000014924 - How do you replace or update an existing FIM keystore?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014924
Applies To: Federated Identity Management Module 4.0
Issue: How do you replace or update an existing FIM keystore?
A new keystore has been created to replace an existing keystore, but FIM does not appear to be using the new keys.
Cause: The FIM managed nodes read the keystore from the filesystem when the node starts up and keep a copy in an in-memory cache. If the underlying keystore file is changed on the filesystem afterwards, FIM is not aware of the change until the managed nodes are restarted.
Resolution: This problem is resolved in hotfix HF_24 for RSA FIM 4.1 and hotfix HF_24 for RSA FIM 4.0. Contact RSA Support and request this hotfix or the latest cumulative hotfix for your platform. After the hotfix is applied, the behavior of RSA FIM changes: when RSA FIM encounters an error reading information from the cached copy of a keystore, it automatically flushes the old information from the cache and reads a fresh copy from the filesystem. This allows you to update the RSA FIM keystores on a running system.
Notes: If you add a new keystore under a new keystore name, FIM can use it immediately after it is configured in the console, because there is no cached copy of that keystore yet. Similarly, if you change the password or the alias name in the FIM console, those changes take effect immediately, without a restart of the managed node, as long as the cached keystore already contains a key matching the new alias and password.
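The caching behavior described under Cause, Resolution and Notes, as an added illustrative model in Python. This is not RSA FIM code: the line-based keystore file format, the ManagedNode class, the scenario functions and the alias names are constructed for this example, and a password is modelled per alias rather than as a real JKS or PKCS12 keystore. With reload_on_error=False (pre-hotfix) a keystore replaced on disk stays invisible until the node restarts; with True (the HF_24 behavior) the first lookup that fails against the cached copy flushes it and re-reads the file. The same_alias_scenario shows an inference that follows from the reload being triggered only by an error, not something the article states explicitly: if the replacement keystore reuses the same alias and password, the cached lookup still succeeds and the old key keeps being served, so such a replacement still needs a restart or a new alias.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Toy keystore: one "alias:password:key" line per entry (constructed format,
# not a real JKS/PKCS12 file); the point is the caching, not the file format.
Entries = Dict[str, Tuple[str, str]]


def read_keystore(path: str) -> Entries:
    """Parse the toy keystore file into {alias: (password, key)}."""
    entries: Entries = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            alias, password, key = line.split(":", 2)
            entries[alias] = (password, key)
    return entries


class ManagedNode:
    """Hypothetical model of a node that caches each keystore on first use.
    reload_on_error=False mimics the pre-hotfix behavior, True mimics HF_24."""

    def __init__(self, reload_on_error: bool) -> None:
        self.reload_on_error = reload_on_error
        self._cache: Dict[str, Entries] = {}
        self.disk_reads = 0  # counts how often the file was actually read

    def _cached(self, path: str) -> Entries:
        if path not in self._cache:
            # No cached copy yet (a newly configured keystore name): read it now.
            self._cache[path] = read_keystore(path)
            self.disk_reads += 1
        return self._cache[path]

    def _lookup(self, path: str, alias: str, password: str) -> str:
        entries = self._cached(path)
        if alias not in entries:
            raise KeyError(f"alias {alias!r} not in cached copy of {path}")
        stored_password, key = entries[alias]
        if stored_password != password:
            raise ValueError(f"wrong password for alias {alias!r}")
        return key

    def get_key(self, path: str, alias: str, password: str) -> str:
        try:
            return self._lookup(path, alias, password)
        except (KeyError, ValueError):
            if not self.reload_on_error:
                raise  # pre-hotfix: the stale cache persists until the node restarts
            # post-hotfix: flush the cached copy and read the file again, once
            self._cache.pop(path, None)
            return self._lookup(path, alias, password)


def write_keystore(path: str, *lines: str) -> None:
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")


def replace_keystore_scenario(reload_on_error: bool) -> dict:
    """The keystore file is replaced on disk while the node is running."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fim.keystore")
        write_keystore(path, "sign-2016:oldpass:KEY-OLD", "sign-2015:oldpass:KEY-2015")
        node = ManagedNode(reload_on_error)
        old = node.get_key(path, "sign-2016", "oldpass")      # first use: read + cache
        sibling = node.get_key(path, "sign-2015", "oldpass")  # already cached: no read
        write_keystore(path, "sign-2017:newpass:KEY-NEW")     # new keystore replaces old
        try:
            new: Optional[str] = node.get_key(path, "sign-2017", "newpass")
        except KeyError:
            new = None  # a pre-hotfix node never sees the new file
        return {"old": old, "sibling": sibling, "new": new, "disk_reads": node.disk_reads}


def same_alias_scenario(reload_on_error: bool) -> dict:
    """New key material under an unchanged alias and password: the cached
    lookup still succeeds, so nothing triggers a reload in either mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fim.keystore")
        write_keystore(path, "sign:pass:KEY-OLD")
        node = ManagedNode(reload_on_error)
        before = node.get_key(path, "sign", "pass")
        write_keystore(path, "sign:pass:KEY-NEW")
        after = node.get_key(path, "sign", "pass")
        return {"before": before, "after": after, "disk_reads": node.disk_reads}


if __name__ == "__main__":
    for mode in (False, True):
        print("reload_on_error =", mode)
        print("  replace:", replace_keystore_scenario(mode))
        print("  same alias:", same_alias_scenario(mode))
```

Running the script prints both scenarios in both modes. Before concluding that the hotfix is not working, confirm that the alias configured in the console really exists in the keystore file on disk (for a Java keystore, `keytool -list -v -keystore <file>`), because the reload path only helps when the fresh copy of the file actually contains the requested alias and password.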
Legacy Article ID: a49633