Show Contents / Index / Search

Upgrade Digital Certificates used by Reflection X Advantage Domains

Digital certificates are used in domain mode for authenticating domain nodes and the domain controller. Starting with version 5.0, these certificates use a more secure signing algorithm. If you have upgraded from an earlier version, the domain continues to use your prior version certificates and logs the following warning message in the rxs.log file:

[WARN]: The domain root certificate generated by an earlier version of Reflection X Advantage is signed using the SHA1withRSA algorithm. Current versions create certificates signed using the more secure SHA-256 RSA algorithm. You can upgrade certificates by removing existing certificates.

If you run in FIPS mode, you must upgrade your domain to use the more secure certificates before you can log into the domain. Until you upgrade the certificates, attempts to log into the domain will fail with the message "Authentication with the domain failed." The domain.log file will include a warning entry saying that the connection was rejected because the domain is set for FIPS mode, but has a public key of insufficient length. Use the procedure below to resolve this issue.

To upgrade your domain to use SHA-256 RSA certificates

  1. Stop the Attachmate Reflection X Service on the domain controller and on any domain nodes.
  2. Locate the Reflection X Service configuration files on the domain controller and all domain nodes. The certificates are located in the conf subfolder. Delete all certificates (*.cer) and any associated private key files (same base file name as a certificate with no file extension) from the controller and nodes.

    Note: Do not delete the *.xml files in the conf folder.

  3. Restart the service on the domain controller and nodes. This step generates new certificates and keys to replace the ones you deleted.
  4. Log onto X Administrative Console and delete all node definitions. (These will all have a red slash through them indicating that they are not available.)
  5. On each node, use rxsconfig to leave the domain. You should see a message like the following:

    Unable to remove node 0.0.0.0:22001 from domain domainname. Proceeding with local deletion.

    Deleted node 0.0.0.0:22001 for domain domainname

  6. Use rxsconfig to rejoin each node to the domain.