DualShield servers produced before June 17, 2013 have a restriction: their CA certificate has a lifetime of only 10 years.
If your DualShield server was installed before June 17, 2013 and has never been reinstalled since, its CA certificate is likely to expire soon.
Step 1: On the DualShield server machine, open the Windows Command Prompt
Step 3: At the "Enter keystore password:" prompt, enter "changeit". This is a well-known default password, so the keystore file is protected only by the file-system permissions on the server.
Step 4: Look for the line "Valid from … until …" in the output.
The date after "until:" is the expiration date of the DualShield CA certificate.
If your DualShield CA certificate will expire in the near future, you must follow the guide below and renew it before it expires.
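The check in Steps 1 to 4 is a manual read of the keytool output. The script below is an added example (not Deepnet's code) that parses the text `keytool -list -v` prints, computes the days left on every certificate in the keystore and flags those that have expired or fall inside a warning window. It assumes you save the keytool output to a file on the server (the keystore path is whatever your installation uses) and that the 90-day threshold suits your change schedule; the sample listing embedded in it is constructed, not captured from a real server.

```python
"""Report how long each certificate in a DualShield Java keystore remains
valid, from the text that `keytool -list -v` prints.

Added example for this guide, not Deepnet's own code.  Typical use on the
server (keystore path and 90-day warning threshold are assumptions):
    keytool -list -v -keystore <path to the DualShield keystore> > listing.txt
    python check_expiry.py listing.txt
"""
import re
import sys
from datetime import datetime

# keytool prints validity as, for example:
#   Valid from: Mon Jun 17 10:00:00 BST 2013 until: Sat Jun 17 10:00:00 BST 2023
# The timezone token depends on the server's locale, so it is captured
# separately and not used when parsing the timestamp (month and day names
# are always English in keytool output).
_STAMP = r"([A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\d{4})"
_VALID_RE = re.compile(r"Valid from:\s*" + _STAMP + r"\s*until:\s*" + _STAMP)
_ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$", re.MULTILINE)


def _parse_stamp(stamp, year):
    return datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")


def check_listing(listing, today=None, warn_days=90):
    """Return [(alias, expires, days_left, status), ...] for every certificate
    entry in a `keytool -list -v` listing.  `today` may be a datetime or a
    "YYYY-MM-DD" string.  Entries without a validity period (a SecretKeyEntry)
    are skipped; for a chain, the first "Valid from" line is the entry's own
    certificate, which is the one that matters here."""
    if today is None:
        today = datetime.now()
    elif isinstance(today, str):
        today = datetime.strptime(today, "%Y-%m-%d")
    aliases = list(_ALIAS_RE.finditer(listing))
    results = []
    for i, m in enumerate(aliases):
        end = aliases[i + 1].start() if i + 1 < len(aliases) else len(listing)
        v = _VALID_RE.search(listing, m.end(), end)
        if not v:
            continue
        expires = _parse_stamp(v.group(4), v.group(6))
        days_left = (expires - today).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "RENEW NOW"
        else:
            status = "ok"
        results.append((m.group(1), expires, days_left, status))
    return results


# Constructed sample of keytool output (not captured from a real server).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: dualshield-ca
Creation date: Jun 17, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=DualShield CA, O=Example Ltd
Issuer: CN=DualShield CA, O=Example Ltd
Serial number: 1
Valid from: Mon Jun 17 10:00:00 BST 2013 until: Sat Jun 17 10:00:00 BST 2023


*******************************************
*******************************************


Alias name: sso-idp
Creation date: Jan 2, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=DualShield SSO IdP, O=Example Ltd
Issuer: CN=DualShield CA, O=Example Ltd
Serial number: 2
Valid from: Tue Jan 02 09:30:00 GMT 2024 until: Fri Dec 30 09:30:00 GMT 2033
"""


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LISTING
    for alias, expires, days, status in check_listing(text):
        print(f"{status:9} {alias:20} expires {expires:%Y-%m-%d} ({days:+d} days)")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports on the embedded sample; with a file argument it reports on your own keytool output. Anything marked RENEW NOW or EXPIRED is a reason to go through the renewal procedure below.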
Warning: The process below will stop and start your DualShield server a couple of times. You should carry out the process in off hours in order to minimise the interruption.
Step 5: The DualShield service MUST be restarted for a second time.
Step 6: Once the DualShield service has fully started, log in to its management console and navigate to "Administration | Tasks". Browse the list of tasks; you should find a newly added task called "Renew all agent certificates".
This task should have the following flags:
Enabled : false
Executed : 1
Succeeded : 1
Failed : 0
You do not need to take any further action with this task. You can delete it if you like: it is no longer needed and should not be run again.
If you have reached this point without any error, you have successfully renewed the CA certificate, the SSO IdP signing certificate and all agent certificates on this DualShield server. However, you still need to check and update the certificates in the following components:
Frontend Servers
Secondary HA Servers
RADIUS Servers
Windows Logon Agents
SAML Service Providers
Frontend Servers
If you have DualShield frontend servers, do not carry out the above steps on the frontend servers. Instead, follow the steps below:
Step 1: Download Frontend Agent Certificate
A frontend DualShield server can have one to three roles, namely
SSO
Self Service (SelfSRV)
Provision Service (PROV)
Log in to the management console of the DualShield backend server and navigate to "Authentication | Agents".
In the screenshot above there is one frontend server, at IP address 192.168.30.12. It has all three roles: SSO (FRONT-SSO), Self-Service (FRONT-SelfSRV) and Provisioning Service (FRONT-PROV).
You need to download the agent certificate for each of those three roles.
In the "Downloads" folder, you should then have three files like those below:
Step 2: Replace Frontend Agent Certificate
Now log in to the frontend server, e.g. 192.168.30.12 in this example. In Windows File Explorer, navigate to "C:\Program Files\Deepnet DualShield\certs".
As you will see, there are the following 3 files:
sso.jks
dss.jks
dps.jks
Back up those three files, then replace them with the files you downloaded in Step 1, keeping the original file names:
replace "sso.jks" with "front-sso.jks"
replace "dss.jks" with "front-selfsrv.jks"
replace "dps.jks" with "front-prov.jks"
Step 3: Replace the frontend IdP certificate
Copy the following file from the backend server to the frontend server
Secondary HA Servers
to the same locations on the secondary HA server, and overwrite the existing files on the secondary server.
Restart the secondary DualShield server
RADIUS Servers
If you have DualShield RADIUS servers, follow the steps below to renew their certificates.
Step 1: Download RADIUS Agent Certificate
Log in to the management console of the DualShield backend server and navigate to "Authentication | Agents".
In the screenshot above there is one RADIUS server, at IP address 192.168.30.11. Download the agent certificate of this RADIUS server.
In the "Downloads" folder, you should see a file like the one below:
Step 2: Replace RADIUS Agent Certificate
Now log in to the RADIUS server, e.g. 192.168.30.11 in this example. In Windows File Explorer, navigate to "C:\Program Files\Deepnet Radius Server\conf".
There you will find a file called "dualradiusserver.jks".
Back up this file, then replace it with the file you downloaded in Step 1, e.g. "DAS01-RADIUS.jks", keeping the name "dualradiusserver.jks".
Step 3: Restart the DualShield RADIUS server
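The frontend and RADIUS steps above both come down to the same operation: copy a downloaded keystore over a file whose name the agent software expects, without losing the old one and without accidentally installing something that is not a keystore (a browser that saved an error page as ".jks", for instance). The script below is an added example, not Deepnet's code, that does exactly that for either case. The file names are the ones the guide shows (front-*.jks to sso.jks/dss.jks/dps.jks on a frontend server, the example DAS01-RADIUS.jks to dualradiusserver.jks on a RADIUS server); the directory paths, the backup naming and the JKS header check are assumptions of this example, and the files its dry run creates are constructed stand-ins, not real keystores.

```python
"""Stage downloaded DualShield agent keystores into an agent's certs/conf
folder, validating each file and backing up what it overwrites.

Added example for this guide, not Deepnet's own code.  File names come from
the steps above; directory paths and backup naming are assumptions."""
import shutil
import tempfile
import time
from pathlib import Path

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # every JKS file starts with 0xFEEDFEED ...
JKS_VERSION = 2                   # ... followed by the big-endian version, 2

# downloaded file name -> name the agent software expects
FRONTEND_MAP = {"front-sso.jks": "sso.jks",
                "front-selfsrv.jks": "dss.jks",
                "front-prov.jks": "dps.jks"}
RADIUS_MAP = {"DAS01-RADIUS.jks": "dualradiusserver.jks"}  # example name from the guide


def is_jks(path):
    """True if the file carries the JKS magic and version header."""
    with open(path, "rb") as f:
        head = f.read(8)
    return head[:4] == JKS_MAGIC and int.from_bytes(head[4:8], "big") == JKS_VERSION


def stage_keystores(downloads, target_dir, mapping=FRONTEND_MAP, stamp=None):
    """Copy each downloaded keystore over its target file, keeping the target's
    name and backing up the old file as <name>.<stamp>.bak.  All sources are
    checked before anything is written, so an agent is never left with a mix
    of old and new keystores.  Returns {target name: backup name or None}."""
    downloads, target_dir = Path(downloads), Path(target_dir)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    problems = []
    for src_name in mapping:
        src = downloads / src_name
        if not src.is_file():
            problems.append(f"missing download: {src}")
        elif not is_jks(src):
            problems.append(f"not a JKS keystore (wrong file saved?): {src}")
    if problems:
        raise ValueError("; ".join(problems))
    done = {}
    for src_name, dst_name in mapping.items():
        dst = target_dir / dst_name
        done[dst_name] = None
        if dst.exists():
            backup = target_dir / f"{dst_name}.{stamp}.bak"
            shutil.copy2(dst, backup)
            done[dst_name] = backup.name
        shutil.copy2(downloads / src_name, dst)
    return done


def demo():
    """Dry run in a temporary folder with constructed stand-in files
    (an 8-byte JKS header plus padding, not real keystores)."""
    root = Path(tempfile.mkdtemp())
    downloads, certs = root / "Downloads", root / "certs"
    downloads.mkdir()
    certs.mkdir()
    fake_jks = JKS_MAGIC + JKS_VERSION.to_bytes(4, "big") + b"\x00" * 16
    for name in FRONTEND_MAP:
        (downloads / name).write_bytes(fake_jks)
    for name in FRONTEND_MAP.values():
        (certs / name).write_bytes(b"OLD")
    stage_keystores(downloads, certs, stamp="20230401-020000")
    copied = all((certs / n).read_bytes() == fake_jks for n in FRONTEND_MAP.values())
    backed_up = all((certs / f"{n}.20230401-020000.bak").read_bytes() == b"OLD"
                    for n in FRONTEND_MAP.values())
    # A non-keystore saved under a .jks name (e.g. an HTML error page) must be refused
    (downloads / "front-prov.jks").write_bytes(b"<html>")
    try:
        stage_keystores(downloads, certs)
        rejected = False
    except ValueError:
        rejected = True
    shutil.rmtree(root)
    return {"copied": copied, "backed_up": backed_up, "rejects_bad_file": rejected}


if __name__ == "__main__":
    print(demo())
```

For a RADIUS server call `stage_keystores(r"C:\Users\<you>\Downloads", r"C:\Program Files\Deepnet Radius Server\conf", RADIUS_MAP)` with your own download name in the map, then restart the service as the step above says. The pre-check on every source before the first copy is the point of the script: with three roles on a frontend server, a partial replacement would leave one role presenting a certificate the renewed CA no longer matches.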
Windows Logon Agents
If you have DualShield Windows Logon Agents, follow the steps below to renew their certificates.
Step 1: Download Windows Logon Agent Certificate
Log in to the management console of the DualShield backend server and navigate to "Authentication | Agents".
In the screenshot above there is one Windows logon agent, at IP address 192.168.30.11. Download the agent certificate of this logon agent.
In the "Downloads" folder, you should see a file like the one below:
Step 2: Install the Windows Logon Agent Certificate
Now log in to the Windows logon agent machine, e.g. 192.168.30.11 in this example.
Copy the file you downloaded in Step 1 to this machine, e.g. "DAS01-WA.PFX".
Install this certificate into the Windows certificate store:
Select "Local Machine" in the screen below:
Enter "changeit" at the password prompt. This is the password protecting the private key inside the PFX file, so delete the PFX from the machine once the import has finished.
For the remaining steps, accept the default options until the wizard finishes.
Step 3: Replace Windows Logon Agent certificate
Open the DualShield Windows Logon Manager
Click the "Select Certificate" button
Select the "Computer account" tab
Select the certificate with the new expiration date, i.e. the one you just imported,
then click "OK" to save it.
SAML Service Providers
If you have SAML service providers, your DualShield SSO is the IdP of those service providers, and you need to update the IdP certificate in each of them.
Step 1: Download IdP Certificate
Log in to the management console of the DualShield backend server and navigate to "SSO | SSO Servers".
If you have frontend servers, then you will see more than one SSO server listed.
Click the context menu of the desired SSO server, then select "Download IdP Certificate"
Step 2: Replace IdP Certificate in the service providers