Thursday 31 July 2014

Replace the certificates

Question
This document describes the steps necessary to replace the certificates in IBM WebSphere Application Server V6.1 when the certificates have expired or if the nodes are out of sync.
Answer
This is meant to be used ONLY for V6.1. Do NOT try to follow these instructions on any newer versions of WebSphere.
NOTE: This document assumes that you are using a default configuration. If you have made modifications to your SSL configurations, you will need to take these changes into account. For example, additional steps will be required if you have enabled client authentication on the application servers.
1. Run backupConfig on the Deployment Manager.
2. This step is optional. It only needs to be performed if you are running at a level prior to 6.1.0.23 and the nodes are still in sync. If you are at or above that level and the nodes are in sync, you do not need to stop the nodeagent(s) and application server(s).
Stop all of the nodeagents and application servers in the cell. Stop the Web server(s). Make sure the Deployment Manager is started.
3. Replace the Deployment Manager certificate.

i. In the Administrative Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate


[Screenshot: https://www-304.ibm.com/support/docview.wss?uid=swg21305596&aid=1]
ii. Enter the required attributes.
Alias : cell_default
Common name : <hostname>
Validity period : <number of days> <-- this can be set greater than 365
Organization : <company>

Click OK and Save the changes.

iii. Return to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates

iv. Select the old certificate and click Replace.

v. On the next screen, choose the new certificate as the replacement for the old one. Do not select either Delete old certificate after replacement or Delete old signers. Click OK and accept any browser prompts (the administrative console is now served with the new certificate).

vi. On the next screen, select the old certificate and click Delete. Click OK and Save the changes.

At this point the Deployment Manager has its certificate replaced.


4. Add the Deployment Manager signer certificate to the CellDefaultTrustStore.


i. Go to Security > SSL certificate and key management > Key stores and certificates.

ii. Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.

[Screenshot: https://www-304.ibm.com/support/docview.wss?uid=swg21305596&aid=2]

iii. Select the certificate in CellDefaultKeyStore personal certificates created in previous step and click Add.

[Screenshot: https://www-304.ibm.com/support/docview.wss?uid=swg21305596&aid=3]

Click OK and Save the changes. 

5. Replace the certificate on the node(s).

This step will need to be done for each node in the cell.

i. Go to Security > SSL certificate and key management > Manage endpoint security configurations.

ii. Under Inbound, click the link for the node, node_name (NodeDefaultSSLSettings,null).

iii. Click the Manage certificates button.

[Screenshot: https://www-304.ibm.com/support/docview.wss?uid=swg21305596&aid=4]

iv. Click Create a self-signed certificate.

v. Enter the required attributes.

Alias : nodeX_default <-- where X is the node number
Common name : <hostname>
Validity period : <number of days> <-- this can be set greater than 365
Organization : <company>

Click OK and Save the changes.

vi. Return to Security > SSL certificate and key management > Manage endpoint security configurations, click node_name (NodeDefaultSSLSettings,null), then click Manage certificates.

vii. Select the old certificate and click Replace.

viii. On the next screen, choose the new certificate as the replacement for the old one. Do not select either Delete old certificate after replacement or Delete old signers.

ix. On the next screen, select the old certificate and click Delete. Click OK and save the changes.
[Screenshot: https://www-304.ibm.com/support/docview.wss?uid=swg21305596&aid=5]

6. Add the Node signer certificate to the CellDefaultTrustStore.

This step will need to be done for each node in the cell.

i. Go to Security > SSL certificate and key management > Manage endpoint security configurations.

ii. Under Inbound, click the link for the node, node_name (NodeDefaultSSLSettings,null), and select Key stores and certificates.

iii. Select NodeDefaultKeyStore and CellDefaultTrustStore and then Click Exchange signers.

iv. Select the certificate in NodeDefaultKeyStore personal certificates created in previous step and click Add.



Click OK and Save the changes.


7. Repeat steps 5 and 6 for each node in the cell.


8. Delete the old signer certificates and extract the new ones.

i. Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates

ii. Select all of the old signer certificates and click Delete. If you are not sure which are old, compare each signer's Fingerprint and/or Expiration date with those of the personal certificates in the key stores: the signers that match a current personal certificate are the new ones; every other signer is old.

iii. Select one of the new certificates. Click Extract.

iv. Enter a File Name that corresponds to the certificate, for example node1.arm. Click OK.

v. Repeat iii. and iv. for each of the new certificates, making sure you have done this for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/ directory; they are needed again in step 11.
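The console steps 3 to 8 can also be scripted from wsadmin in Jython (the Python dialect wsadmin runs), which is worth doing for a cell with many nodes. The script below is an added example and is not part of the IBM technote. The cell name, node names, host names, key size, validity period, extract directory and the list of old signer aliases are assumed values; the AdminTask command and parameter names are those of the 6.1 security commands as the author recalls them, so confirm each with AdminTask.help('<command>') on the installed fix pack before running it.

```jython
# Added example, not part of the IBM technote: console steps 3 to 8
# driven from wsadmin (Jython) against the Deployment Manager.
# Cell name, node list, host names, extract directory and old signer
# aliases are assumed values; change them for your cell.  The AdminTask
# command and parameter names are those of the 6.1 security commands as
# the author recalls them: confirm each with AdminTask.help('<command>')
# on your level before running.  Run backupConfig first (step 1).
#   wsadmin.sh -lang jython -f replace_certs.py

CELL = 'cell01'                                     # assumed
DMGR_HOST = 'dmgr01.example.com'                    # assumed
NODES = {'node1': 'app01.example.com',              # assumed
         'node2': 'app02.example.com'}
ORG = 'Example Corp'
VALID_DAYS = '1460'           # may exceed 365, as the technote notes
OLD_ALIAS = 'default'         # alias of the original 6.1 personal cert
ARM_DIR = '/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/'   # assumed
# Old signer aliases to delete in step 8.ii.  List the trust store first
# with AdminTask.listSignerCertificates and compare fingerprints with the
# new personal certificates; only the cell signer alias is assumed here.
OLD_SIGNERS = ['default']                           # assumed

CELL_SCOPE = '(cell):' + CELL

def replace_personal_cert(keystore, scope, new_alias, cn):
    """Steps 3 / 5: create the new self-signed certificate, Replace the
    old one with it (keeping the old cert and old signers, as the
    technote directs), then delete the old personal certificate."""
    AdminTask.createSelfSignedCertificate(
        '[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
        '-certificateSize 2048 -certificateCommonName %s '
        '-certificateOrganization "%s" -certificateValidDays %s]'
        % (keystore, scope, new_alias, cn, ORG, VALID_DAYS))
    AdminTask.replaceCertificate(
        '[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
        '-replacementCertificateAlias %s -deleteOldCert false '
        '-deleteOldSigners false]' % (keystore, scope, OLD_ALIAS, new_alias))
    AdminTask.deleteCertificate(
        '[-keyStoreName %s -keyStoreScope %s -certificateAlias %s]'
        % (keystore, scope, OLD_ALIAS))
    AdminConfig.save()

def publish_signer(keystore, scope, alias):
    """Steps 4 / 6 and 8.iii-v: extract the new certificate to
    <alias>.arm (the file step 11 feeds to the plug-in) and add it to
    CellDefaultTrustStore.  Extract-then-add is used here instead of the
    console's Exchange signers button; the signer entry it creates is
    the same."""
    path = ARM_DIR + alias + '.arm'
    AdminTask.extractCertificate(
        '[-keyStoreName %s -keyStoreScope %s -certificateAlias %s '
        '-certificateFilePath %s -base64Encoded true]'
        % (keystore, scope, alias, path))
    AdminTask.addSignerCertificate(
        '[-keyStoreName CellDefaultTrustStore -keyStoreScope %s '
        '-certificateAlias %s -certificateFilePath %s -base64Encoded true]'
        % (CELL_SCOPE, alias, path))
    AdminConfig.save()
    return path

# Steps 3 and 4: the Deployment Manager
replace_personal_cert('CellDefaultKeyStore', CELL_SCOPE, 'cell_default', DMGR_HOST)
publish_signer('CellDefaultKeyStore', CELL_SCOPE, 'cell_default')

# Steps 5 to 7: every node in the cell
for node in NODES.keys():
    scope = CELL_SCOPE + ':(node):' + node
    alias = node + '_default'
    replace_personal_cert('NodeDefaultKeyStore', scope, alias, NODES[node])
    publish_signer('NodeDefaultKeyStore', scope, alias)

# Step 8.i-ii: remove the old signers from CellDefaultTrustStore
for old in OLD_SIGNERS:
    AdminTask.deleteSignerCertificate(
        '[-keyStoreName CellDefaultTrustStore -keyStoreScope %s '
        '-certificateAlias %s]' % (CELL_SCOPE, old))
AdminConfig.save()
```

The script keeps the technote's ordering on purpose: the new personal certificate is created and made the replacement before the old one is deleted, and the old signers are removed only after every new signer has been added to the trust store, so no SSL configuration is ever left pointing at a certificate whose signer is absent. Steps 9 to 11 (copying trust.p12 into the etc directories, syncNode, and the plug-in key database) are file and command-line operations and are not covered by the script.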

9. Manually copy the trust store to each profile's etc directory.

The etc\trust.p12 is the trust store referenced by ssl.client.props, which wsadmin and other clients use when connecting to the cell, so it must also carry the new signers.

i. Back up the trust.p12 in profile_root\Dmgr\etc.

ii. Copy profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc.

iii. Back up the trust.p12 in each node's profile_root\AppSrv\etc directory.

iv. Copy profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\AppSrv\etc.

v. Repeat iii. and iv. for each node in the cell.

10. This step is optional. It only needs to be performed if you are running at a level prior to 6.1.0.23, that is, if you stopped the nodeagents and application servers in step 2. You do not need to stop the nodeagent(s) and application server(s) if you are at or above this level.

i. Restart the Deployment Manager.

ii. Run syncNode from the command line on each node.

iii. Start the nodeagents and application servers. They should now be fully synchronized with the new certificates in place. 
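Before moving on to the plug-in, it is worth checking the result of steps 8 and 9 rather than trusting the console. The script below is an added example, not part of the IBM technote: it parses the text that `keytool -list -v -storetype PKCS12` prints for a key.p12 or trust.p12 (the 6.1 default store password, assumed here, is WebAS), flags every signer in the trust store that has expired or whose fingerprint matches no current personal certificate, which is exactly the comparison step 8.ii describes, and checks that a trust.p12 copied into an etc directory carries the same signers as the cell trust.p12 (step 9). The keytool listings embedded in it are constructed sample output for a cell with one node, not real key stores.

```python
"""Audit a WebSphere V6.1 trust store against the key stores (step 8.ii)
and check that a copied trust.p12 matches the cell one (step 9).
Added example, not part of the IBM technote.  It parses the text that
`keytool -list -v -storetype PKCS12` prints for a store (the 6.1 default
store password is WebAS); the listings below are constructed sample
output for a cell with one node, not real key stores."""
import re
from datetime import datetime

_UNTIL = re.compile(r"until: \w{3} (\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\d{4})")
_SHA1 = re.compile(r"SHA1:\s*([0-9A-F:]{59})")

def parse_keytool_listing(text):
    """One dict per entry: alias, not_after (naive datetime) and SHA1
    fingerprint.  For a key entry keytool prints the entry's own
    certificate first, so the first match is the leaf, not a CA."""
    entries = []
    for chunk in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, _, body = chunk.partition("\n")
        until, sha1 = _UNTIL.search(body), _SHA1.search(body)
        if not (until and sha1):
            raise ValueError("cannot parse keytool entry %r" % alias)
        # keytool prints "Fri Jul 31 09:12:44 EDT 2009"; the zone
        # abbreviation is dropped because strptime cannot resolve it.
        not_after = datetime.strptime(" ".join(until.groups()),
                                      "%b %d %H:%M:%S %Y")
        entries.append({"alias": alias.strip(), "not_after": not_after,
                        "sha1": sha1.group(1).upper()})
    return entries

def audit_truststore(trust_listing, keystore_listings, now):
    """(alias, reason) for each signer that should be deleted: it has
    expired, or its fingerprint matches no personal certificate in any
    current key store, i.e. an old signer left behind by Replace."""
    current = set()
    for listing in keystore_listings:
        current.update(e["sha1"] for e in parse_keytool_listing(listing))
    problems = []
    for e in parse_keytool_listing(trust_listing):
        if e["not_after"] < now:
            problems.append((e["alias"], "expired %s" % e["not_after"].date()))
        if e["sha1"] not in current:
            problems.append((e["alias"], "no matching personal certificate"))
    return problems

def truststores_match(listing_a, listing_b):
    """Step 9: a trust.p12 copied to a profile's etc directory must
    carry exactly the signers of the cell trust.p12."""
    fps = lambda t: set(e["sha1"] for e in parse_keytool_listing(t))
    return fps(listing_a) == fps(listing_b)

# ---- constructed keytool output (sample data, not from a real cell) ----
_HEADER = "Keystore type: PKCS12\nKeystore provider: IBMJCE\n\n"
_OLD_SIGNER = """Alias name: default
Entry type: trustedCertEntry
Owner: CN=dmgr01.example.com, O=Example Corp
Valid from: Thu Jul 31 09:12:44 EDT 2008 until: Fri Jul 31 09:12:44 EDT 2009
Certificate fingerprints:
     SHA1: 0A:13:5D:C8:F2:6E:91:B4:27:3F:A9:E0:5C:84:D6:1B:79:CE:40:62
"""
CELL_KEYSTORE = _HEADER + """Alias name: cell_default
Entry type: keyEntry
Certificate[1]:
Owner: CN=dmgr01.example.com, O=Example Corp
Valid from: Thu Jul 31 10:02:17 EDT 2014 until: Mon Jul 30 10:02:17 EDT 2018
Certificate fingerprints:
     SHA1: 9F:2B:7A:10:C4:5E:88:D1:03:6B:EF:27:9A:41:D0:3C:15:B8:66:E2
"""
NODE1_KEYSTORE = _HEADER + """Alias name: node1_default
Entry type: keyEntry
Certificate[1]:
Owner: CN=app01.example.com, O=Example Corp
Valid from: Thu Jul 31 10:20:05 EDT 2014 until: Mon Jul 30 10:20:05 EDT 2018
Certificate fingerprints:
     SHA1: 4C:E1:09:77:AB:2D:F3:58:60:1A:C7:93:0E:B5:46:FD:22:8B:D9:71
"""
# Cell trust.p12 after steps 4 and 6, before the old signer is deleted.
CELL_TRUSTSTORE = _HEADER + _OLD_SIGNER + """Alias name: cell_default
Entry type: trustedCertEntry
Owner: CN=dmgr01.example.com, O=Example Corp
Valid from: Thu Jul 31 10:02:17 EDT 2014 until: Mon Jul 30 10:02:17 EDT 2018
Certificate fingerprints:
     SHA1: 9F:2B:7A:10:C4:5E:88:D1:03:6B:EF:27:9A:41:D0:3C:15:B8:66:E2
Alias name: node1_default
Entry type: trustedCertEntry
Owner: CN=app01.example.com, O=Example Corp
Valid from: Thu Jul 31 10:20:05 EDT 2014 until: Mon Jul 30 10:20:05 EDT 2018
Certificate fingerprints:
     SHA1: 4C:E1:09:77:AB:2D:F3:58:60:1A:C7:93:0E:B5:46:FD:22:8B:D9:71
"""
# The stale copy still in a profile's etc directory before step 9.
ETC_TRUSTSTORE_BEFORE_COPY = _HEADER + _OLD_SIGNER

if __name__ == "__main__":
    stores = [CELL_KEYSTORE, NODE1_KEYSTORE]
    for alias, why in audit_truststore(CELL_TRUSTSTORE, stores, datetime.now()):
        print("delete signer %-14s %s" % (alias, why))
    print("etc/trust.p12 in sync: %s"
          % truststores_match(CELL_TRUSTSTORE, ETC_TRUSTSTORE_BEFORE_COPY))
```

To run it against a real cell, capture `keytool -list -v -keystore trust.p12 -storetype PKCS12 -storepass WebAS` for the cell trust.p12, each key.p12 and each etc\trust.p12, and pass those texts in place of the constructed listings. Comparing fingerprints rather than aliases is deliberate: after a Replace the old and new signers can carry similar aliases, but the SHA1 fingerprint identifies the certificate unambiguously.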

11. Propagate the signer certificate(s) to plug-in(s).


i. Go to Servers > Web servers. Click webserver_name, then under Additional Properties click Plug-in properties.

IMPORTANT NOTE: Depending on your configuration you may or may not be able to perform the next three steps from the console. If the fields are greyed out and you cannot manage plugin-key.kdb from the console, use iKeyman to add the .arm files extracted in step 8.iv to the Web server's plugin-key.kdb as signer certificates, then continue at step 11.v.

ii. Click Manage keys and certificates under Additional Properties, click Signer certificates and then click Add.


iii. Enter a unique Alias Name and specify the File Name you created in step 8.iv.

iv. Repeat this for each of the new certificates making sure you have done this for the cell signer and all of the node signers.

v. Manually copy the plugin-key.kdb from the local configuration to the Web server.

Default local configuration location:
profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb

Default Web server location:
Web-server-root\Plugins\config\web-server-name\plugin-key.kdb

Note: You can also determine the location from the Plug-in properties page in step i.

vi. Repeat steps i. to v. for each Web server if you have more than one.

vii. Start the Web server(s).

