PowerProtect: Certificate Authority (CA) functionality with PPDM

Summary: With the release of PPDM 19.16 patch 2, the PPDM Certificate Authority (CA) functionality can be enabled. It supports signing Certificate Signing Requests (CSRs) using an Intermediate Certificate Authority (Intermediate CA). This enhancement is for users who want to replace self-signed certificates with certificates signed by a customer CA. It allows a flexible and secure certificate issuance process and integration with hierarchical certificate structures. ...


Instructions

Prerequisite:

  1. Deploy latest PPDM OVA (19.17 or 19.16 patch 2)
  2. Complete the UI installation

Note:  This workflow can only be performed on PPDM in Day 1 configuration.

Day 1 configuration means that ICA replacement is supported only on a fresh install of the R16 Patch 2 and R17 releases. After deploying the PPDM OVA and configuring the appliance, replace the ICA before adding any asset sources, registering application agents, deploying proxies, reporting, search, and so on.
 

The following steps can be used to change the Certificate Authority (CA).
 
There are three options to perform the ICA replacement workflow (UI, API, or Manual). Customers are recommended to use the UI method as the other methods require specialist knowledge. 

NOTE: Before beginning the workflow, take a snapshot of the VM. If the replacement workflow fails, it will be possible to revert.

  1. Option 1 - UI
    1. Prepare the icakey.pem and ica.pem certificates
    2. Navigate to Administration > Certificates > Internal > Replace Certificates
    3. In the form, upload icakey.pem to the Private Certificate textbox and ica.pem to the Public Certificates Chain textbox, check the Intermediate Certificate Authority checkbox, and click Replace
    4. Monitor the progress in the log from the CLI console; it should take approximately 15 minutes to complete:
      tail -f /var/log/brs/secretsmgr/ppdm_certs_regeneration.log
      Note: The PPDM is put into Maintenance Mode during the ICA replacement. The UI gets restarted, but the replacement is still in progress even when the UI first comes back on, so the user should monitor the log file through the console to confirm that it has been completed.
    5. After confirming the replacement completion from the log, refresh the browser and confirm that the certificate has been replaced: click the "Not Secure" button next to the address bar, click the "Certificate is not valid" option, select the Details tab, and confirm that the certificate is 4-level (the top 2 levels showing the "Company Name" root CA, the third level showing PPDM SSL ICA, and the last being the host certificate with the corresponding PPDM hostname, signed by the PPDM SSL ICA).
  2. Option 2 - API
    1. POST /api/v2/certificates-replacement
      {
          "privateKey": "-----BEGIN RSA PRIVATE KEY-----\n<base64 private key data>\n-----END RSA PRIVATE KEY-----",
          "certificateChain": "-----BEGIN CERTIFICATE-----\n<base64 certificate data>\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<base64 certificate data>\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<base64 certificate data>\n-----END CERTIFICATE-----",
          "ica": true
      }
    2. Monitor the progress in the log from the CLI console; it should take approximately 15 minutes to complete:
      tail -f /var/log/brs/secretsmgr/ppdm_certs_regeneration.log
      The PPDM is put into Maintenance Mode in this ICA replacement workflow, and the UI shows a warning message. At some point the UI restarts, losing the warning message. The replacement is still in progress even when the UI comes back on. The user should monitor the log file through the console to confirm that it has been completed.
  3. Option 3 - Manual through SSH console
    1. This method requires the CMD tool and the .crt and .key files to be available. Contact support for further advice on this method.
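
Added example (not Dell's code): a Python helper that builds the Option 2 request body from the contents of icakey.pem and ica.pem, rejecting files whose PEM blocks are malformed or of the wrong type and leaving the line-break escaping to json.dumps. The function names and the sample data are assumptions made for this example, and it only produces the body; it does not send the request.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def make_pem(label, der):
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for each PEM block, rejecting bad base64."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # keys and certificates are DER SEQUENCEs
            raise ValueError(f"{label} block does not contain DER data")
        blocks.append((label, der))
    return blocks


def build_body(key_pem, chain_pem):
    """Build the JSON body for POST /api/v2/certificates-replacement."""
    keys, chain = pem_blocks(key_pem), pem_blocks(chain_pem)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("key file must hold exactly one private key")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("chain file must hold only CERTIFICATE blocks")
    if len({der for _, der in chain}) != len(chain):
        raise ValueError("chain file repeats a certificate")
    # Re-armour from the decoded bytes so CRLF, stray text and blank lines are dropped.
    body = {
        "privateKey": make_pem(*keys[0]).strip(),
        "certificateChain": "".join(make_pem(*c) for c in chain).strip(),
        "ica": True,
    }
    return json.dumps(body, indent=2)  # json.dumps escapes every newline as \n


if __name__ == "__main__":
    # Constructed sample data: tiny DER SEQUENCEs, not real keys or certificates.
    key = make_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
    chain = "".join(make_pem("CERTIFICATE", b"\x30\x03\x02\x01" + bytes([i])) for i in (1, 2, 3))
    print(build_body(key, chain.replace("\n", "\r\n")))
```

The resulting body contains the private key, so store and transmit it with the same care as icakey.pem itself.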
 
Article Properties
Article Number: 000225966
Article Type: How To
Last Modified: 22 Jan 2026
Version:  4