Symantec Access Management

  • 1.  Need instructions for changing the signing cert for Sharepoint Agent

    Posted May 12, 2015 04:19 PM

    We are running SharePoint agent 12.52, and our signing cert is about to expire. This is the first time we have had to replace the signing cert since we built the environment, and we are a little unclear about what has to change where. We are all set from the policy server perspective, and the resource partner object in the policy store. What we are confused about is where the public key of the cert actually has to be installed and what has to be run where so when an assertion comes over signed by the new cert the correct key will be on the receiving end. Is it on the SharePoint Agent on the proxy engine? On the Claims provider? Both?

     

    Thanks.



  • 2.  Re: Need instructions for changing the signing cert for Sharepoint Agent

    Posted May 13, 2015 09:29 AM

    brodginskicc

     

    The new public cert needs to be associated with the Trusted Identity Token Issuer on SharePoint Server.

     

    There are blogs on the internet to update the Trusted Token Issuer Certificate. There is a worst-case option, which is to delete the Trusted Identity Token Issuer and re-run the script which was earlier generated by SPConnectionWizard, which was used to create the Trusted Identity Token Issuer in the first place (however, due care needs to be taken with regard to using the same Trusted Identity Token Issuer Name, as the identities already granted access to SharePoint are associated with TIP Names).

     

    I think it is documented too. I'll check the documentation and get back to you in some time.

     

    Regards

     

    Hubert



  • 3.  Re: Need instructions for changing the signing cert for Sharepoint Agent

    Posted May 14, 2015 03:09 PM

    There is a section in R12.51 Agent for Sharepoint guide. Let me know if you have access to that PDF.

     

    How to Replace the Certificates for your SiteMinder Trusted Identity Provider



  • 4.  Re: Need instructions for changing the signing cert for Sharepoint Agent
    Best Answer

    Posted May 15, 2015 03:18 PM

    I also opened a case on this. In addition to pointing me to the doc these comments were made.

     

    "Please note that the instructions state to install the new certificate on the Agent for SharePoint system, however this is not required. I will be opening a Doc Bug to get this removed".

     

    "The new certificate needs to be copied to the SharePoint Server and updated per the remaining instructions in the section referenced above, so please follow the instructions in this section, but you can skip the "Install the Policy Server Signing Certificate on your Proxy Server" section."

     

    We followed the instructions, and were successful in replacing the signing cert.
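
The thread places the new public certificate on the SharePoint Server's Trusted Identity Token Issuer. The sketch below is an added example, not taken from the thread or from the Agent for SharePoint guide: it uses the standard SharePoint management cmdlets to sanity-check the new certificate and swap it onto the existing issuer in place, so the issuer name stays unchanged. The issuer name and certificate path are placeholders.

```powershell
# Added example. Run in the SharePoint Management Shell as a farm administrator.
# $IssuerName and $CertPath are placeholders (assumptions), not values from the thread.
$IssuerName = 'TRUSTED-ISSUER-NAME-PLACEHOLDER'
$CertPath   = 'C:\certs\new-signing-cert-PLACEHOLDER.cer'

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Load the public certificate exported from the policy server side.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Only the public key belongs on the receiving end; refuse a file that carries the private key.
if ($newCert.HasPrivateKey) {
    throw "Certificate file contains a private key; export the public certificate only."
}

# Refuse a certificate that is not yet valid or already expired.
$now = Get-Date
if ($now -lt $newCert.NotBefore -or $now -gt $newCert.NotAfter) {
    throw "Certificate is outside its validity window ($($newCert.NotBefore) to $($newCert.NotAfter))."
}

# Look up the existing issuer by name; it is updated in place, not deleted and recreated.
$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
$oldCert = $issuer.SigningCertificate
Write-Host "Current signing cert: $($oldCert.Thumbprint), expires $($oldCert.NotAfter)"
Write-Host "New signing cert:     $($newCert.Thumbprint), expires $($newCert.NotAfter)"

if ($oldCert.Thumbprint -eq $newCert.Thumbprint) {
    Write-Host "Issuer already uses this certificate; nothing to change."
} else {
    # SharePoint must trust the signing certificate (or its issuing chain).
    # For a self-signed signing certificate, that means adding the certificate itself.
    $trusted = Get-SPTrustedRootAuthority |
        Where-Object { $_.Certificate.Thumbprint -eq $newCert.Thumbprint }
    if (-not $trusted) {
        New-SPTrustedRootAuthority -Name "Signing-$($newCert.Thumbprint)" -Certificate $newCert | Out-Null
    }

    # Replace the certificate the issuer uses to validate incoming assertions.
    Set-SPTrustedIdentityTokenIssuer -Identity $issuer -ImportTrustCertificate $newCert

    # Confirm the change took effect before switching the signing side over.
    $check = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    if ($check.SigningCertificate.Thumbprint -ne $newCert.Thumbprint) {
        throw "Issuer still reports the old signing certificate."
    }
    Write-Host "Issuer '$IssuerName' now validates against $($newCert.Thumbprint)."
}
```

Once the issuer holds the new certificate it no longer validates assertions signed with the old one, so the change on the signing side has to be made in the same window.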