.

  • The source server has been configured for TLS.

  • The va-config-<va_id>.yaml file has been configured for your virtual appliance.

    Note
    The certificate you copy must use PEM format.

    Note
    For information on creating a hosts.yaml file, refer to Configuring a Hosts.yaml File.

Perform the following:

  1. Copy the PEM-encoded certificates to the /home/sailpoint/certificates directory. This directory might not be empty because it’s where the VA adds any certificates it imports from the source.

  2. Restart the Connector Gateway using the following command:

    `sudo systemctl restart ccg`

  3. Watch /home/sailpoint/log/ccg-start.log. If the import is successful, it logs messages of the following form:

    {"@timestamp":"2017-04-21 06:57:12 +0000","level":"INFO","type":"ccg","message":"Checking CCG Sources certificates"}

    {"@timestamp":"2017-04-21 06:57:12 +0000","level":"INFO","type":"ccg","message":"Cert files found: [\"/home/sailpoint/certificates/411818.pem\"]"}

    {"@timestamp":"2017-04-21 06:57:12 +0000","level":"INFO","type":"ccg","message":"Importing cert /home/sailpoint/certificates/411818.pem"}

    Note

    • If you see an error instead of the log messages above, this is an indication that your certificate is in an invalid format. Verify that a PEM format is used for your certificate and try again.

    • Exporting a certificate from the source does not always produce a file the Virtual Appliance can use. Retrieving the certificate directly with the openssl command is a reliable way to get the server's current certificate:

      1. `openssl s_client -connect server.example.com:636 > output < /dev/null`

      2. Open the output file written by the command above; the certificate is near the top of the file. It starts with `-----BEGIN CERTIFICATE-----`. Copy everything from that line through the `-----END CERTIFICATE-----` line, including both marker lines.

      3. Create a new file in the /home/sailpoint/certificates directory, for example cert.pem, containing the text you copied in step 2.

      4. Restart the Connector Gateway using the `sudo systemctl restart ccg` command.
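The procedure above, as an added shell example that is not SailPoint's own tooling: it retrieves the source server's certificates with openssl s_client, splits the output into one PEM file per certificate in /home/sailpoint/certificates, checks that each file is a well-formed PEM block before restarting ccg, and then looks in ccg-start.log for the "Importing cert" message from step 3. It goes beyond the page's command by passing -showcerts so the whole presented chain is captured, not only the leaf certificate. The directory, log path, service name and log message text come from the page; the `"level":"ERROR"` field used to recognise a failed import, the ten-second wait for the log, and the `-servername` SNI flag are assumptions.

```shell
#!/bin/sh
# Added example (not SailPoint's tooling): fetch, split, validate and
# import a source server's TLS certificates on a Virtual Appliance.
set -eu

CERT_DIR="${CERT_DIR:-/home/sailpoint/certificates}"      # directory named on the page
CCG_LOG="${CCG_LOG:-/home/sailpoint/log/ccg-start.log}"   # log named on the page

# Split openssl s_client output (read from stdin) into one PEM file per
# certificate: <outdir>/<prefix>-1.pem, <prefix>-2.pem, ...  Handshake
# chatter outside the BEGIN/END markers is dropped. Prints the count written.
extract_pem_certs() {
    awk -v dir="$1" -v pfx="${2:-cert}" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/" pfx "-" n ".pem"; inblk = 1 }
        inblk                           { print > f }
        /^-----END CERTIFICATE-----$/   { inblk = 0; close(f) }
        END                             { print n + 0 }
    '
}

# Structural PEM check: first line BEGIN, last line END, and a non-empty
# body made only of base64 characters. This is the "PEM format" the page
# requires, checked before ccg is restarted.
is_pem_block() {
    local file body
    file="$1"
    [ "$(head -n 1 "$file")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$file")" = "-----END CERTIFICATE-----" ] || return 1
    body="$(sed '1d;$d' "$file")"
    [ -n "$body" ] || return 1
    ! printf '%s\n' "$body" | grep -qvE '^[A-Za-z0-9+/=]+$'
}

# Deeper check with openssl: does the block parse as an X.509 certificate?
# Skipped (with a warning) when openssl is not installed.
parses_as_x509() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping parse check" >&2; return 0; }
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Read ccg-start.log lines from stdin and report the import status of one
# certificate path: "imported", "error" or "missing". Matching on the
# page's "Importing cert <path>" message; the "level":"ERROR" field is an
# assumption about how a failed import is logged.
import_status() {
    awk -v cert="$1" '
        index($0, "Importing cert " cert)  { found = 1 }
        index($0, "\"level\":\"ERROR\"")  { err = 1 }
        END { print (found ? "imported" : (err ? "error" : "missing")) }
    '
}

main() {
    local host tag n f
    host="$1"                                             # e.g. server.example.com:636
    case "$host" in *:*) ;; *) host="$host:636" ;; esac
    tag="$(printf '%s' "$host" | tr ':.' '__')"
    # -showcerts returns the whole chain; the page's plain command captures only the leaf.
    # -servername sends SNI so a multi-tenant server presents the right certificate.
    n="$(openssl s_client -connect "$host" -servername "${host%%:*}" -showcerts </dev/null 2>/dev/null \
         | extract_pem_certs "$CERT_DIR" "$tag")"
    [ "$n" -gt 0 ] || { echo "no certificate blocks received from $host" >&2; exit 1; }
    for f in "$CERT_DIR/$tag"-*.pem; do
        is_pem_block "$f" && parses_as_x509 "$f" || { echo "not a valid PEM certificate: $f" >&2; exit 1; }
    done
    echo "wrote $n PEM file(s) to $CERT_DIR; restarting the Connector Gateway"
    sudo systemctl restart ccg                            # step 2 on the page
    sleep 10                                              # assumed time for ccg to write its start log
    for f in "$CERT_DIR/$tag"-*.pem; do
        echo "$f: $(import_status "$f" < "$CCG_LOG")"     # step 3 on the page
    done
}

# Run the end-to-end flow only when a host is given, so the functions can
# also be sourced and exercised on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it on the VA as `sh import-source-cert.sh server.example.com:636` (assumed file name). Because the whole chain is written, an intermediate that the source presents is imported alongside the leaf; if you only want the server certificate, delete the extra files before the restart.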