How to change the SSL certificate used within DRA REST Services

  • 7023313
  • 29-Aug-2018
  • 29-Aug-2018

Environment

NetIQ Directory and Resource Administrator REST Services 9.0.2.x
NetIQ Directory and Resource Administrator REST Services 9.0.3.x
NetIQ Directory and Resource Administrator REST Services 9.1.x
NetIQ Directory and Resource Administrator REST Services 9.2.x

Situation

The SSL certificate(s) used by the DRA REST Services application and / or the DRAClient Web site have expired.
The SSL certificate(s) used by the DRA REST Services application and / or the DRAClient Web site need to be changed.

Resolution

To change the SSL certificate used by DRA REST Services and the DRA Web Client, complete the following steps. All of the steps below require local logon to the Windows OS hosting the DRA REST Services and the DRAClient Web site. All steps requiring a Windows CMD line should be done using an Administrator CMD prompt.
  • Step 1 - Configure the new certificate on the Server
  1. Import the new updated SSL certificate to the REST Server and IIS Server
    1. If using the same SSL Cert for IIS and REST Services, the new certificate can be added within IIS
    2. If using one certificate for REST and one for IIS, additional SSL certs can be added using Windows Certificate Services MMC Snap-In
    3. Certificates used for DRA REST and Web should be stored in the Local Machine’s Personal Certificate Store
  • Step 2 - Locate and copy the new Certificate’s Thumbprint
  1. Open the certificate properties and locate the Certificate Thumbprint property
    1. The certificate properties can be viewed via IIS Manager
    2. The certificate properties can be viewed via the Certificate Store Windows MMC Snap-in
    3. Sample thumbprint property: 7c 56 b6 9b b9 ad 02 66 fa f0 22 cc 10 89 fd bf 77 2e b1 f0
  2. Use a text editor, such as Windows Notepad, to remove the spaces from the copied thumbprint value
    1. Sample thumbprint without spaces: 7c56b69bb9ad0266faf022cc1089fdbf772eb1f0
  • Step 3 - Update the REST Services Application with the new certificate
  1. Locate and copy the Existing Application ID, and port for the IIS Server
    1. From an Administrator CMD Prompt: run netsh http show sslcert
    2. The REST Services Application default port is 443
    3. Sample Application ID {8031ba52-3c9d-4193-800a-d620b3e98508}
  2. Delete the existing SSL binding for the REST Services Application
    1. From an Administrator CMD Prompt: run netsh http delete sslcert ipport=<REST Services Application IP Address and Port listed in the show sslcert output>
  3. Bind the new SSL cert to the REST Services Application
    1. From an Administrator CMD Prompt: run netsh http add sslcert ipport=<REST Services Application IP Address and Port listed in the show sslcert output> certhash=<ThumbPrintID of new certificate> appid=<Application ID, including the {}>
  • Step 4 - Change the SSL Certificate used by IIS
  1. Locate and copy the Existing Application ID, and port for the REST Services Application
    1. From an Administrator CMD Prompt: run netsh http show sslcert
    2. The IIS Website default port is 443
    3. Sample Application ID {4dc3e181-e14b-4a21-b022-59fc669b0914}
  2. Delete the existing SSL binding for the REST Services Application
    1. From an Administrator CMD Prompt: run netsh http delete sslcert ipport=<IIS Web site IP Address and Port listed in the show sslcert output>
  3. Bind the new SSL cert to the REST Services Application
    1. From an Administrator CMD Prompt: run netsh http add sslcert ipport=<IIS Web site IP Address and Port listed in the show sslcert output> certhash=<ThumbPrintID of new certificate> appid=<Application ID, including the {}>
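Steps 2 through 4 as one PowerShell function, added here as an example and not NetIQ's own tooling; the function name Set-HttpSysCertBinding, its parameters and the backup file name are assumptions. It keeps only the hex digits of the pasted thumbprint (dropping spaces and the invisible character that can precede a thumbprint copied from the certificate dialog), checks the certificate in the Local Machine Personal store, saves the current binding, and then runs the netsh delete and add commands from the steps above.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
function Set-HttpSysCertBinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$IpPort,      # IP:port exactly as listed by "netsh http show sslcert"
        [Parameter(Mandatory)][string]$Thumbprint,  # pasted as-is from the certificate properties
        [Parameter(Mandatory)][string]$AppId        # existing Application ID, including the {}
    )

    # Step 2: keep only hex digits. This removes the spaces and any invisible
    # character (such as U+200E) that came along with the copy.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hash.Length -ne 40) { throw "Expected 40 hex digits, got $($hash.Length)." }
    if ($AppId -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "AppId must be a GUID in braces." }

    # Step 1 check: the certificate must be in LocalMachine\My, have a private key and be unexpired.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    if (-not $cert) { throw "No certificate $hash in LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key." }
    if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $hash expired on $($cert.NotAfter)." }

    # Save the current binding (old hash and appid) before touching it, so it can be restored.
    $before = & netsh http show sslcert "ipport=$IpPort"
    if ($LASTEXITCODE -ne 0) { throw "No existing SSL binding found on $IpPort." }
    $backup = ".\sslcert-$($IpPort -replace '[^0-9A-Za-z]', '_').bak.txt"
    $before | Set-Content -LiteralPath $backup

    if ($PSCmdlet.ShouldProcess($IpPort, "rebind to certificate $hash")) {
        & netsh http delete sslcert "ipport=$IpPort"
        if ($LASTEXITCODE -ne 0) { throw "netsh delete sslcert failed for $IpPort." }
        & netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId"
        if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed; previous binding is saved in $backup." }
        & netsh http show sslcert "ipport=$IpPort"   # confirm the new hash is listed
    }
}

# Constructed invocation: the ipport value is a placeholder, the thumbprint and
# Application ID are the samples from this article. -WhatIf makes no change.
# Set-HttpSysCertBinding -IpPort '0.0.0.0:443' -AppId '{8031ba52-3c9d-4193-800a-d620b3e98508}' `
#     -Thumbprint '7c 56 b6 9b b9 ad 02 66 fa f0 22 cc 10 89 fd bf 77 2e b1 f0' -WhatIf
```

Run it once per binding, with the ipport and Application ID that netsh http show sslcert lists for that binding.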

 



Cause

Both the IIS Website used to host the DRA Client (known as DRAClient) and the REST Services Application are bound to an SSL Certificate. The initial install of the DRA REST Services configures the binding. The existing SSL certificate can expire, and there might also be a need to change from one certificate to another.