jessc7 (United States of America) asked:
Extend expiration of default WebSphere v7.0 plugin SSL certificate?

How do I extend the life of the default certificate used by the web server plugin for WebSphere Application Server 7.0 to be longer than 1 year? This is the key that resides in:

\profiles\<server>\config\cells\<cellname>\nodes\<nodename>\servers\<servername>\plugin-key.kdb
ahoffmann (Germany):

You need a new cert from your issuer.
jessc7 (asker):

This is the certificate signed by the root certificate of the WebSphere installation. Not third party.

Basically the default cert from WebSphere has a life of 1 year. I want to give it something like 10 years.
HonorGod:
Use the ikeyman utility to generate a new self-signed certificate with a duration for as long as you want it.

http://www.IBM.com/support/docview.wss?uid=swg21045925
jessc7 (asker):

Ok, thank you. Since WAS and the Plugin are both serving up certificates with a 1 year life, would I do the following?
WAS Server
Create a new certificate in \AppServer\Profiles\AppSrv01\etc\key.p12
I matched up that the certificate used over 9443 lives in this repository. I should then extract the certificate, and import it into the SSL repository on the WAS Plugin server:
\IBM\WebSphere\Plugins\etc\plugin-key.kdb
Correct?
WAS Plugin Server
Create a new certificate in its respective repository, extract the new cert, and import it into the following on the WAS Server:
\AppServer\Profiles\AppSrv01\etc\trust.p12
The stores have changed just enough on me between versions that I'm not exactly sure if I'm pointing at the right ones or not. I don't want to install SSL certs in all of the repositories either, trying to hunt down the right one.
ASKER CERTIFIED SOLUTION
HonorGod (United States of America):

jessc7 (asker):

Yes, this helps, thanks. I'll give it a go here shortly. I've done this with WAS 6, but this is my first WAS 7 installation, and there seem to be more SSL repositories than in other versions. Maybe I'm just not keeping things as straight.
jessc7 (asker):

Even though IBM Key Management is treating key.p12 as a multiple certificate repository, it's not, is it? This is where the WebSphere server has the certificate that is used for 9443 traffic. Do I need to create a new repository and assign it in the Admin console, or can I continue to use key.p12 with a new self-signed certificate?
You can continue to use the key.p12 with self-signed certs.
jessc7 (asker):

OK, I tried, restarted the server, and am still seeing the old certificate. I even tried deleting the old certificate from the .p12 file. I'm not sure what I am missing yet.
jessc7 (asker):

Scratch that. Locally, I see the right certificate on 9443. On the WebSphere Plugin server, 9443 traffic is showing the old certificate. Must be caching somewhere...
jessc7 (asker):

Now I don't see the right certificate locally. I think I'm losing my marbles. :)
When you use iKeyman to manage the certificates in your keystore, which certificate is identified as the default?

Most of the time, it is marked/indicated with an asterisk '*'.

Is it the one you expect?

Is this the web server certificate, or the AppServer cert?

When the web server (via the plugin) issues a connection request to the AppServer using SSL, we would expect to see a number of messages sent between the Web Server and the AppServer. This is the handshaking that is used to negotiate the appropriate level of security and exchange certificate information so that each party can authenticate the other.

Does this make sense?
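An added check for the "still seeing the old certificate on 9443" situation in this thread (example code, not from the thread or from IBM): it reads the notAfter date straight out of a certificate's DER encoding with only the standard library, and compares the SHA-256 fingerprint with the one you expect, so you can tell whether the plugin server is really being handed the new cert and how long that cert has left. The certificates at the bottom are constructed, certificate-shaped DER for offline use, not real WebSphere certificates; against a live endpoint you would pass the PEM returned by ssl.get_server_certificate((host, 9443)) and the fingerprint of the certificate you created.

```python
import hashlib, ssl
from datetime import datetime, timezone

def tlv(buf, pos=0):
    # one DER tag-length-value; returns (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    # elements of a constructed DER value, as (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    # UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)
    s = val.decode("ascii")
    if tag == 0x17:                                # RFC 5280 two-digit year rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der_bytes):
    # Certificate -> tbsCertificate -> [version], serial, sigAlg, issuer, validity, ...
    fields = children(tlv(tlv(der_bytes)[1])[1])
    if fields[0][0] == 0xA0:                       # skip the optional [0] version
        fields = fields[1:]
    return tuple(parse_time(t, v) for t, v in children(fields[3][1]))

def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()   # SHA-256 of the DER encoding

def check_cert(cert, expected_sha256, now):
    # cert is PEM text (e.g. from ssl.get_server_certificate((host, 9443))) or DER bytes
    der_bytes = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return {"fingerprint_ok": fingerprint(der_bytes) == expected_sha256,
            "days_left": (validity(der_bytes)[1] - now).days}
def der(tag, body):   # tiny short-form DER encoder, only for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, not_after):
    # constructed, certificate-shaped DER: real layout and time encoding, dummy contents
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")  # ver, serial, sigAlg
           + der(0x30, b"") + der(0x30, der(0x17, not_before) + der(0x17, not_after)))  # issuer, validity
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
OLD_DEFAULT = sample_cert(b"100101000000Z", b"110101000000Z")   # one-year default, as WAS 7 issues
TEN_YEAR = sample_cert(b"100101000000Z", b"200101000000Z")      # ten-year replacement
```

If fingerprint_ok is false after a restart, the endpoint is still presenting the old certificate, which is the symptom described above and points at the wrong keystore or a non-default certificate rather than at caching.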
jessc7 (asker):

I had to step away for a little, and I'm glad I did. I realized I was working with:

\AppServer\profiles\AppSrv01\etc\key.p12

And I should have been working with:

${CONFIG_ROOT}/cells/QA-WS-03Node01Cell/nodes/QA-WS-03Node01/key.p12

This corresponds with the NodeDefaultKeyStore in the WAS Admin Console. Unfortunately, I don't understand why there are so many keystores created in multiple formats for a default installation of Express.

Now I'll try to get the Plugin to trust the new WAS cert, and do the same operation for the Plugin certificate.
jessc7 (asker):

Oh, also, neither had an asterisk. I'm not sure why. I remember seeing an option to set a certificate as the default before, but I'm not now. I'm not sure why.
I think that if only one cert in the keystore is "valid" (has expired), then that will be the implied default.
jessc7 (asker):

I reset key.p12 to have the original, default certificate as well. Then I created a new self-signed certificate. Somewhere I'm missing the ability to set a default. Can you remind me how? The one named "waswebcontainer" is the certificate I made.
(attachment: screenshot.png)
jessc7 (asker):

Ahhh, when the store format is CMS, I see the option to set as default under View/Edit. I don't see this in PKCS12 stores.
Sorry for not remembering that distinction.
jessc7 (asker):

Thank you for your help!
Thanks for the grade & points.

I'm glad to have been able to help.

Good luck & have a great day.

By the way, you might be interested in http://WASscripting.com