These consolidated steps should help you quickly address the problem noted in the recent advisory.
On each Provisioning Server (where you typically have the imps-router DSA running):
- Copy the provided 'impd_trusted.pem' into the DXHOME\config\ssld location, overwriting the existing one.
- Rename the provided imps-router.pem to reflect the local (original) name and copy it into the DXHOME\config\ssld\personalities location, overwriting the existing one.
- Delete any other .pem files related to 'imps' and 'impd' you have in there.
- Basically, on each Provisioning Server host, you will end up with only one router .pem file reflecting the local router name.
On each Provisioning Directory Server (where you typically have the impd-main, impd-inc, impd-co and impd-notify DSAs running):
- Copy the provided 'impd_trusted.pem' into the DXHOME\config\ssld location, overwriting the existing one.
- Rename the provided impd files to match the local hostname (you will have a total of 4 files) and copy them into the DXHOME\config\ssld\personalities location, overwriting the existing ones.
- Delete any other .pem files related to 'imps' and 'impd' you have in there.
- Basically, on each Provisioning Directory host, you will end up with only four impd .pem files reflecting the four local data DSA names.
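A post-change check for the steps above, as an added example that is not part of the original document or of the product: it confirms that the installed impd_trusted.pem matches the provided one and that no other imps/impd .pem files remain in the personalities folder. It assumes each personality file is named `<DSA name>.pem`; the host name `idmhost01` and the `new_certs` folder are hypothetical.

```python
import hashlib
import os
from pathlib import Path


def sha256(path):
    """Hex SHA-256 of a file, used to confirm an overwrite really happened."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_host(dxhome, expected_dsas, provided_trusted):
    """Check one host against the steps above.

    dxhome           -- DXHOME directory of the local CA Directory install
    expected_dsas    -- local DSA names (assumption: each personality file
                        is named <DSA name>.pem)
    provided_trusted -- the impd_trusted.pem supplied with the new cert set
    Returns a dict of findings; empty lists and True mean the host is clean.
    """
    ssld = Path(dxhome) / "config" / "ssld"
    expected = {f"{name}.pem".lower() for name in expected_dsas}
    present = {p.name.lower() for p in (ssld / "personalities").glob("*.pem")}
    # Only imps/impd personalities are in scope; other DSAs are left alone.
    related = {n for n in present if "imps" in n or "impd" in n}
    installed = ssld / "impd_trusted.pem"
    return {
        "missing": sorted(expected - present),
        "stray": sorted(related - expected),
        "trusted_replaced": installed.is_file()
        and sha256(installed) == sha256(provided_trusted),
    }


if __name__ == "__main__":
    # Hypothetical host "idmhost01"; pass your own router or data DSA names.
    dsas = [f"idmhost01-impd-{s}" for s in ("main", "inc", "co", "notify")]
    report = audit_host(os.environ["DXHOME"], dsas, "new_certs/impd_trusted.pem")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a Provisioning Server host, pass the single local router DSA name instead of the four data DSA names.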
Now back to main topic:
Main docops link: https://docops.ca.com/ca-identity-manager/12-6-8/EN/upgrading/upgrade-provisioning-components/update-your-provisioning-certificates
TEC1561732 link: https://support.ca.com/us/knowledge-base-articles.TEC1561732.html
(Note: if you experience a broken docOps link in the above TEC doc, please go directly to
Update Your Provisioning Certificates - CA Identity Manager - 12.6.8 - CA Technologies Documentation )
Both sets (SHA-1 and SHA-2) of certs are attached to this doc for easy access.
For IDMGR 12.6.04 and above, one can follow what is provided in docops.
For IDMGR 12.6.01 to 12.6.03, use the same instructions that are available in docops + KB TEC1561732.
This KB replaces the jiam.jar section that is mentioned in docops instructions.
For IDMGR 12.5.x, use the attached SHA-1 signed certs + KB TEC1561732.
This KB replaces the jiam.jar section that is mentioned in docops instructions.