We are about to hit our imprivata ssoCA.cer expiration date and im trying to find a way to renew this cert without having to reboot all our igels after a cert change. I’ve tried setting the imprivata configuration editor directly using SSH to: “/usr/lib/imprivata/runtime/bin/configuration-editor agent –disable-certificate-checking true”. This works great directly with ssh or in the custom commands Base options but they both require restarts for imprivata to pick the setting change up. Does anyone know of a workaround for cert refreshes that dont require a downtime for our end users?
Do you have any ideas on this item?
I’m checking… assuming the cert would be the same name? ssoCA.cer
What IGEL OS version do you have?
We have a mix of versions currently in our environment. I’m assuming that all the devices we have that are prior to 10.5 dont care about the cert name but the 11.3-4’s we have do look specifically for the ssoCA.cer in the wts/ca-certs/ location. Is that correct?
@member in 11.04 and 03, we added the ability to set the path to the new cert (i.e. change the name). so you could upload the new cert under a different name and change the profile to point to the new cert. I’m trying to figure out if the reboot is still needed.
@member – do you have any thoughts on whether the cert can be swapped out without a reboot on the IGEL? see thread above.
I will sure give that a test and see if it works without a restart! Thanks as always, for the quick responses guys!
Hmm, that’s a good question! Rather than a full reboot I’m wondering if you could re-run the Bootstrap process because this is when the actual certificate checking should occur (/services/imprivata/bin/ImprivataBootstrap)
I can say the cert name/location change didn’t work without a restart, everything still references the old cert. @member Is there a preferred custom location to try and rerun that bootstrap load? I can try it via direct ssh and see if it works for sure!
definitely give that a shot via SSH/local terminal/secure terminal and let us know what you find. If that’s the ticket, I think the best way to utilize it would be a profile that runs a timed command via systemd-run: kb.igel.com/igelos-11.04/en/creating-a-timed-command-cron-replacement-32870247.html
It does appear to work without a reboot but it does still, of course, kick the user off the current desktop, requiring them to tap back in but its definitely faster than a full reboot (about 1.5 seconds). This may be the way we will need to go for a quick turn around.
Thank you very much for that idea and the documentation on how to run it!
Continue reading and comment on the thread ‘How to workaround Imprivata certificate refreshes that dont require a downtime for our end users on IGEL OS?’. Not a member? Join Here!
Learn more, search the IGEL Knowledge Base
Ask a question or comment on the above message thread?Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.
Submit a question, or Join Today!
Popular Message Threads
- How to Install IGEL OS via a Bootable USB Drive
- Citrix connection via Netscaler Error: “AM_ERROR_AUTH_NETWORK_ERROR” on IGEL OS
- After upgrading to IGEL OS 11.04.200.01 my Citrix Storefront configuration does not work anymore – Error adding store: AM_ERROR_AUTH_NETWORK_ERROR
- How to change the default IGEL UMS admin password?
- Error connecting to Citrix StoreFront “Error adding store: Http error”
- Receiving error: “Citrix Receiver cannot create a secure connection in this browser” when launching a secure connection from Firefox on IGEL OS
- Where to delete the certificates that cause ‘invalid certificate’ when trying to import an IGEL into UMS?