How to change the SSL certificate used within DRA REST Services

  • 7023313
  • 29-Aug-2018
  • 02-Jun-2020

Environment

NetIQ Directory and Resource Administrator REST Services 9.x
NetIQ Directory and Resource Administrator REST Services 10.0.x
NetIQ Directory and Resource Administrator Replication Services 10.0.x

Situation

The SSL certificate(s) used by the DRA REST Services application and/or the DRAClient Web site have expired.
The SSL certificate(s) used by the DRA REST Services application and/or the DRAClient Web site need to be changed.
The SSL certificate(s) used by the DRA Replication Services, the DRA REST Services application and/or the DRAClient Web site need to be changed.

Resolution

To change the SSL certificate used by DRA REST Services, the DRAClient Web site and DRA Replication Services, perform the following steps. All of the steps below require local logon to the Windows OS hosting the DRA REST Services and DRAClient Web site. All steps that require a Windows command line must be run from an Administrator (elevated) CMD prompt.
  • Step 1 - Configure the new certificate on the server
  1. Import the new SSL certificate on the server that hosts the REST Services, IIS and DRA Replication Services
    1. If the same SSL certificate is used for IIS, REST Services and DRA Replication Services, the new certificate can be imported within IIS Manager
    2. If a unique certificate is used for each of DRA REST Services, DRA Replication Services and IIS, the additional certificates can be imported using the Certificates MMC snap-in
    3. Certificates used by DRA REST Services, DRA Replication Services and the Web site must be stored in the Local Machine's Personal certificate store, together with their private keys (HTTP.sys cannot bind a certificate without a private key)
  • Step 2 - Locate and copy the new certificate's thumbprint
  1. Open the certificate properties and locate the Thumbprint property
    1. The certificate properties can be viewed via IIS Manager
    2. The certificate properties can be viewed via the Certificates MMC snap-in
    3. Sample thumbprint property: 7c 56 b6 9b b9 ad 02 66 fa f0 22 cc 10 89 fd bf 77 2e b1 f0
  2. Use a text editor, such as Windows Notepad, to remove the spaces from the copied thumbprint. A thumbprint copied from the certificate dialog may also carry an invisible leading character; delete it as well, as netsh will otherwise reject the value
    1. Sample thumbprint without spaces: 7c56b69bb9ad0266faf022cc1089fdbf772eb1f0
  • Step 3 - Update the REST Services application with the new certificate
  1. Locate and copy the existing Application ID and IP:port of the REST Services application
    1. From an Administrator CMD prompt, run: netsh http show sslcert
    2. The REST Services application default port is 8755
    3. Sample Application ID: {8031ba52-3c9d-4193-800a-d620b3e98508}
  2. Delete the existing SSL binding for the REST Services application
    1. From an Administrator CMD prompt, run: netsh http delete sslcert ipport=<REST Services application IP address and port listed in the show sslcert output>
  3. Bind the new SSL certificate to the REST Services application
    1. From an Administrator CMD prompt, run: netsh http add sslcert ipport=<REST Services application IP address and port listed in the show sslcert output> certhash=<thumbprint of the new certificate, without spaces> appid=<Application ID, including the {}>
  • Step 4 - Change the SSL certificate used by IIS
  1. Locate and copy the existing Application ID and IP:port of the IIS Web site
    1. From an Administrator CMD prompt, run: netsh http show sslcert
    2. The IIS Web site default port is 443
    3. Sample Application ID: {4dc3e181-e14b-4a21-b022-59fc669b0914}
  2. Delete the existing SSL binding for the IIS Web site
    1. From an Administrator CMD prompt, run: netsh http delete sslcert ipport=<IIS Web site IP address and port listed in the show sslcert output>
  3. Bind the new SSL certificate to the IIS Web site
    1. From an Administrator CMD prompt, run: netsh http add sslcert ipport=<IIS Web site IP address and port listed in the show sslcert output> certhash=<thumbprint of the new certificate, without spaces> appid=<Application ID, including the {}>
  • Step 5 - Change the SSL certificate used by DRA Replication Services
  1. Locate and copy the existing Application ID and IP:port of the DRA Replication Services application
    1. From an Administrator CMD prompt, run: netsh http show sslcert
    2. The DRA Replication Services default port is 8898
    3. Sample Application ID: {4dc3e181-e14b-4a21-b022-59fc669b0914}
  2. Delete the existing SSL binding for the DRA Replication Services application
    1. From an Administrator CMD prompt, run: netsh http delete sslcert ipport=<DRA Replication Services IP address and port listed in the show sslcert output>
  3. Bind the new SSL certificate to the DRA Replication Services application
    1. From an Administrator CMD prompt, run: netsh http add sslcert ipport=<DRA Replication Services IP address and port listed in the show sslcert output> certhash=<thumbprint of the new certificate, without spaces> appid=<Application ID, including the {}>
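The following PowerShell script is an added example and is not part of the NetIQ article or the DRA product. It automates Steps 2 through 5 for one HTTP.sys endpoint at a time: it normalises a thumbprint copied from the certificate dialog, checks that the certificate is in the Local Machine Personal store with its private key and has not expired, reads the existing IP:port and Application ID for the requested port from `netsh http show sslcert`, replaces the binding, and then verifies that HTTP.sys reports the new hash. The parameter names, the 10-line window used when parsing the netsh output, and the port numbers passed in (8755, 443, 8898 per the steps above) are assumptions of this example.

```powershell
# Added example (not NetIQ code): rebind one HTTP.sys SSL endpoint used by DRA
# (REST Services 8755, IIS 443 or Replication Services 8898) to a new certificate.
# Assumes the new certificate is already in Cert:\LocalMachine\My with its private key.
# Run from an elevated PowerShell prompt, e.g.:
#   .\Set-DraSslBinding.ps1 -Thumbprint '7c 56 b6 9b ...' -Port 8755
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # as copied from the certificate, spaces allowed
    [Parameter(Mandatory)][int]$Port             # 8755, 443 or 8898
)

# Step 2: strip spaces and any invisible character (e.g. the U+200E that Windows
# places in front of a copied thumbprint); a SHA-1 thumbprint is 40 hex characters.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hash.Length -ne 40) { throw "Thumbprint '$Thumbprint' is not a 40-character SHA-1 thumbprint" }

# Step 1 check: HTTP.sys needs the private key, and an expired certificate is
# exactly the problem this procedure is meant to fix.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$hash" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $hash expired on $($cert.NotAfter)" }

# Steps 3/4/5 part 1: recover the IP:port and the Application ID that the DRA installer
# used, from the block of 'netsh http show sslcert' output that lists this port.
$lines = netsh http show sslcert
$ipport = $null
$appid = $null
$ipportPattern = "^\s*IP:port\s*:\s*(\S+:${Port})\s*`$"
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match $ipportPattern) {
        $ipport = $Matches[1]
        # Application ID is a few lines below IP:port in the same block (assumed window: 10 lines)
        for ($j = $i; ($j -lt $lines.Count) -and ($j -lt $i + 10); $j++) {
            if ($lines[$j] -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
                $appid = $Matches[1]
                break
            }
        }
        break
    }
}
if (-not $ipport -or -not $appid) { throw "No existing SSL binding found for port $Port" }
Write-Host "Existing binding: ipport=$ipport appid=$appid"

# Part 2: delete the old binding. Part 3: add the new one with the same ip:port and appid.
# Between these two commands the endpoint refuses TLS connections, so do this in a window.
netsh http delete sslcert ipport=$ipport | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed for $ipport" }
netsh http add sslcert ipport=$ipport certhash=$hash appid="$appid" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed; the old binding for $ipport is gone, re-add it manually" }

# Verify: HTTP.sys must now report the new hash for this endpoint (netsh prints it in lowercase;
# -match is case-insensitive by default).
$after = netsh http show sslcert ipport=$ipport
if (-not ($after -match "Certificate Hash\s*:\s*$hash")) { throw "Binding verification failed for $ipport" }
Write-Host "Rebound $ipport to certificate $hash"
```

Run the script once per endpoint (8755, 443 and, on DRA 10.x, 8898). If the REST Services, IIS and Replication Services use the same certificate, pass the same thumbprint each time; the Application ID is taken from the existing binding rather than typed in, which avoids the copy-and-paste mistake of binding one endpoint with another endpoint's ID. Updating the IIS binding through IIS Manager instead of netsh is equivalent, since IIS writes the same HTTP.sys binding.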

Cause

Both the IIS Web site that hosts the DRA Client (known as DRAClient) and the REST Services application are bound to an SSL certificate; the initial installation of DRA REST Services configures these bindings. The existing SSL certificate may expire, or there may be a need to change from one certificate to another. The DRA Replication Service, hosted on every DRA server, is also bound to an SSL certificate.


Additional Information

The DRA Replication Service is new in the DRA 10 release and is not present in the DRA 9.x release.