System & Session Manager 6.1 Certificates


If your 6.1 System Manager has been running for nearly 2 years and you can no longer log into System Manager, and you get a strange message after you log in which looks something like pages/Welcome.xhtml @70/67 value="" ……, or possibly all your SIP endpoints/trunks have died, then your certificates may have expired. They have to be renewed every two years, or are renewed automatically when you upgrade.

See the Avaya PSNs for full details; a summary of the steps is below.

SYSTEM MANAGER

In effect, you have to download CertificateRenewalUtility.bin from the Avaya support site and upload it to the /tmp directory on System Manager, either using WinSCP or via sftp. Then cd /tmp and run sh CertificateRenewalUtility.bin. You should now find you can log in to System Manager correctly, although I found I had to restart JBOSS on System Manager: “service jboss restart”.

SESSION MANAGER

Now for Session Manager: log on via the command line. You need root access.

  • From the Session Manager command line, run su - sroot and provide the root password
  • Change directory to the following path: cd /opt/Avaya/SIPAS/current/ServiceDirector/tm/external/keystores
  • Type ls -ltr and hit enter; this will show two entries:

-rw------- 1 root root 1984 Feb 16 13:53 system_manager_external_keystore.jks

-rw------- 1 root root 1984 Feb 16 13:53 sd1_external_keystore.jks

  • Run the following command and hit enter: echo | keytool -list -v -keystore sd1_external_keystore.jks 2>&1 | grep -m 1 Valid
  • Check the validity of the certificate to make sure it has not expired. Take note of all the expiration dates for reference:

(Valid from: Thu Feb 16 13:43:17 MST 2012 until: Sat Feb 15 13:43:17 MST 2014)

  • Run the following command to check the second keystore and hit enter: echo | keytool -list -v -keystore system_manager_external_keystore.jks 2>&1 | grep -m 1 Valid
  • Now run the following command to check the Jboss certificate and hit enter: echo | keytool -list -keystore /opt/jboss/server/*/conf/tm/keystore/container_keystore.jks -v 2>&1 | grep -m 1 Valid
  • If all the certificates' expiration dates are in the future, no immediate action is required.
  • If any of the certificates are about to expire (but not yet expired) and Session Manager is release 6.0.x or 6.1.x, perform the following steps to renew these certificates:

The following procedure is service affecting and needs to be scheduled and executed within the change control guidelines specific to every customer. Approximate outage time required is between 10-30 minutes.

  • From the System Manager webpage under Home/Elements/Session Manager, select the Session Manager and change the service state to “Deny New Service”; wait until the active call count is close to zero
  • Remove the TMClientInv.xml file: rm -f /opt/Avaya/jboss-4.2.3.GA/server/s*/conf/tm/TMClientInv.xml
  • Run initTM at the root (#) prompt on the Session Manager command line, providing the enrollment password obtained from the System Manager webpage under: Home/Services/Security/Certificates/Enrollment Password
  • Place the Session Manager back in “Accept New Service” from the System Manager webpage

The process will then continue without further intervention and, once completed, all the certificates will be valid for a minimum of two years.
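The three keytool checks above can be run on a schedule to give advance warning of expiry. The script below is an added example, not part of the original post and not an Avaya tool; it assumes GNU date, and the function names and the 60-day WARN_DAYS window are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from Avaya.
# Assumes GNU date (date -d), as shipped on Linux.

# Pull the "until:" timestamp out of keytool's "Valid from: ... until: ..." line.
until_of() {
    printf '%s\n' "$1" | sed -n 's/.*until: *\(.*[0-9]\{4\}\).*/\1/p'
}

# cert_status LINE NOW_EPOCH WARN_DAYS -> prints EXPIRED, RENEW, OK or UNKNOWN
cert_status() {
    not_after=$(until_of "$1")
    # date -d "" silently means "today at midnight", so reject an empty match.
    [ -n "$not_after" ] || { echo UNKNOWN; return 0; }
    exp=$(date -d "$not_after" +%s 2>/dev/null) || { echo UNKNOWN; return 0; }
    left=$(( exp - $2 ))            # seconds until expiry, negative once expired
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( $3 * 86400 )) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# Sample line as shown in the post, kept here for a constructed self-check.
SAMPLE='Valid from: Thu Feb 16 13:43:17 MST 2012 until: Sat Feb 15 13:43:17 MST 2014'

# Keystore paths as given in the post; absent or unreadable files are skipped.
KS=/opt/Avaya/SIPAS/current/ServiceDirector/tm/external/keystores
WARN_DAYS=60    # hypothetical window; size it to your change-control lead time
now=$(date +%s)
for ks in "$KS/sd1_external_keystore.jks" \
          "$KS/system_manager_external_keystore.jks" \
          /opt/jboss/server/*/conf/tm/keystore/container_keystore.jks; do
    [ -r "$ks" ] || continue
    # Same command as in the post: empty password on stdin, first "Valid" line.
    line=$(echo | keytool -list -v -keystore "$ks" 2>&1 | grep -m 1 Valid) || line=""
    echo "$(cert_status "$line" "$now" "$WARN_DAYS") $ks"
done
```

Run it as root from cron on Session Manager and alert on any line that does not start with OK; UNKNOWN means keytool produced no parsable validity line and should be treated as a failure.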

4 Comments

  1. TPW

    Hi,

    I have this problem, but my SMGR is stuck in

    System initialization is in progress. Please try to login at a later time.

    Need more help? please contact support team.

    Does somebody know how I can fix this?


  2. MRA

    I had this issue and found this article to be valuable.. thanks for posting it…!


  3. Kenny Wong

    What is the purpose of putting a certificate with expiry date in? There isn’t any alert/warning that the certificate is due to expire. We got stuck for half the whole day!


    • Grizzlys

      Avaya expects you to follow the upgrade path, this will reset the security certificates.

