IBM Software Group
Managing and Replacing WebSphere 6.1 SSL Certificates
Brett Ostrander
WebSphere® Support Technical Exchange
IBM Software Group | WebSphere software
Agenda 
• Basic Design / Overview 
• Default 6.1 Configuration 
• Scope Settings 
• Certificate Expiration Management 
• Manually Replacing Certificates
Basic Design / Overview 
• No longer use the Dummy keys 
• Key Stores (key.p12) and Trust Stores (trust.p12) contain 
– Signer Certificates 
– Personal Certificates 
– Personal Certificate Requests 
• WebSphere® provides all of the key/trust stores needed by default 
• Self-signed certificates are created per profile by default
Basic Design / Overview 
• Certificate and key management is built into the Admin 
Console 
• Configurations are scoped at the level of cell, node, cluster, 
node group, server...
Default Configuration 
Key Stores and Trust Stores are managed via the Admin Console and stored in the configuration repository 
CellDefaultKeyStore is located in ${CONFIG_ROOT}/cells/cell_name/key.p12 
CellDefaultTrustStore is located in ${CONFIG_ROOT}/cells/cell_name/trust.p12 
Important: This is the Trust Store used by default in the entire Cell
Default Configuration 
NodeDefaultKeyStore is in ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/key.p12 
NodeDefaultTrustStore is in ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/trust.p12 
NodeDefaultTrustStore is not used by default
Default Configuration 
Web Server's KDB file is in ${CONFIG_ROOT}/config/cells/cell_name/nodes/node_name/servers/webserver/plugin-key.kdb
Scope Settings
• SSL configurations > NodeDefaultSSLSettings
Certificate Expiration Management 
• WebSphere automatically (by default) scans all key stores looking for certificates that will expire 
• Any self-signed certificates that will expire within the next expiration notification days will be replaced 
– if automatic synchronization is disabled, an outage will occur 
– unmanaged web servers stop working 
– communication may be broken with other servers in other cells, MQ, etc. 
– various other problems can also occur 
• Consider disabling automatic certificate replacement and generating your own certificates...
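The scan described above, as an added POSIX shell example that is not from the IBM deck: it dumps every certificate held in a PKCS12 key or trust store with the openssl CLI and flags each one that falls inside a notification window, so an administrator can see what the expiration monitor would replace before it does so. The sample store, its 20-day self-signed certificate, the 60-day window and the function names are constructed for this example; the store password WebAS is assumed here because it is the default for the stores a profile creates.

```shell
#!/bin/sh
# Added example (not the deck's own code): report certificates in a PKCS12
# store that expire within a notification window. Needs the openssl CLI.
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

# check_p12_expiry STORE PASSWORD DAYS
# Prints one line per certificate (status, notAfter, subject).
# Returns 0 when nothing expires inside the window, 1 when something does,
# which is exactly the case the automatic replacement would act on.
check_p12_expiry() {
    store=$1; password=$2; days=$3
    secs=$((days * 86400))
    workdir=$(mktemp -d)
    # Dump every certificate (personal chains and signers) as PEM and split
    # the bundle into one file per certificate; "Bag Attributes" lines are
    # outside the BEGIN/END markers and are therefore dropped.
    openssl pkcs12 -in "$store" -nokeys -passin "pass:$password" 2>/dev/null \
      | awk -v dir="$workdir" '
          /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
          out { print > out }
          /-----END CERTIFICATE-----/ { close(out); out = "" }'
    rc=0
    for pem in "$workdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject)
        enddate=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits non-zero when the certificate expires within SECS
        if openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null; then
            echo "OK       expires $enddate  $subject"
        else
            echo "EXPIRING expires $enddate  $subject"
            rc=1
        fi
    done
    rm -rf "$workdir"
    return $rc
}

# make_sample_store DIR VALIDITY_DAYS
# Constructed test data: a self-signed certificate with VALIDITY_DAYS left,
# packaged as key.p12 the way a profile's default key store is (assumed
# default password WebAS; use the real store password on a real system).
make_sample_store() {
    dir=$1; validity_days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days "$validity_days" \
        -subj "/CN=node1.example.com/O=Sample" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name default -out "$dir/key.p12" -passout pass:WebAS
}

# Demo: 20 days of validity checked against an assumed 60-day window.
demo=$(mktemp -d)
make_sample_store "$demo" 20
check_p12_expiry "$demo/key.p12" WebAS 60 \
    || echo "=> at least one certificate is inside the 60-day window"
rm -rf "$demo"
```

Run it against ${CONFIG_ROOT}/cells/cell_name/key.p12 and trust.p12 (and the node-level stores) with the window set to the cell's notification threshold; reading the stores this way is non-destructive, so it can be scheduled as a pre-check before deciding whether to let the monitor replace certificates or to replace them by hand as the following slides describe.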
Manually Replacing Certificates 
• Run backupConfig on the Deployment Manager 
• Replace the Deployment Manager certificate 
In the Admin Console, go to Security > SSL certificate and key 
management > Key stores and certificates > CellDefaultKeyStore 
> Personal certificates > Create a self-signed certificate
• Enter the required attributes and Save the changes.
• Return to Security > SSL certificate and key management > Key 
stores and certificates > CellDefaultKeyStore > Personal 
certificates 
• Select the old certificate and Replace
• Accept your new certificate and Save
• On the next screen, select the old certificate and Delete
• Verify that a Signer Certificate was added to your 
CellDefaultTrustStore for your new personal certificate
• If for any reason the Signer Certificate was not added then you can 
do this manually
• Select the CellDefaultKeyStore and the CellDefaultTrustStore and 
click Exchange signers...
• Select and Add the new Signer Certificate
Manually Replacing Certificates 
• Replace the Node certificate 
Go to Security > SSL certificate and key management > Manage 
endpoint security configurations and Select the node
• Select Manage certificates
• Create a new self-signed certificate
• Enter the required attributes and Save the changes
• Return to Security > SSL certificate and key management > 
Manage endpoint security configurations and Select the node 
• Select Manage Certificates 
• Select the old certificate and click Replace
• Accept your new certificate and Save
• Return to the node Manage certificates page, select the old 
certificate and Delete
• Verify that a Signer Certificate was added to your 
CellDefaultTrustStore for your new Personal Certificate
• If for any reason the Signer Certificate was not added then you can 
do this manually 
• Select the NodeDefaultKeyStore and the CellDefaultTrustStore and 
click Exchange signers...
• Select and Add the new Signer Certificate
Manually Replacing Certificates 
• Delete the old Signer Certificates and Extract the new ones
• Extract each certificate
• Enter a File Name that corresponds to the certificate. For example, 
node1.arm 
• These files are saved to the profile_root/Dmgr/etc directory
Manually Replacing Certificates 
• Add the Signer Certificates for each node to the 
plugin-key.kdb 
Go to Servers > Web servers > webserver_name > Plug-in properties > Manage keys and certificates > Signer certificates > Add
• Enter a unique Alias Name and then specify the File Name that you 
created previously
• Repeat this for each of the new certificates (the cell signer and all of 
the node signers) 
• Manually copy the plugin-key.kdb from the local configuration to the 
webserver 
• Important Note: Depending on your configuration you may not be 
able to perform the previous steps with the console. If the fields are 
greyed out and/or you are unable to manage your plugin-key.kdb 
from the console you will need to use IKEYMAN to manually add the 
certificates
Manually Replacing Certificates 
• For all profiles, when these self-signed certificates are 
initially created they are also added into the key.p12 and 
trust.p12 in the ${PROFILE_ROOT}/etc directory. These key 
stores are used by clients (for example, wsadmin) started 
from this profile 
• These certificates provide them with the trust needed to 
communicate with servers in the same profile without 
requiring any signer exchanges to occur
Manually Replacing Certificates 
• Whenever changes are made to the server certificates after the initial profile creation, the /etc trust.p12 will need to be updated 
• If client authentication is enabled on the server, the /etc/key.p12 will need to be updated also
Manually Replacing Certificates 
• Manually replace the trust.p12 in each of the /etc directories 
– Copy the ${CONFIG_ROOT}/cells/cell_name/trust.p12 to the profile_root/Dmgr/etc directory 
– Copy the ${CONFIG_ROOT}/cells/cell_name/trust.p12 to the profile_root/Appsrv/etc directory and repeat for each node in the cell 
• If needed, replace the key.p12 files also 
– Copy the ${CONFIG_ROOT}/cells/cell_name/key.p12 to the profile_root/Dmgr/etc directory 
– Copy the ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/key.p12 to the corresponding profile_root/Appsrv/etc directory and repeat for each node in the cell
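The copy steps in the list above, as an added POSIX shell example that is not the deck's own script: it refreshes trust.p12 under every profile's etc directory from the cell copy in the repository, and key.p12 for a node's application server profile when client authentication requires it, backing up the existing file first and verifying the copy byte for byte. The repository and profile paths follow the deck; the function names, the sampleCell and node1 names and the placeholder store contents in the demo tree are constructed (real stores are binary PKCS12 files).

```shell
#!/bin/sh
# Added example (not the deck's own code): push the repository key/trust
# stores to the client-side copies under each profile's etc directory.

# copy_store SRC DEST
# Keeps a timestamped backup of DEST (a running wsadmin client may still be
# reading it), copies SRC over it and verifies the bytes match.
copy_store() {
    src=$1; dest=$2
    [ -f "$src" ] || { echo "missing source store: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$src" "$dest"
    cmp -s "$src" "$dest"
}

# refresh_trust_stores CONFIG_ROOT CELL_NAME PROFILE_ROOT...
# Every profile in the cell (deployment manager and application server
# profiles alike) receives the cell trust store, as the deck describes.
refresh_trust_stores() {
    config_root=$1; cell=$2; shift 2
    src="$config_root/cells/$cell/trust.p12"
    for profile in "$@"; do
        copy_store "$src" "$profile/etc/trust.p12" || return 1
    done
}

# refresh_node_key_store CONFIG_ROOT CELL_NAME NODE_NAME PROFILE_ROOT
# Only needed when client authentication is enabled: the application server
# profile gets its node's key.p12 (the dmgr profile would get the cell one).
refresh_node_key_store() {
    config_root=$1; cell=$2; node=$3; profile=$4
    copy_store "$config_root/cells/$cell/nodes/$node/key.p12" "$profile/etc/key.p12"
}

# build_sample_tree ROOT
# Constructed layout mirroring the deck's paths; the store contents are
# placeholders so the example runs without real PKCS12 files.
build_sample_tree() {
    root=$1
    mkdir -p "$root/config/cells/sampleCell/nodes/node1" \
             "$root/profiles/Dmgr/etc" "$root/profiles/Appsrv/etc"
    printf 'NEW-TRUST\n' > "$root/config/cells/sampleCell/trust.p12"
    printf 'NEW-NODE-KEY\n' > "$root/config/cells/sampleCell/nodes/node1/key.p12"
    printf 'OLD-TRUST\n' > "$root/profiles/Dmgr/etc/trust.p12"   # stale client copy
}

# Demo run on the constructed tree.
demo=$(mktemp -d)
build_sample_tree "$demo"
refresh_trust_stores "$demo/config" sampleCell "$demo/profiles/Dmgr" "$demo/profiles/Appsrv" \
    && echo "trust.p12 refreshed in every profile"
refresh_node_key_store "$demo/config" sampleCell node1 "$demo/profiles/Appsrv" \
    && echo "key.p12 refreshed for node1"
rm -rf "$demo"
```

On a real cell, call refresh_trust_stores with ${CONFIG_ROOT} and the profile_root directories of the deployment manager and of each node, and refresh_node_key_store once per node only when client authentication is on; the non-zero return on a missing source or a mismatched copy is what a change script should stop on rather than continue to the next node.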
Reference Articles 
• IBM WebSphere Developer Technical Journal: SSL, 
certificate, and key management enhancements for even 
stronger security in WebSphere Application Server V6.1 
• Manually Replacing SSL Certificates in V6.1
Additional WebSphere Product Resources 
• Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/ 
• Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html 
• Join the Global WebSphere User Group Community: http://www.websphere.org 
• Access key product show-me demos and tutorials by visiting IBM® Education Assistant: http://www.ibm.com/software/info/education/assistant 
• View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html 
• Sign up to receive weekly technical My support emails: http://www.ibm.com/software/support/einfo.html 
Questions and Answers
