Federation Manager Guide › SSL Administration for Federation Manager › How to Migrate SSL Keys and Certificates

How to Migrate SSL Keys and Certificates

For Federation Manager r12.1 SP3, the SSL key and certificate files for the embedded Apache and Tomcat servers are encrypted. For releases 12.0 and 12.0 SP1, these files are not encrypted. To avoid purchasing a new key/certificate pair for an encrypted file, migrate existing key or certificate files from Federation Manager r12.0/r12.0 SP1 to r12.1 SP3. You can also export these files for backup purposes without migrating them.

Important! For Federation Manager systems before r12.1, the embedded Tomcat server uses a self-signed certificate. You cannot use this self-signed certificate for a migration to r12.1 SP3. Purchase a signed certificate and upgrade the Tomcat SSL configuration with the signed certificate.

For Apache, you can migrate files for SSL connections beginning at Federation Manager r12.0. For Tomcat, you can migrate files only from Federation Manager r12.1 forward because in Federation Manager 12.0, a self-signed certificate secured the Tomcat key store. Beginning with r12.1, Federation Manager requires that a Certificate Authority signs the certificate.

Migrating SSL keys and certificate files is useful in the following situations:

• To move to a different version of Federation Manager on a new system instead of upgrading an existing system. Migrate the SSL keys or certificates from the existing system to the new system.
• To migrate SSL keys and certificates from one system in a cluster to another. Migrating lets you reuse the keys and certificates. For example, if a load balancer passes SSL requests to the Federation Manager systems in a cluster, each system must use the same keys and certificates. Therefore, you would migrate keys and certificates from one system to the other.

Note: If you upgrade a Federation Manager 12.0 system to Federation Manager r12.1 SP3, the installer automatically upgrades Apache and Tomcat SSL key and certificate files to encrypted files. This automatic does not apply to migrations.

The Federation Manager certificate and private key files are as follows:

Apache

• The server.key file contains a private key.
• The server.cert file contains a server certificate.

Tomcat

• For Federation Manager r12.0, the tomcat.keystore file contains a self-signed certificate. For Federation Manager r12.1x, the tomcat.keystore file contains a CA-signed certificate and private key pair.

To migrate or export these files, use the Federation Manager SSL utility named migratessl. The migration utility is included with Federation Manager r12.1 SP3 as a batch file for Windows systems and a shell script for UNIX systems. Federation Manager installs the tool in the federation_mgr_home/bin folder.

The process to migrate SSL files is as follows:

1. Copy the key and certificate files from the existing r12 Federation Manager system to any location on the Federation Manager r12.1 SP3 system.
2. Copy the migratessl tool to the location where you copied the key and certificate files.
3. If you migrate signed certificates, export the Certificate Authority certificate that signed the SSL certificate. Before you continue with the migration, import the CA certificate.