WCC command sponsor / igateway deprecated public key solution.

Document ID : KB000010906
Last Modified Date : 14/02/2018
Introduction:

The igateway process communicates various requests (chk_auto_up, jil, sendevent...) made on the WCC command line over port 5250 on the Workload Automation server to the command sponsor service.
 

The communication on port 5250 between iGateway and the command sponsor has been found to use a deprecated public key length. The procedure below is the CA solution.

Instructions:

Use the following instructions to modify the certs with a custom key length and a custom digest algorithm. Check the iGateway version before running them.

The iGateway version must be 4.7.4.0 or later, as custom key length support was added in that release.
To check the version use the . *.conf files in the iTechnology directory will have the version and build number as: 
If you do not have the iAuthority.conf file, the iAuthority.xml file we provided is not needed: step 3 will involve only 2 files and step 4 will not be necessary.
The steps need to be run as root.
The commands are run only on the machine where the command sponsor exists.
Only iGateway needs to be cycled. The Scheduler and Application Server do not need to be stopped; only iGateway is affected.

The 3 xml files provided by CA contain an entry that specifies digest algorithm SHA256 and a key length of 2048, so no change is needed. If you want to use a different length, alter the files to specify that length.

Instructions:

  1. Stop iGateway service
  2. Take a backup of iTechnology folder
  3. Copy the three files, attached with this email, under iTechnology folder
  4. Edit iAuthority.conf and remove the "<TrustedRoot ..." section.
  5. Remove all *.cer and *.key files under iTechnology folder
  6. Start igateway
  7. iGateway will regenerate the certificates during startup as the certificates are missing (deleted in step 5)
  8. iGateway must start successfully
  9. Now run the following openssl command to check the certificates
    1. openssl x509 -in iauthority.cer -text -noout
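
The check in step 9, automated as an added example (not CA's code): the functions below parse the `openssl x509 -text -noout` output of each regenerated certificate and flag any whose key is shorter than 2048 bits or whose signature does not use SHA256. The function names, the sample text and the directory path are assumptions; the thresholds mirror igateway.iTechSDK.xml.

```shell
# Added example (not CA's code): check certificates against the values in
# igateway.iTechSDK.xml. The thresholds below mirror that file.
MIN_BITS=2048
WANT_DIGEST=sha256

# Reads `openssl x509 -text -noout` output on stdin, prints "<bits> <sigalg>".
# Returns 0 if compliant, 1 if key too short or wrong digest, 2 if unparsable.
check_cert_text() {
    text=$(cat)
    # Matches "Public-Key: (2048 bit)" and the older "RSA Public Key: (1024 bit)"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # First "Signature Algorithm:" value, lowercased
    sig=$(printf '%s\n' "$text" | tr 'A-Z' 'a-z' |
        sed -n 's/.*signature algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ -n "$sig" ] || { echo "unparsed"; return 2; }
    echo "$bits $sig"
    [ "$bits" -ge "$MIN_BITS" ] || return 1
    case "$sig" in *"$WANT_DIGEST"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: text output for a certificate that fails both checks.
sample_weak_text() {
    printf '%s\n' '    Signature Algorithm: sha1WithRSAEncryption' \
                  '            RSA Public Key: (1024 bit)'
}

# Runs the step 9 openssl command on each *.cer file in a directory.
# Usage: check_cert_dir /path/to/iTechnology   (placeholder path)
check_cert_dir() {
    dir=$1; rc=0; found=0
    for f in "$dir"/*.cer; do
        [ -f "$f" ] || continue
        found=1
        if out=$(openssl x509 -in "$f" -text -noout 2>/dev/null | check_cert_text); then
            echo "OK   $f ($out)"
        else
            echo "FAIL $f ($out)"; rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no .cer files in $dir"; return 2; }
    return "$rc"
}
```

A non-zero return from check_cert_dir means at least one certificate was not regenerated with the configured key length and digest, or could not be read.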
Additional Information:

To stop iGateway, run $IGW_LOC/S99igateway stop

To start iGateway, run $IGW_LOC/S99igateway start

 

Example of igateway.iTechSDK.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<iTechSDK>
  <FIPSMode/>
  <Commons>
    <etpkiCryptoLib/>
  </Commons>
  <TransportConfig>
    <secureProtocol/>
  </TransportConfig>
  <Security>
    <digestAlgorithm>SHA256</digestAlgorithm>
    <keyLength>2048</keyLength>
  </Security>
  <Debug>
    <logLevel/>
    <logToFile/>
    <logFile/>
    <maxLogSize/>
  </Debug>
</iTechSDK>

File Attachments:
TEC1550086.zip