Introduction
This document describes how to replace an expired Single Sign-On (SSO) certificate on a CloudCenter Manager (CCM).
Prerequisites
Requirements
Cisco recommends that you have knowledge of CloudCenter releases prior to 4.7.2.1.
Components Used
The information in this document is based on all CloudCenter versions before 4.7.2.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Problem: Login fails with "Invalid username or Password"
Login fails with "Invalid username or Password" although the correct username and password are used. This is caused by an expired Single Sign-On certificate on the CCM. Release 4.7.2.1 includes a fix so that the certificate no longer expires; on earlier releases, replace the certificate as described below.
Solution
Steps to update the certificate:
Step 1. Upload the attached file (samlKeystore.jks) to the CCM and stage it in a security/ directory inside the Tomcat lib directory. In HA mode, upload the file to both CCMs.
# cd /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/ && mkdir ./security
# cp /tmp/samlKeystore.jks security/
Step 2. Repackage the Cliqr Security library by adding the keystore to the existing jar. The jar file name carries the CloudCenter version; this example uses 4.7.2. The first command keeps a backup copy of the original jar in the home directory of root, and the chown restores the owner Tomcat runs as, because jar rewrites the file.
# cp cliqr-security-4.7.2.jar ~/
# jar uf cliqr-security-4.7.2.jar security/samlKeystore.jks
# chown -R cliqruser:cliqruser cliqr-security-4.7.2.jar
# rm -rf security/
Step 3. Restart Tomcat service on the (primary) CCM.
# /etc/init.d/tomcat restart
Step 4. In case of HA mode, stop the Tomcat service on the secondary CCM.
# /etc/init.d/tomcat stop
Step 5. Log in to the CCM with admin@osmosix.com user.
Step 6. Click on Manage Vendor Admins.
Step 7. Select Authentication settings for the tenant, go to the bottom of the screen and click on the Update button. This updates the corresponding metadata file.
Step 8. Press the Download the SP Metadata button to download the XML file.
Step 8.1. In HA mode, copy the XML file from CCM1 to CCM2 and make sure the file permissions and ownership match those on CCM1. The XML file is located in /usr/local/osmosix/metadata/sp/.
From CCM1
# cd /usr/local/osmosix/metadata/sp
# scp <metadatafile>.xml root@CCM2:/usr/local/osmosix/metadata/sp
Step 8.2. Start the Tomcat service on the second CCM.
From CCM2
# /etc/init.d/tomcat restart
Step 9. Upload the XML file to the IDP.
Step 10. If your IDP needs a .cer file, open the XML file, copy the value of the Certificate element into a text file, and format it as:
-----BEGIN CERTIFICATE-----
<value for certificate>
-----END CERTIFICATE-----
The IDP needs only the certificate. The XML also carries the private key; if you extract it, format it as below, keep it on the CCM with the same restricted permissions as the keystore, and never upload it to the IDP.
-----BEGIN ENCRYPTED PRIVATE KEY-----
<value for private key>
-----END ENCRYPTED PRIVATE KEY-----
Step 11. Validate solution by logging in.
Note: In case of multiple tenants, repeat steps 4 - 8 for each tenant.
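The command-line part of the procedure above (Steps 1 to 3 and the certificate extraction of Step 10), written as a script with the checks the manual steps leave out. This is an added example and not part of the Cisco document or of CloudCenter: the variable names, the backup file name, the JKS magic-number check, the post-repackage verification and the awk-based certificate extraction are assumptions of this example. It is meant to be run as root on each CCM (both CCMs in HA mode) and extracts only the certificate from the SP metadata, never the private key.

```shell
#!/bin/sh
# Added example (not from the Cisco document): Steps 1-3 as a script with the
# checks the manual steps leave out.  Assumed, not taken from the document:
# the variable names, the backup file name, the JKS magic-number check and
# the post-repackage verification.  Run it as root on every CCM (both CCMs
# in HA mode), then continue with Step 4 of the procedure.
set -eu

LIB_DIR="${LIB_DIR:-/usr/local/tomcat/webapps/ROOT/WEB-INF/lib}"
KEYSTORE_SRC="${KEYSTORE_SRC:-/tmp/samlKeystore.jks}"
CLIQR_USER="${CLIQR_USER:-cliqruser}"

# A JKS file starts with the magic number 0xFEEDFEED; refuse anything else
# before touching the jar (a truncated upload or a PKCS#12 file would only
# fail at Tomcat start, when the login is already broken).
is_jks() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "feedfeed" ]
}

# Print the one cliqr-security-<version>.jar in a lib directory; fail rather
# than guess if there are none or several (a leftover copy from an upgrade).
find_security_jar() {
    set -- "$1"/cliqr-security-*.jar
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Steps 1-2: stage the keystore, back up the jar, add the keystore to it,
# verify the entry really is inside, and restore the owner Tomcat runs as.
repackage_keystore() {
    lib_dir="$1"; keystore="$2"; owner="$3"
    is_jks "$keystore" || { echo "not a JKS keystore: $keystore" >&2; return 1; }
    jar_path=$(find_security_jar "$lib_dir") \
        || { echo "expected exactly one cliqr-security-*.jar in $lib_dir" >&2; return 1; }
    backup="$jar_path.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$jar_path" "$backup"
    (
        cd "$lib_dir"
        mkdir -p security
        cp "$keystore" security/samlKeystore.jks
        jar uf "$jar_path" security/samlKeystore.jks
        rm -rf security
    )
    if ! jar tf "$jar_path" | grep -qx 'security/samlKeystore.jks'; then
        echo "keystore not found in $jar_path, restoring $backup" >&2
        cp -p "$backup" "$jar_path"
        return 1
    fi
    chown "$owner:$owner" "$jar_path"   # jar rewrites the file, usually as root
    echo "updated $jar_path (backup: $backup)"
}

# Step 10, certificate only: pull the first X509Certificate element out of
# the SP metadata XML and wrap it as a PEM .cer for the IDP.  The private
# key never leaves the CCM; this deliberately does not extract it.
extract_sp_cert() {
    tr -d ' \t\r\n' < "$1" \
        | awk -v RS='<' '/^([A-Za-z0-9]*:)?X509Certificate>/ { sub(/^[^>]*>/, ""); print; exit }' \
        | fold -w 64 \
        | { printf '%s\n' '-----BEGIN CERTIFICATE-----'; cat; printf '%s\n' '-----END CERTIFICATE-----'; }
}

# Only act when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    repackage_keystore "$LIB_DIR" "$KEYSTORE_SRC" "$CLIQR_USER"
    /etc/init.d/tomcat restart          # Step 3
fi
```

Run it as `sh replace-sso-keystore.sh --apply` on the primary CCM, then on the secondary in HA mode; after Step 8 run `extract_sp_cert /usr/local/osmosix/metadata/sp/<metadatafile>.xml > sp.cer` to produce the file for the IDP. The backup makes the change reversible if Tomcat fails to start with the new keystore.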