System & Session Manager 6.1 Certificates

If your 6.1 System Manager has been running for nearly 2 years and you can no longer log into System Manager and you get a strange message which looks something like this after you login pages/Welcome.xhtml  @70/67 value=”” ……  or possibly all your SIP endpoints/trunks have died then your certificates may have run out they have to be renewed every two years or are automatically done we you upgrade.

See Avaya PSN’s for full details but a summary of events are below;


In affect you have to download CertificateRenewalUtility.bin from the Avaya support site and upload it to the system manager either using winscp of via sftp to the /tmp directory on System Manager then cd /tmp and run sh CertificateRenewalUtility.bin you should now find you can login to System Manager correctly although I found I had to restart JBOSS on System Manager “service jboss restart”.


Now for Session Manager so log on via the command line, you need root access.

  •  From the Session Manager command line su – sroot and provide the root password
  • Change directory to the following path: cd /opt/Avaya/SIPAS/current/ServiceDirector/tm/external/keystores
  •  Type ls -ltr and hit enter, this will show two entries:

-rw—- 1 root root 1984 Feb 16 13:53 system_manager_external_keystore.jks

-rw—- 1 root root 1984 Feb 16 13:53 sd1_external_keystore.jks

  • Run the following command and hit enter : echo | keytool -list -v -keystore sd1_external_keystore.jks 2>&1 | grep -m 1 Valid
  • Check the validity of the certificate to make sure it has not expired. Take note of all the expiration dates for reference:

(Valid from: Thu Feb 16 13:43:17 MST 2012 until: Sat Feb 15 13:43:17 MST 2014)

  • Run the following command to check the second keystore and hit enter:
  • echo | keytool -list -v -keystore system_manager_external_keystore.jks 2>&1 | grep -m 1 Valid
  • Now run the following command to check the Jboss certificate and hit enter:
  • echo |keytool -list -keystore /opt/jboss/server/*/conf/tm/keystore/container_keystore.jks -v 2>&1|grep -m 1 Valid
  • If all the certificates expiration dates are in the future, no immediate action is required
  •  If any of the certificates are about to expire (but not yet expired) and Session Manager is release 6.0.x or 6.1.x, perform the following steps to renew these certificates:

The following procedure is service affecting and needs to be schedule and executed within the change control guidelines specific to every customer. Approximate outage time required is between 10-30 minutes.

  • From the System Manager Webpage under
  • Home/Elements/Session Manager, select the Session Manager and change the service state to “Deny New Service” ;wait until the active call count is close to zero
  • TMClientInv.xml file: rm -f /opt/Avaya/jboss-4.2.3.GA/server/s*/conf/tm/TMClientInv.xml
  • Run #initTM from the Session Manager command line, providing the enrollment password obtained from System Manager webpage under : Home/Services/Security/Certificates/Enrollment Password
  • Place the Session Manger back in “Accept New Service” from the System Manager Webpage

The process will then continue without further intervention and once completed, all the certificates will now be valid for a minimum of two years

%d bloggers like this: