3.1 Monitoring the expiry of system credentials

MyID keeps track of the expiry dates of the Windows user accounts used to run the MyID components and services, and of the certificates used to secure the MyID services. The system tracks the expiry of the account passwords and of the accounts themselves. The status and expiry date of each of these items are listed on the System Credentials page of the System Status report.

Note: When you first install MyID, this table will be blank. The expiring items feature runs to a schedule (by default, every day at 0300 UTC – see section 3.1.5, Changing the schedule) – this table is populated the first time the system checks the expiry of the accounts and certificates.

The Status column displays Active for all credentials and certificates that are being monitored, and Superseded for any credential or certificate that has been replaced; for example, if you renew the email signing certificate, MyID creates a new entry for the new certificate and lists the old certificate with a status of Superseded.

MyID also sends notification email messages for expiring and expired user accounts and certificates.

The following email templates are used:

You can use the Email Templates workflow to edit the content of these email messages. You must set up email in MyID to allow the system to send these messages – see section 5, Setting up email for details.

3.1.1 The monitoring services

The services that monitor expiring items run on each MyID application server and web server. There is one service for each user account, with the following names:

Each service monitors its own account and certificates, and does so whether it is in the same domain as the rest of the system or on a web server in a DMZ.

The MyID Expiring Items: Web and MyID Expiring Items: Mws services check SSL/TLS certificates on the servers on which they are running, and the iOS OTA signing certificate, if that feature is configured.

The MyID Expiring Items: App service checks all other certificates.

3.1.2 Monitored system credentials

The system credential monitoring system checks the status of the following user accounts and certificates:

Item | Requirements | More information
MyID COM+ user account | (none) | See the Setting up user accounts section in the Installation and Configuration Guide.
MyID IIS user account | (none) | See the Setting up user accounts section in the Installation and Configuration Guide.
MyID web service user account | (none) | See the Setting up user accounts section in the Installation and Configuration Guide.
PIV CHUID Signing Certificate | PIV only | See the Configure server signing certificates section of the PIV Integration Guide.
PIV CBEFF Signing Certificate | PIV only | See the Configure server signing certificates section of the PIV Integration Guide.
PIV Security Object Signing Certificate | PIV only | See the Configure server signing certificates section of the PIV Integration Guide.
Signing Certificate | PIV only; also requires a custom patch | Monitored only on customized systems.
iOS OTA Signing Certificate | Available if your system is configured for iOS OTA. | See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.
Mobile Signing Certificate | Available if your system is configured for mobile issuance. | See the Setting the content signing certificate section in the Mobile Identity Management document for details.
SCEP Signing Certificate | Available if your system is configured for SCEP. | See the Signing and encryption certificates for SCEP section in the Administration Guide.
SCEP Encryption Certificate | Available if your system is configured for SCEP. | See the Signing and encryption certificates for SCEP section in the Administration Guide.
Email Signing Certificate | Available if you have configured email signing. | See section 5.1, Signing email messages in this document.
MS Certificate Services Enrollment Agent | Available if you are using a Microsoft CA. | See the Enrollment Agent certificate section in the Microsoft Windows CA Integration Guide.
MS Certificate Services Key Recovery Agent | Available if you are using a Microsoft CA. | See the Encryption key recovery section in the Microsoft Windows CA Integration Guide.
Generic Certificate Authority | Available if you are using any supported certificate authority where MyID is configured to use a certificate to connect to the CA. | See the integration guide for your certificate authority.
MyID IIS Web Site Certificate | Available if you have configured the MyID web site to use https. | See the Configuring SSL/TLS (HTTPS) section in the Securing Websites and Web Services guide.
Notification SSL Certificate | Available only on systems that have been customized to use SSL/TLS for notifications. | See the additional documentation provided with your customization.
Signing Certificate | Available if you have set up a CVC signing certificate for OPACITY. | See the Setting up OPACITY section in the Smart Card Integration Guide.

3.1.3 Changing service account passwords

If you need to change the password for the MyID COM+, IIS, or web service user accounts, you can use the Password Change Tool. See the Password Change Tool guide for details.

3.1.4 Replacing expiring certificates

See the instructions in the MyID documentation that you followed to set up the certificate originally. Make sure you pay attention to any additional instructions for replacing certificates; for example, for the Enrollment Agent certificate on a Microsoft CA, you must move the old certificate out of the certificate store before you can replace it.

3.1.5 Changing the schedule

By default, the monitoring service runs once a day at 0300 UTC. If you need to change this, you can edit the ExpiringItemsServiceSchedule table in the MyID database. Set the StartTime to the time in UTC that you want the service to run, using the format HH:MM:SS, and the ThenEvery field to the number of days between each run.

For example, to set the service to run once a week at 0630 UTC:

-- Run the expiry check weekly, starting at 06:30 UTC
UPDATE ExpiringItemsServiceSchedule SET StartTime = '06:30:00', ThenEvery = 7;

The services will pick up the new schedule the next time they run – that is, at the old start time. If you want the service to pick up the new schedule immediately, restart the services.
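The following PowerShell script carries the whole 3.1.5 procedure through in one run: it validates the new values, updates the ExpiringItemsServiceSchedule table, reads the row back to confirm the change, and restarts the expiring items services on each MyID server so the new schedule takes effect immediately. It is an added example, not part of the MyID documentation or product; the SQL instance, database name and server list are placeholders for your environment, and it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the monitoring services have display names beginning with "MyID Expiring Items".

```powershell
# Added example (not MyID's own tooling): reschedule the expiring items check
# and restart the monitoring services so they pick the new schedule up now.
param(
    [string]$SqlInstance = 'SQLHOST\INSTANCE',  # placeholder: MyID SQL Server instance
    [string]$Database    = 'MyIDDatabase',      # placeholder: your MyID database name
    [string]$StartTime   = '06:30:00',          # UTC, HH:MM:SS (as the table expects)
    [int]$ThenEvery      = 7,                   # days between runs
    [string[]]$Servers   = @('myid-app01', 'myid-web01')  # placeholder: app and web servers
)

Import-Module SqlServer -ErrorAction Stop

# Validate before touching the table: a malformed StartTime would stop the
# schedule from being parsed, and the value is interpolated into the SQL below.
if ($StartTime -notmatch '^(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d$') {
    throw "StartTime '$StartTime' is not in HH:MM:SS format."
}
if ($ThenEvery -lt 1) { throw 'ThenEvery must be at least 1 day.' }

# Invoke-Sqlcmd substitutes $(Name) tokens from -Variable; the SELECT returns
# the row after the update so the change can be confirmed in the output.
$query = @'
UPDATE ExpiringItemsServiceSchedule
SET StartTime = '$(StartTime)', ThenEvery = $(ThenEvery);
SELECT StartTime, ThenEvery FROM ExpiringItemsServiceSchedule;
'@

$after = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
    -Query $query -Variable @("StartTime=$StartTime", "ThenEvery=$ThenEvery")
Write-Host 'Schedule now stored in ExpiringItemsServiceSchedule:'
$after | Format-Table StartTime, ThenEvery -AutoSize | Out-String | Write-Host

# Without a restart the services only notice the change at the OLD start time
# (section 3.1.5), so restart every MyID Expiring Items service on each server.
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-Service -DisplayName 'MyID Expiring Items*' | ForEach-Object {
            Restart-Service -Name $_.Name -Force
            $state = (Get-Service -Name $_.Name).Status
            "$env:COMPUTERNAME: restarted '$($_.DisplayName)' -> $state"
        }
    }
}
```

Run it from an account that can both update the MyID database and restart services on the listed servers; if a server reports no matching services, check the actual service display names on that host before relying on the restart.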