Replacing the Existing ActiveMatrix BPM SSO Certificates

In Java 8, the MD5withRSA algorithm has been disabled. This change invalidates the existing ActiveMatrix BPM SSO certificates in the default keystores (amx-bpm-wss-keystore.jks and amx-bpm-wss-truststore.jks) If you use these certificates for SSO authentication, you must manually replace the existing keystores with new, compliant versions that are supplied with ActiveMatrix BPM 4.3.

Note: The ActiveMatrix BPM SSO certificates in the default keystores are only intended for demonstration or testing purposes. They are not intended for use in a production environment.

The new keystores are not installed automatically as part of an upgrade, because doing so would overwrite any other certificates that you may have written to those keystores.

You only need to perform this step if you use the existing ActiveMatrix BPM SSO certificates in the default keystores, and if you are upgrading from ActiveMatrix BPM version 4.1 or earlier. If you use your own certificates and different keystores, you do not need to do anything.

Procedure

  • Copy the amx-bpm-wss-keystore.jks and amx-bpm-wss-truststore.jks keystore files from the TIBCO_HOME\bpm\4.3\scripts\deployer\templateFiles folder to the CONFIG_HOME\bpm\bpmApplicationName\keystores folder.
    Note: This will overwrite any other certificates in these keystores that you have added/replaced, and you will need to add/replace those certificates yourself.