TLS Certificate Update Procedure
TLS Certificate Renewal
To renew or change the TLS certificate on the Shield API server after it has expired, follow these steps on that server.
1. Log in to the Shield API server.
2. Install the new TLS certificate.
3. Open the Shield API installation folder:
   C:\Program Files (x86)\Ivanti\IWCShieldAPI
4. Run the updateSSLCertificate batch file.
5. It will launch a new wizard. Select the new certificate.
6. Click OK and copy the URL.
   Save this URL in an accessible location as you will need it later to configure other Ivanti Workspace Control components.
Now, follow Steps 1 to 6 again to set up the Secondary Shield API server for the Active-Passive Shield API setup. After the setup, save the Secondary Shield API server details for further configuration.
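A check that can be run after the renewal on both servers, before the Console and Agents are reconfigured: it reads the certificate each Shield API endpoint presents and reports its thumbprint, expiry and trust status. This is an added example, not Ivanti's code; the two URLs and the 30-day warning threshold are assumptions.

```powershell
# Added example. The URLs are placeholders: use the URLs saved in Step 6.
$ShieldApiUrls = @(
    'https://shield-primary.example.internal/',
    'https://shield-secondary.example.internal/'
)
$WarnDays = 30   # assumed warning threshold, not an Ivanti setting

function Get-ServedCertificate {
    param([Parameter(Mandatory = $true)][uri]$Url)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Url.Host, $Url.Port)
        # Accept whatever certificate is presented so that an expired or
        # untrusted one can still be read; no data is sent on this connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($Url.Host)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Url          = $Url.AbsoluteUri
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                DaysLeft     = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                # Chain validation on this machine; does not check the host name.
                ChainTrusted = $cert.Verify()
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

foreach ($endpoint in $ShieldApiUrls) {
    try {
        $r = Get-ServedCertificate -Url $endpoint
        $status = 'OK'
        if (-not $r.ChainTrusted)      { $status = 'UNTRUSTED' }
        if ($r.DaysLeft -lt $WarnDays) { $status = 'EXPIRING' }
        if ($r.DaysLeft -lt 0)         { $status = 'EXPIRED' }
        $r | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    } catch {
        Write-Warning "$endpoint : $($_.Exception.Message)"
    }
}
```

Compare the reported Thumbprint with that of the certificate selected in the wizard to confirm each server is presenting the new certificate.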
Reconfigure the Workspace Control Console and Workspace Control Agent with new Shield API details
After updating the TLS certificate on the Shield API server, follow these steps to reconfigure both the Workspace Control Console and the Workspace Control Agent with the new Shield API information so that they download the latest TLS certificate.
1. Log in to the Ivanti Workspace Control Console or Workspace Control Agent machine.
2. To reconfigure, use the command %respfdir%\svc\res.exe /configApi. The Configuration Wizard opens.
3. Enter the new Primary Shield API URL details (URL copied in Step 6 of Section TLS Certificate Renewal).
4. To re-configure the Secondary Shield API, enter the new Secondary API details.
5. Click OK.
After you have completed the wizard, it will configure the Workspace Control Console and Workspace Control Agent with the new Shield API details.
Shield API Security Token Settings
The Shield API generates a security token in response to requests from the Workspace Control Console or Workspace Control Agent. It authenticates only valid domain users and issues a token with a default lifespan of 10 minutes.
Token Lifespan Configuration
You can change the token lifespan by modifying the configuration file:
- Config file path: C:\Program Files (x86)\Ivanti\IWCShieldAPI\Ivanti.IWC.AuthorizationAPI\Web.config
- Config Setting key name: <add key="JwtTokenLifeTimeInMinutes" value="10" />
- Config setting value: The value is specified in minutes.
Ensure the Shield API service is restarted after modifying the configuration for the changes to take effect.