How to work around Imprivata certificate refreshes that don't require downtime for our end users on IGEL OS?

We are about to hit our Imprivata ssoCA.cer expiration date and I'm trying to find a way to renew this cert without having to reboot all our IGELs after a cert change. I've tried setting the Imprivata configuration editor directly using SSH to: `/usr/lib/imprivata/runtime/bin/configuration-editor agent --disable-certificate-checking true`. This works great directly with SSH or in the Custom Commands Base options, but they both require restarts for Imprivata to pick the setting change up. Does anyone know of a workaround for cert refreshes that doesn't require downtime for our end users?


Do you have any ideas on this item?

I’m checking… assuming the cert would be the same name? ssoCA.cer

What IGEL OS version do you have?

We have a mix of versions currently in our environment. I'm assuming that all the devices we have that are prior to 10.5 don't care about the cert name, but the 11.3-4's we have do look specifically for the ssoCA.cer in the wts/ca-certs/ location. Is that correct?

@member in 11.04 and 03, we added the ability to set the path to the new cert (i.e. change the name). So you could upload the new cert under a different name and change the profile to point to the new cert. I'm trying to figure out if the reboot is still needed.

@member, do you have any thoughts on whether the cert can be swapped out without a reboot on the IGEL? See thread above.

I will sure give that a test and see if it works without a restart! Thanks as always, for the quick responses guys!

Hmm, that's a good question! Rather than a full reboot, I'm wondering if you could re-run the Bootstrap process, because this is when the actual certificate checking should occur (/services/imprivata/bin/ImprivataBootstrap).

I can say the cert name/location change didn't work without a restart; everything still references the old cert. @member, is there a preferred custom location to try and rerun that bootstrap load? I can try it via direct SSH and see if it works for sure!

Definitely give that a shot via SSH/local terminal/secure terminal and let us know what you find. If that's the ticket, I think the best way to utilize it would be a profile that runs a timed command via systemd-run:

It does appear to work without a reboot, but it does still, of course, kick the user off the current desktop, requiring them to tap back in. But it's definitely faster than a full reboot (about 1.5 seconds). This may be the way we will need to go for a quick turnaround.
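The approach the thread converges on (upload the renewed CA cert, repoint the profile, then re-run the Imprivata bootstrap through a systemd-run timer instead of rebooting) can be wrapped in a small script so the brief desktop kick-off lands at a quiet hour rather than mid-shift. The following is an added example, not code from the thread, from IGEL or from Imprivata. It uses the bootstrap path named above; the unit name, the default 03:00 schedule, the 24-hour validity margin and the `schedule_refresh` helper are assumptions, and it presumes the device runs systemd and has `openssl` available.

```shell
#!/bin/sh
# Added example (not from the thread, IGEL or Imprivata): validate a renewed
# Imprivata CA certificate and arm a one-shot systemd-run timer that re-runs
# the bootstrap, so the agent picks up the new cert without a full reboot.
# The bootstrap path is the one named in the thread; everything else is assumed.

BOOTSTRAP="${BOOTSTRAP:-/services/imprivata/bin/ImprivataBootstrap}"

# cert_looks_usable CERTFILE [MIN_SECONDS]
# Returns 0 when CERTFILE is a readable X.509 cert (PEM or DER; .cer files are
# often DER) that still has at least MIN_SECONDS of validity left,
# 1 when it is unreadable or expiring too soon, 2 when openssl is unavailable.
cert_looks_usable() {
    cert="$1"; min_secs="${2:-86400}"
    [ -r "$cert" ] || return 1
    command -v openssl >/dev/null 2>&1 || return 2
    for fmt in PEM DER; do
        if openssl x509 -inform "$fmt" -in "$cert" -noout -checkend "$min_secs" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# build_refresh_cmd UNIT_NAME CALENDAR_SPEC
# Prints the systemd-run line that re-runs the bootstrap once at the given
# systemd.time calendar spec (e.g. "*-*-* 03:00:00"). Printing it first lets the
# command that will go into the profile be reviewed and logged before it runs.
build_refresh_cmd() {
    unit="$1"; when="$2"
    printf 'systemd-run --unit=%s --on-calendar="%s" --description="Imprivata bootstrap re-run after CA cert renewal" /bin/sh -c "%s"\n' \
        "$unit" "$when" "$BOOTSTRAP"
}

# schedule_refresh CERTFILE [CALENDAR_SPEC]
# Refuses to schedule when the new cert is unreadable or expires within 24h,
# which would just reproduce the outage the thread is trying to avoid.
schedule_refresh() {
    cert="$1"; when="${2:-*-*-* 03:00:00}"
    if ! cert_looks_usable "$cert" 86400; then
        echo "refusing to schedule: $cert is unreadable, not a certificate, or expires within 24h" >&2
        return 1
    fi
    cmd=$(build_refresh_cmd imprivata-cert-refresh "$when")
    echo "scheduling: $cmd"
    eval "$cmd"
}

# Usage (as root on the IGEL device, e.g. from a profile custom command;
# the cert path is a placeholder):
#   schedule_refresh /path/to/ssoCA.cer "*-*-* 03:00:00"
```

Because the timer is transient, it disappears after it fires, and `systemctl list-timers` shows whether it is still pending. Keep in mind that re-running the bootstrap still signs the current user out of the desktop for a moment, so the calendar spec should match a window when nobody is expected to be tapped in.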

Thank you very much for that idea and the documentation on how to run it!
