DualShield servers produced before June 17, 2013 has a restriction: its CA certifcate has a life time of only 10 years. 

If you DualShield server was installed before June 17, 2013 and it has never been reinstalled, then it is likely that its CA certificate will expire soon.


 How to check the expiration date of DualShield CA certificate

Step 1: On the DualShield server machine, open the Windows Command Prompt


Step 2: Enter the command below:

"c:\Program Files\Deepnet DualShield\jre\bin\keytool" -list -v -keystore "c:\Program Files\Deepnet DualShield\jre\lib\security\cacerts" -alias dualultimateca


Step 3: At the prompt of “Enter keystore password:”, enter “changeit


Step 4: Look out the line “Valid from … until …” in the result.

The date after "until:"  is the expiration date of the DualShield CA certificate.


If the expiration date of your DualShield CA certificate will expire soon in the near future, then you must follow the guide below and renew its CA certificate before it expires. 

Warning: The process below will stop and start your DualShield server a couple of times. You should carry out the process in off hours in order to minimise the interruption.


Step 1: Download the following file

Renew DualShield CA Cert v2.zip


Step 2: Unzip the files to a temp folder where the DualShiels server is installed, e.g. "C:\TEMP"


Step 3: Open Windows PowerShell. First, execute the command "Set-ExecutionPolicy Unrestricted"

Then, execute the script "tencert.ps1" 

 


Step 4: Now, you can start the DualShield server

Wait until the DualShield service is fully started. (How to check if a DualShield server is fully started)


Step 5: Then, you have to restart the DualShield service one more time

 


Step 6: Once the DualShield service is fully started, login to its management console. Navigate to "Administration | Tasks". Browse through the list of tasks and you should be able to find a newly added tasked called "Renew all agent certificates".

This task should have the following flags:

  • Enabled : false
  • Executed : 1
  • Succeeded : 1
  • Failed: 0

You do not need to take any further action with this task. In fact, you can delete this task if you like, as it is no longer needed and should not be used again. 


If you have reached this point without any error, then you have successfully renewed the CA certiftcate, SSO IdP signing certificate and all Agent certificate in this DualShield server. However, you still need to check and update the certificate in the following components:

  • Frontend Servers
  • Secondary HA Servers
  • RADIUS Servers
  • Windows Logon Agents 
  • SAML Service Providers

Frontend Servers

If you have DualShield frontend servers, do not carry out the above steps on the frontend servers. Instead, follow the steps below:


 How to renew frontend server certificate

Step 1: Download Frontend Agent Certificate


A fontend DualShield server can have 1 - 3 roles, namely 

  • SSO
  • Self Service (SelfSRV)
  • Provision Service (PROV)

Login to the management console of the DualShield backend server, navigate to "Authentication | Agents"

In the above screenshot, this one frontend server at the IP address of "192.168.30.12". This frontend server has 3 roles, SSO (FRONT-SSO), Self-Service (FRONT-SelfSRV) and Provisioning Service (FRONT-PROV).

You need to download the agent certificate for each of those 3 roles.


In the "Downloads" folder, you should have 3 files like below:


Step 2: Replace Frontend Agent Certificate


Now, login to the frontend server, e.g. 192.168.30.12 in this example. In the Windows file explorer, navigate to "C:\Program Files\Deepnet DualShield\certs"

As you will see, there are the following 3 files:

  • sso.jks
  • dss.jks
  • dps.jks

You need to replace those files with the files that you downloaded in Step 1.

  • replace "sso.jks" with "front-sso.jks"
  • replace "dss.jks" with "front-selfsrv.jks"
  • replace "dps.jks" with "front-prob.jks"


Step 3: Replace the frontend IdP certificate

Copy the following file from the backend server to the frontend server

  • c:\Program Files\Deepnet DualShield\certs\idpfull.jks

and overwrite the existing file on the front server.


Step 4: Restart the frontend DualShield server

Secondary HA Servers

If you have DualShield HA servers, do not carry out the above steps on the secondary HA servers. Instead, follow the steps below:


  How to renew secondary HA server certificate

Copy the following files from the primary server on which you have just renewed its CA certificate:

  • c:\Program Files\Deepnet DualShield\jre\lib\security\cacerts
  • c:\Program Files\Deepnet DualShield\certs\idpfull.jks
  • c:\Program Files\Deepnet DualShield\config\appsso-metadata.xml

to the same locations on the secondary HA server, and overwrite the existing files on the seconday server.

Restart the secondary DualShield server

RADIUS Servers

If you have DualShield RADIUS servers, follow the steps below to renew its certificate


 How to update DualShield RADIUS Agent Certificate

Step 1: Download RADIUS Agent Certificate


Login to the management console of the DualShield backend server, navigate to "Authentication | Agents"

In the above screenshot, there is one RADIUS server at the IP address of "192.168.30.11". You need to download the agent certificate of this RADIUS server

In the "Downloads" folder, you should have see a file like below:


Step 2: Replace RADIUS Agent Certificate


Now, login to the RADIUS server, e.g. 192.168.30.11 in this example. In the Windows file explorer, navigate to "C:\Program Files\Deepnet Radius Server\conf"

As you will see, there is a file called "dualradiusserver.jks"

You need to replace this file "dualradiusserver" with the file that you downloaded in Step 1, e.g. "DAS01-RADIUS.jks"


Step 3: Restart the DualShield RADIUS server

Windows Logon Agents

If you have DualShield Windows Logon Agents, follow the steps below to renew its certificate


 How to update DualShield RADIUS Agent Certificate

Step 1: Download Windows Logon Agent Certificate


Login to the management console of the DualShield backend server, navigate to "Authentication | Agents"

In the above screenshot, there is one Winodws logon agent at the IP address of "192.168.30.11". You need to download the agent certificate of this logon agent

In the "Downloads" folder, you should have see a file like below:


Step 2: Install Window Logon Agent Certificate


Now, login to the Windows logon agent machine, e.g. 192.168.30.11 in this example. 

Copy the downloaded file in Step to this machine, e.g. "DAS01-WA.PFX"

Install this certificate to the Windows keystore

 


Select "Local Machine" in the screen below:


Enter "changeit" at the password prompt

In the rest of steps, select the default options until finish


Step 3: Replace Windows Logon Agent certificate


Open the DualShield Windows Logon Manager

Click the "Select Certificate" button

Select the "Computer account" tab 

Select the certificate with the correct expiration date

then, click "OK" to save it.





SAML Service Providers

If you have SAML service providers, it means that your DualShield SSO is the IdP of your SAML service providers. You need to update the IdP certificate in all of your SAML service providers. 


 How to update IdP certificate in SAML Service Providers

Step 1: Download IdP Certificate


Login to the management console of the DualShield backend server, navigate to "SSO | SSO Servers"

If you have frontend servers, then you will see more than one SSO server listed.

Click the context menu of the desired SSO server, then select "Download IdP Certificate"


Step 2: Replace IdP Certificate in the service providers