Convert/replace the existing WebSphere default chained certificates from a 1024-bit to a 2048-bit key size, and change the signature algorithm

Convert the WebSphere Application Server default chained certificates from a 1024-bit to a 2048-bit (or larger) key size; the signature algorithm can be changed in the same step.

Make sure WebSphere Application Server is at fix pack 7.0.0.23 or above. The following steps apply only to WebSphere Application Server fix pack 7.0.0.23 or above.


During installation of WebSphere Application Server v7.0, the default keystore and root CA are created with a 1024-bit key size. With this approach you upgrade the root CA to a 2048-bit key, which removes the weak-key exposure that security scanners flag.

Please see the following steps.

NOTE: This document assumes that you are using the default SSL configuration and the default SSL keystores.

1) Run backupConfig on the Deployment Manager.

You can use backupConfig -nostop:
-nostop
    Tells the backupConfig command not to stop the servers before backing up the configuration.

C:\WebSpherev7.0.0.23\profiles\Dmgr01\bin>wsadmin

The following command updates the key size and the signature algorithm:

$AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -signatureAlgorithm SHA256withRSA -keySize 2048 }

The following command updates only the key size:

$AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -keySize 2048 }

The following command saves the above configuration changes:

$AdminConfig save

The above command generates new certificates and replaces every default certificate that ships with WebSphere Application Server with a 2048-bit one, for example in the files key.p12 for the cell and node, trust.p12, root-key.p12, etc.

Example Path:

\WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\key.p12
\WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\trust.p12
\WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\nodes\CellManager(dmgr)\root-key.p12

Go to the admin console and check the default certificate:

SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore/NodeDefaultKeyStore > Personal certificates > click default

You will see the key size changed from 1024 to 2048 and the signature algorithm changed from SHA1withRSA to SHA256withRSA.
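The admin console check above can also be done offline against the keystore files themselves. The following script is an added example (not part of the original article): it parses the text printed by `keytool -list -v -keystore key.p12 -storetype PKCS12` and reports every entry whose RSA key is shorter than 2048 bits or whose certificate is still signed with SHA1withRSA. The sample listings are constructed; the "Subject Public Key Algorithm" line is an assumption about modern JDK keytool output, and the script reports the key size as unknown when an older keytool omits that line.

```python
"""Flag weak default certificates in a WebSphere keystore listing.

Added example, not from the original article. Feed it the output of
  keytool -list -v -keystore key.p12 -storetype PKCS12
(run once per key.p12 / trust.p12 you converted) or run it without
arguments to see the constructed before/after samples below.
"""
import re
import sys

MIN_RSA_BITS = 2048
WEAK_SIG_ALGS = {"SHA1withRSA", "MD5withRSA", "MD2withRSA"}

ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.MULTILINE)
SIG_RE = re.compile(r"^Signature algorithm name: (\S+)", re.MULTILINE)
# Assumed line format of recent JDK keytool; older keytool prints no key size.
KEY_RE = re.compile(r"^Subject Public Key Algorithm: (\d+)-bit (\w+) key", re.MULTILINE)

# Constructed sample listing of a pre-conversion key.p12 (names are made up).
BEFORE_LISTING = """\
Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: default
Creation date: Jan 1, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=host1, OU=cell01, OU=node01, O=IBM, C=US
Issuer: CN=host1, OU=Root Certificate, OU=cell01, OU=node01, O=IBM, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
Certificate[2]:
Owner: CN=host1, OU=Root Certificate, OU=cell01, OU=node01, O=IBM, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
"""

# Same keystore after convertCertForSecurityStandard (constructed).
AFTER_LISTING = BEFORE_LISTING.replace("SHA1withRSA", "SHA256withRSA").replace("1024-bit", "2048-bit")

# What an older (JDK 6/7) keytool would print: no key size line at all.
OLD_KEYTOOL_LISTING = "\n".join(
    line for line in BEFORE_LISTING.splitlines()
    if not line.startswith("Subject Public Key Algorithm")
) + "\n"


def parse_entries(listing):
    """Map alias -> {sig, bits, alg} for the first (entity) certificate of each entry."""
    parts = ALIAS_RE.split(listing)  # [preamble, alias1, body1, alias2, body2, ...]
    entries = {}
    for i in range(1, len(parts), 2):
        alias, body = parts[i].strip(), parts[i + 1]
        sig = SIG_RE.search(body)   # first match = Certificate[1], not the signer
        key = KEY_RE.search(body)
        entries[alias] = {
            "sig": sig.group(1) if sig else None,
            "bits": int(key.group(1)) if key else None,
            "alg": key.group(2) if key else None,
        }
    return entries


def weak_entries(listing, min_bits=MIN_RSA_BITS):
    """Return [(alias, [reasons])] for entries that still need conversion."""
    findings = []
    for alias, info in parse_entries(listing).items():
        reasons = []
        if info["alg"] == "RSA" and info["bits"] is not None and info["bits"] < min_bits:
            reasons.append("%d-bit RSA key" % info["bits"])
        if info["sig"] in WEAK_SIG_ALGS:
            reasons.append("signed with %s" % info["sig"])
        if info["bits"] is None:
            reasons.append("key size not reported (old keytool; check with openssl pkcs12)")
        if reasons:
            findings.append((alias, reasons))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"before": BEFORE_LISTING, "after": AFTER_LISTING, "old-keytool": OLD_KEYTOOL_LISTING}
    for name, listing in samples.items():
        for alias, reasons in weak_entries(listing) or [(None, [])]:
            print("%s: %s" % (name, alias and "%s -> %s" % (alias, ", ".join(reasons)) or "no weak entries"))
```

Run it against each converted keystore before and after the wsadmin command; the default keystore password for WebSphere-generated keystores is documented in the admin console, so pass it with `-storepass` when you generate the listing.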

Make sure you synchronize the nodes with the dmgr: from the admin console expand System administration > click Nodes > Full Resynchronize.

Restart the complete WebSphere Application Server environment: the dmgr, the node agents and all application servers.

You need to manually copy the trust store to each profile's etc directory. This is required for client operations such as stopdmgr, wsadmin, syncNode, serverStatus and similar commands.

Back up the trust.p12 in profile_root\Dmgr\etc.

Then copy profile_root\Dmgr\config\cells\cell-name\trust.p12 (example path: \WebSphere_Install\profiles\ND-DMGR-Profile\config\cells\cellName\trust.p12) over it.

If you have SSL between the plug-in and WebSphere Application Server, you must propagate the plugin-key.kdb from the WebSphere admin console, or add the new WebSphere root certificate under the signer certificates of plugin-key.kdb, because the above change replaces the WebSphere root CA certificate with a new one that has a new serial number.
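The whole procedure (convert, save, synchronize, verify) can be scripted so it is repeatable across cells. The following wsadmin Jython script is an added example, not from the article: it issues the same convertCertForSecurityStandard call as the Jacl commands above, saves, drives the NodeSync MBean on every node (the scripted equivalent of Full Resynchronize), and then reads the default certificate's attributes back. The keystore names and scopes assume the default SSL configuration, and the `size` and `signatureAlgorithm` attribute names in the getCertificate output are assumptions about the command's output format.

```jython
# convert_default_certs.py -- wsadmin Jython script (added example, not part
# of the original article). Run on the Deployment Manager after backupConfig:
#   profile_root\Dmgr01\bin\wsadmin -lang jython -f convert_default_certs.py
# Assumptions: default SSL configuration with CellDefaultKeyStore /
# NodeDefaultKeyStore and the personal certificate alias "default"; the
# attribute names "size" and "signatureAlgorithm" in getCertificate output.

KEY_SIZE = '2048'
SIG_ALG = 'SHA256withRSA'


def convert_default_certs():
    # Same operation as the Jacl commands in the article, then save.
    AdminTask.convertCertForSecurityStandard(
        '[-fipsLevel FIPS140-2 -signatureAlgorithm %s -keySize %s]' % (SIG_ALG, KEY_SIZE))
    AdminConfig.save()


def node_names():
    names = []
    for node_id in AdminConfig.list('Node').splitlines():
        names.append(AdminConfig.showAttribute(node_id, 'name'))
    return names


def sync_nodes():
    # Scripted equivalent of System administration > Nodes > Full Resynchronize.
    for name in node_names():
        sync_mbean = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % name)
        if not sync_mbean:
            # The dmgr node has no NodeSync MBean; a stopped node agent has none either.
            print 'skip %s (no NodeSync MBean)' % name
            continue
        print 'sync %s -> %s' % (name, AdminControl.invoke(sync_mbean, 'sync'))


def check_default_cert(keystore, scope):
    # Reads the converted certificate back; "[size 2048]" and
    # "[signatureAlgorithm SHA256withRSA]" are the assumed output fragments.
    info = AdminTask.getCertificate(
        '[-certificateAlias default -keyStoreName %s -keyStoreScope %s]' % (keystore, scope))
    ok = ('[size %s]' % KEY_SIZE) in info and ('[signatureAlgorithm %s]' % SIG_ALG) in info
    print '%s %s: %s' % (keystore, scope, ok and 'OK' or 'STILL WEAK')
    return ok


cell = AdminControl.getCell()
convert_default_certs()
sync_nodes()
check_default_cert('CellDefaultKeyStore', '(cell):%s' % cell)
for name in node_names():
    check_default_cert('NodeDefaultKeyStore', '(cell):%s:(node):%s' % (cell, name))
```

After the script reports OK for every keystore, restart the dmgr, node agents and application servers and copy trust.p12 into each profile's etc directory as described above; the script does not do either of those steps.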
 
Author: AdminRAM
3 Comments
 
LVL 8

Author Comment

by:AdminRAM
It is a useful document for converting existing certs, because if you are using 1024-bit key size certificates then a security scan tool might fail.
 
LVL 41

Expert Comment

by:HonorGod
Technically, one can not "convert" a certificate (not even the expiration date).  Only a new certificate can be generated, or requested from a Certificate Authority (CA).
 
LVL 8

Author Comment

by:AdminRAM
The convert option will generate a new cert and replace it automatically, and it will still remain the WAS default certificate, which will be monitored by the certificate expiration monitor tool in WAS.
