Renew OTDS certificate

To renew the certificate manually:

Open the URL: https://otds_app_host-app02/otdsws/rest/systemconfig/certificate_content

Collapse the returned certificate content into a single line and paste it into the file otdsauth.properties, located at D:\Documentum\tomcat9.0.85\webapps\OTDSAuthentication\WEB-INF\classes on the Content Server.

Below is the screenshot:

Restart JMS.

Verify that your application works again.

In general, how long is a new OTDS certificate valid for?

If you save the certificate to a file in Windows with a .cer extension, you can open it to check the expiration date and time. Note that OTDS automatically generates a new certificate exactly 4 weeks before that expiration date.
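The following script is an added example (it is not from the original post) that does the expiry check described above without a GUI: it reads a saved .cer file (DER or PEM), pulls the notAfter field out of the X.509 structure with a minimal DER walker from the standard library only, and reports whether the certificate is already inside the 4-week window in which OTDS generates its replacement. That window is the practical trigger for a manual re-paste: once OTDS has rolled to a new certificate, a copy pasted earlier into otdsauth.properties no longer matches. The `sample_certificate()` fixture is a constructed, unsigned stand-in so the script runs offline; the `.cer` path on the command line is yours.

```python
"""Check the remaining validity of an OTDS certificate saved as a .cer file.

Added example (not from the original post). Standard library only: a minimal
DER walker extracts notAfter, and renewal_status() says whether the
certificate is inside the 4-week window in which OTDS issues a replacement.
"""
import base64
import datetime as dt
import re
from typing import Optional, Union

RENEWAL_WINDOW = dt.timedelta(weeks=4)   # regeneration lead time stated in the post


def load_der(data: bytes) -> bytes:
    """Accept a .cer file's bytes in DER or PEM form and return DER."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq: bytes) -> list:
    """Return (tag, value) pairs for the elements directly inside a SEQUENCE body."""
    items, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        items.append((tag, value))
    return items


def not_after(der: bytes) -> dt.datetime:
    """Return the notAfter timestamp (UTC) of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)          # first element: tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    tag, value = _children(fields[3][1])[1]      # validity.notAfter
    text = value.decode("ascii")
    if tag == 0x17:                              # UTCTime: YYMMDDHHMMSSZ
        parsed = dt.datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:                            # GeneralizedTime: YYYYMMDDHHMMSSZ
        parsed = dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return parsed.replace(tzinfo=dt.timezone.utc)


def renewal_status(der: bytes, now: Optional[Union[dt.datetime, str]] = None) -> dict:
    """Days left, and whether the certificate is within OTDS' 4-week regeneration window."""
    if isinstance(now, str):
        now = dt.datetime.fromisoformat(now)     # e.g. "2024-11-13T00:00:00+00:00"
    now = now or dt.datetime.now(dt.timezone.utc)
    expiry = not_after(der)
    remaining = expiry - now
    return {
        "not_after": expiry.isoformat(),
        "days_left": remaining.days,
        "expired": remaining <= dt.timedelta(0),
        "in_renewal_window": dt.timedelta(0) < remaining <= RENEWAL_WINDOW,
    }


# --- constructed sample, so the module runs offline without a real .cer ---

def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER TLV encoder used only to build the sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def sample_certificate(not_after_utc: str) -> bytes:
    """Unsigned stand-in for a certificate (constructed); only the validity field matters."""
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after_utc.encode()))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                    # [0] version v3
        _der(0x02, b"\x01"),                                                # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _der(0x30, b""),                                                    # issuer (empty here)
        validity,
        _der(0x30, b""),                                                    # subject (empty here)
        _der(0x30, b""),                                                    # subjectPublicKeyInfo (empty here)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_certificate("241201000000Z")
    print(renewal_status(load_der(data)))
```

Run it as `python check_cert.py otds.cer`; `in_renewal_window: True` means OTDS has reached (or is about to reach) the point where it issues a new certificate, so a manually pasted copy on the Content Server is due for replacement.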

How to configure auto-renewal:

Using Chrome, open this URL on the OTDS server and ensure you see the following screen:

Please note: if the above does not work, first make sure that a plain GET request to it succeeds:

Now go to the CS and add the following lines to the otdsauth.properties file:

auto_cert_refresh=true
cert_jwks_url=https://lvdmsprdapp02/otdsws/oauth2/jwks

Then restart JMS. Repeat these steps on every CS.
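Both edits to otdsauth.properties (the one-line certificate paste from the manual procedure, and the two auto-refresh keys above) are the same operation: set a property without disturbing the rest of the file. The script below is an added example, not code from the original post or from OpenText. Two things in it are assumptions: `CERT_KEY` is a placeholder for whatever property already carries the certificate in your file (the post does not name it), and `DEFAULT_PATH` is the Content Server path quoted in the manual procedure. `check_auto_renewal()` also enforces that `cert_jwks_url` is an HTTPS URL ending in `/otdsws/oauth2/jwks`, matching the value shown above; a plain-HTTP JWKS URL would let the Content Server fetch signing keys without transport protection.

```python
"""Edit otdsauth.properties on a Content Server for either renewal mode.

Added example, not from the original post. Assumptions: CERT_KEY (placeholder
for the property that holds the pasted certificate) and DEFAULT_PATH (the
location given in the post).
"""
import re
from pathlib import Path
from urllib.parse import urlsplit

DEFAULT_PATH = Path(r"D:\Documentum\tomcat9.0.85\webapps\OTDSAuthentication"
                    r"\WEB-INF\classes\otdsauth.properties")
CERT_KEY = "certificate"          # ASSUMED placeholder: use the key present in your file
JWKS_PATH = "/otdsws/oauth2/jwks"  # endpoint path from the post's cert_jwks_url

# key at line start, terminated by '=' or ':' (Java properties syntax); '#'/'!' lines are comments
_KEY_RE = re.compile(r"^\s*([^\s#!=:][^=:]*?)\s*[=:]")


def to_single_line(cert_content: str) -> str:
    """Collapse PEM or raw base64 certificate text into the single line the file expects."""
    body = re.sub(r"-----[^-]+-----", "", cert_content)   # drop BEGIN/END markers if present
    return "".join(body.split())


def parse_properties(text: str) -> dict:
    """Minimal key=value reader (comments and blank lines skipped; last definition wins)."""
    props = {}
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            props[m.group(1)] = line[m.end():].strip()
    return props


def set_properties(text: str, updates: dict) -> str:
    """Set each key exactly once, keeping every other line and comment untouched."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        key = m.group(1) if m else None
        if key in updates:
            if key not in seen:               # rewrite the first definition, drop repeats
                out.append(f"{key}={updates[key]}")
                seen.add(key)
        else:
            out.append(line)
    out.extend(f"{k}={v}" for k, v in updates.items() if k not in seen)
    return "\n".join(out) + "\n"


def manual_renewal(text: str, cert_content: str) -> str:
    """Manual mode from the post: paste the current OTDS certificate as one line."""
    return set_properties(text, {CERT_KEY: to_single_line(cert_content)})


def auto_renewal(text: str, otds_host: str) -> str:
    """Auto mode from the post: the CS refreshes keys from OTDS' JWKS endpoint itself."""
    return set_properties(text, {"auto_cert_refresh": "true",
                                 "cert_jwks_url": f"https://{otds_host}{JWKS_PATH}"})


def check_auto_renewal(text: str) -> list:
    """Return the problems with the auto-refresh settings (empty list when they look right)."""
    props = parse_properties(text)
    problems = []
    if props.get("auto_cert_refresh", "").lower() != "true":
        problems.append("auto_cert_refresh is not true")
    url = urlsplit(props.get("cert_jwks_url", ""))
    if url.scheme != "https":                 # signing keys must travel over TLS
        problems.append("cert_jwks_url must use https")
    if url.path != JWKS_PATH:
        problems.append(f"cert_jwks_url should end with {JWKS_PATH}")
    return problems


def update_file(path, updater, *args) -> None:
    """Apply manual_renewal or auto_renewal to a file in place (restart JMS afterwards)."""
    path = Path(path)
    # Java .properties files are read as ISO-8859-1, so write them back the same way
    path.write_text(updater(path.read_text(encoding="latin-1"), *args), encoding="latin-1")


if __name__ == "__main__":
    # constructed sample file content; the real file lives at DEFAULT_PATH on each CS
    sample = "# OTDS auth settings\nsome_other=1\ncertificate=OLD\n"
    print(auto_renewal(sample, "lvdmsprdapp02"))
    print(check_auto_renewal(auto_renewal(sample, "lvdmsprdapp02")))
```

Run `update_file(DEFAULT_PATH, auto_renewal, "lvdmsprdapp02")` on each Content Server, then restart JMS as the post says; `check_auto_renewal()` on the file's text afterwards should return an empty list.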

2 thoughts on “Renew OTDS certificate”

  1. Original error:

    2024-11-13 12:37:01.713|INFO |[main]|DirSyncFactory||DirSyncFactory::startTenantPartitions: Running as Synchronization Master Host
    2024-11-13 12:37:01.738|INFO |[main]|OtdsServletContext||=============================================================================================
    2024-11-13 12:37:01.739|INFO |[main]|OtdsServletContext||OTDS STARTED
    2024-11-13 12:37:01.739|INFO |[main]|OtdsServletContext||=============================================================================================
    2024-11-13 12:37:02.356|INFO |[pool-9-thread-1]|DirSyncEngine||DirSyncEngine::pingConnections: Partition: connected to server: ldaps://lvdc1
    2024-11-13 12:37:02.735|INFO |[https-openssl-nio-443-exec-6]|OtdsSessionCache||OTDS Session Cache Cleaner started
    2024-11-13 12:37:02.744|INFO |[DirSyncEngine ]|DirSyncEngine||DirSyncEngine::Run: Partition – Activated.
    2024-11-13 12:37:04.682|INFO |[pool-15-thread-1]|SPSCTSLicenseManager||Loading license keys…
    2024-11-13 12:37:04.684|INFO |[pool-15-thread-1]|SPSCTSLicenseManager||License keys loaded.
    2024-11-13 12:37:06.856|INFO |[https-openssl-nio-443-exec-1]|OtdsAsConfig||OTDS-AS keystore loaded
    2024-11-13 12:42:01.059|INFO |[pool-15-thread-1]|ExpiryNotifier||Scheduling frequency for SPS expiry notification checking: 24 hours
    2024-11-13 14:04:13.042|INFO |[http-nio-8090-exec-10]|Registry||Oracle EBS authentication handler is not available
    2024-11-13 14:08:24.688|WARN |[https-openssl-nio-443-exec-8]|SAML2Handler||Error processing SAML response. Response: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZ
    com.opentext.otds.OtdsException: missing nonce cookie – check for hostname inconsistency
    at com.opentext.otds.as.drivers.saml.SAML2Handler.processAssertionResponse(SAML2Handler.java:1828) ~[otds-as-as-22.4.0.jar:22.4.0]
    at com.opentext.otds.as.drivers.saml.SAML2Handler.processAuthResponse(SAML2Handler.java:1907) [otds-as-as-22.4.0.jar:22.4.0]
    at com.opentext.otds.as.drivers.saml.SAML2Handler.process(SAML2Handler.java:2496) [otds-as-as-22.4.0.jar:22.4.0]
    at com.opentext.otds.as.OtdsAuthenticationManager.authenticate(OtdsAuthenticationManager.java:1143) [otds-as-as-22.4.0.jar:22.4.0]
    at com.opentext.otds.auth.ASHTTPService.handleAuthenticationRequest(ASHTTPService.java:847) [otds-auth-22.4.0.jar:22.4.0]
    at com.opentext.otds.auth.ASHTTPService.service(ASHTTPService.java:1051) [otds-auth-22.4.0.jar:22.4.0]
    at com.opentext.otds.auth.AsServlet.service(AsServlet.java:30) [otds-auth-22.4.0.jar:22.4.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:223) [catalina.jar:10.0.11]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) [catalina.jar:10.0.11]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-websocket.jar:10.0.11]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) [catalina.jar:10.0.11]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) [catalina.jar:10.0.11]
    at com.opentext.otds.as.TenantFilter.doFilter(TenantFilter.java:223) [otds-as-as-22.4.0.jar:22.4.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) [catalina.jar:10.0.11]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) [catalina.jar:10.0.11]
    at com.opentext.otds.as.CorsFilter.doFilter(CorsFilter.java:117) [otds-as-as-22.4.0.jar:22.4.0]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185) [catalina.jar:10.0.11]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158) [catalina.jar:10.0.11]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [catalina.jar:10.0.11]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [catalina.jar:10.0.11]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) [catalina.jar:10.0.11]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119) [catalina.jar:10.0.11]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:10.0.11]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) [catalina.jar:10.0.11]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:10.0.11]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353) [catalina.jar:10.0.11]
    at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:413) [tomcat-coyote.jar:10.0.11]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:10.0.11]
    at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:74) [tomcat-coyote.jar:10.0.11]
    at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35) [tomcat-coyote.jar:10.0.11]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:10.0.11]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:10.0.11]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:10.0.11]
    at java.lang.Thread.run(Thread.java:829) [?:?]

  2. Troubleshooting:
    otdsws login. Works. Attempt to check dev tools.
    Cookies have secure checked but no same site.
    Checked otds url. HTTPS works.
    Might be certificate issue.
    Checking otdsauth.log.
    Error.
    Checking otdsauth.properties.
    certificate.
    Go to URL. Copy certificate out.
    Update all 3 Documentum Server hosts.
    Restart JMS on each after the change.
    After that, they were able to log in to their XCP application with SSO.
