Extend expiration of default WebSphere v7.0 plugin SSL certificate?

jessc7 (Author) asked:
How do I extend the life of the default certificate used by the web server plugin for WebSphere Application Server 7.0 to be longer than 1 year? This is the key that resides in:

\profiles\<server>\config\cells\<cellname>\nodes\<nodename>\servers\<servername>\plugin-key.kdb
you need a new cert from your issuer

Author

Commented:
This is the certificate signed by the root certificate of the WebSphere installation. Not third party.

Basically the default cert from WebSphere has a life of 1 year. I want to give it something like 10 years.
HonorGod, Software Engineer

Commented:
Use the ikeyman utility to generate a new self-signed certificate with a duration for as long as you want it.

http://www.IBM.com/support/docview.wss?uid=swg21045925

Author

Commented:
OK, thank you. Since WAS and the Plugin are both serving up certificates with a 1 year life, would I do the following?

WAS Server:
Create a new certificate in \AppServer\Profiles\AppSrv01\etc\key.p12
I matched up that the certificate used over 9443 lives in this repository. I should then extract the certificate, and import it into the SSL repository on the WAS Plugin server:
\IBM\WebSphere\Plugins\etc\plugin-key.kdb
Correct?

WAS Plugin Server:
Create a new certificate in its respective repository, extract the new cert, and import it into the following on the WAS Server:
\AppServer\Profiles\AppSrv01\etc\trust.p12

The stores have changed just enough on me between versions that I'm not exactly sure if I'm pointing at the right ones or not. I don't want to install SSL certs in all of the repositories either, trying to hunt down the right one.
Software Engineer
Commented:
When you create a cert for a server (either the web server, or the application server), you keep the "private" portion only on that server.

The "public" portion, you provide to "client" machines that need to authenticate your server as "known, and trusted".

So, you:
- Create a new Web server cert
- Export the "public" portion
- send/transport it to the AppServer

- Create a new AppServer cert
- Export the "public" portion
- send/transport it to the Web Server

- On the Web Server, you "Import" the "AppServer public key" into the trust store

- On the AppServer, you "Import" the "Web Server public key" into the trust store

Remember!
- If you have a valid certificate in the server keystore, it will continue to be used until it expires, UNLESS you change the "default" certificate to be used.

So, for each server, remember to select the appropriate certificate as default while you are working with the keystore.

Restart both servers (thus reloading their certificates)

You should be able to connect from the client (web server) to the AppServer successfully.

Does this help?

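The web-server side of the exchange above, scripted with gsk7cmd, the command-line twin of iKeyman. This is an added example, not code from the thread or from IBM; the executable name, the kdb path, the labels, the DN and the 3650-day lifetime are assumptions to adjust for your install.

```powershell
# Added example: give the plugin a 10-year self-signed certificate, mark it default,
# export its public half for the AppServer, and trust the AppServer's public cert.
# Assumes gsk7cmd.exe (GSKit CLI installed with WAS 7) is on PATH and that
# plugin-key.kdb is the store referenced by plugin-cfg.xml.
$ErrorActionPreference = 'Stop'
$PluginKdb          = 'C:\IBM\WebSphere\Plugins\etc\plugin-key.kdb'   # assumed path
$ExchangeDir        = 'C:\IBM\WebSphere\Plugins\etc\exchange'         # assumed scratch dir
$NewLabel           = 'webserver-10yr'                                # assumed label
$AppServerSignerArm = Join-Path $ExchangeDir 'appserver-public.arm'   # extracted on the WAS side
$KdbPassword        = Read-Host 'plugin-key.kdb password'             # prompted, not hard-coded

function Invoke-Gsk {
    # Runs gsk7cmd and stops on a non-zero exit code so a failed step is never silently skipped.
    param([string[]]$Arguments)
    & gsk7cmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "gsk7cmd $($Arguments[0..1] -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Force -Path $ExchangeDir | Out-Null

# 1. New self-signed web-server cert, valid 3650 days, set as the store's default
#    (the default is what the plugin will use; an older valid cert stays in use otherwise).
Invoke-Gsk @('-cert', '-create', '-db', $PluginKdb, '-pw', $KdbPassword,
             '-label', $NewLabel, '-dn', 'CN=qa-ws-03.example.test,O=Example,C=US',
             '-size', '2048', '-x509version', '3', '-expire', '3650', '-default_cert', 'yes')

# 2. Export only the public portion; the private key never leaves this server.
Invoke-Gsk @('-cert', '-extract', '-db', $PluginKdb, '-pw', $KdbPassword,
             '-label', $NewLabel, '-target', (Join-Path $ExchangeDir "$NewLabel.arm"),
             '-format', 'ascii')

# 3. Import the AppServer's public cert as a trusted signer so the plugin can authenticate it.
Invoke-Gsk @('-cert', '-add', '-db', $PluginKdb, '-pw', $KdbPassword,
             '-label', 'appserver-public', '-file', $AppServerSignerArm, '-format', 'ascii')

# 4. Refresh the stash file: the plugin reads the password from plugin-key.sth, not a prompt.
Invoke-Gsk @('-keydb', '-stashpw', '-db', $PluginKdb, '-pw', $KdbPassword)

# 5. List the store to confirm the new label is present and marked as default before restarting.
Invoke-Gsk @('-cert', '-list', '-db', $PluginKdb, '-pw', $KdbPassword)
```

The plugin only honours this store if the keyring and stashfile properties in plugin-cfg.xml point at it, so check that file when the old certificate keeps appearing after a restart. The matching step on the AppServer is done against the node's key and trust stores in the admin console, after which both servers are restarted.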
Author

Commented:
Yes this helps, thanks. I'll give it a go here shortly. I've done this with WAS 6, but this is my first WAS 7 installation, and there seems to be more SSL repositories than other versions. Maybe I'm just not keeping things as straight.

Author

Commented:
Even though IBM Key Management is treating key.p12 as a multiple certificate repository, it's not, is it? This is where the WebSphere server has the certificate that is used for 9443 traffic. Do I need to create a new repository and assign it in the Admin console, or can I continue to use key.p12 with a new self-signed certificate?
HonorGod, Software Engineer

Commented:
You can continue to use the key.p12 with self-signed certs.

Author

Commented:
OK, I tried, restarted the server, and am still seeing the old certificate. I even tried deleting the old certificate from the .p12 file. I'm not sure what I am missing yet.

Author

Commented:
Scratch that. Locally, I see the right certificate on 9443. On the WebSphere Plugin server, 9443 traffic is showing the old certificate. Must be caching somewhere...

Author

Commented:
Now I don't see the right certificate locally. I think I'm losing my marbles. :)
HonorGod, Software Engineer

Commented:
When you use iKeyman to manage the certificates in your keystore, which certificate is identified as the default?

Most of the time, it is marked / indicated with an asterisk '*'.

Is it the one you expect?

Is this the web server certificate, or the AppServer cert?

When the web server (via the plugin) issues a connection request to the AppServer using SSL, we would expect to see a number of messages sent between the Web Server and the AppServer. This is the handshaking that is used to negotiate the appropriate level of security and exchange certificate information so that each party can authenticate the other.

Does this make sense?

Author

Commented:
I had to step away for a little, and I'm glad I did. I realized I was working with:

\AppServer\profiles\AppSrv01\etc\key.p12

And I should have been working with:

${CONFIG_ROOT}/cells/QA-WS-03Node01Cell/nodes/QA-WS-03Node01/key.p12

This corresponds with the NodeDefaultKeyStore in the WAS Admin Console. Unfortunately, I don't understand why there are so many keystores created in multiple formats for a default installation of Express.

Now I'll try to get the Plugin to trust the new WAS cert, and do the same operation for the Plugin certificate.

Author

Commented:
Oh, also, neither had an asterisk. I'm not sure why. I remember seeing an option to set a certificate as the default before, but I'm not seeing it now. I'm not sure why.
HonorGod, Software Engineer

Commented:
I think that if only one cert in the keystore is "valid" (has expired), then that will be the implied default.

Author

Commented:
I reset key.p12 to have the original, default certificate as well. Then I created a new self-signed certificate. Somewhere I'm missing the ability to set a default. Can you remind me how? The one named "waswebcontainer" is the certificate I made.
(attachment: screenshot.png)

Author

Commented:
Ahhh, when the store format is CMS, I see the option to set as default under View/Edit. I don't see this in PKCS12 stores.
HonorGod, Software Engineer

Commented:
Sorry for not remembering that distinction.

Author

Commented:
Thank you for your help!
HonorGod, Software Engineer

Commented:
Thanks for the grade & points.

I'm glad to have been able to help.

Good luck & have a great day.

By the way, you might be interested in http://WASscripting.com
