Friday 11 December 2015

WebSphere DataPower Renewing a Certificate with an Existing Key


Question

Is it possible to renew a soon to be expired certificate with its existing key?

Cause

Certificate expiration and need to renew.

Answer

Yes, this can be done. Private keys never expire.
The first step is to navigate to Administration -> Miscellaneous -> Crypto Tools, and once on this web page set all the radio buttons (including "Export Private Key", "Generate Self-Signed Certificate", "Export Self-Signed Certificate" and "Generate Key and Certificate Objects") to "off".
Next, fill in the "Using Existing Key Object" field with the key object name and set the Validity Period field to the desired value. A new CSR (Certificate Signing Request) will be generated, which can be submitted to a CA (Certificate Authority), e.g. Verisign, to obtain the new certificate.



Generating keys and certificates

You can generate a private cryptographic key and optionally a self-signed certificate from the Crypto Tools page. The Certificate Signing Request (CSR) needed by a certificate authority (CA) is created by default.
If the file is stored in the cert: directory, it cannot be edited. If a file is stored in the local: directory or in the temporary: directory, it can be edited.
To generate a key:
  1. Click Administration → Miscellaneous → Crypto Tools.
  2. Define the LDAP entry.
    1. Set LDAP (reverse) Order of RDNs to indicate whether to create the LDAP entry in reverse RDN order.
      on
      Creates the entry in reverse RDN order.
      off
      (Default) Creates the entry in forward RDN order.
    2. Optional: In the Country Name (C) field, enter a country name.
    3. Optional: In the State or Province (ST) field, enter a state name or a province name.
    4. Optional: In the Locality (L) field, enter a locality name.
    5. Optional: In the Organization (O) field, enter the name of an organization.
    6. Optional: In the Organizational Unit (OU) field, enter the name of an organizational unit.
    7. Optional: In the Organizational Unit 2 (OU), Organizational Unit 3 (OU), and Organizational Unit 4 (OU) fields, enter the names of additional organizational units.
    8. In the Common Name (CN) field, enter a common name.
  3. From the RSA Key Length list, select the key length. This defaults to 1024.
  4. In the File Name field, enter the name of the key file to generate. The value takes the directory:///name form. Leave blank to allow the action to create the name.
  5. In the Validity Period field, enter the number of days that the key is valid.
  6. In the Password field, enter a password to access the key file. The password must be at least six characters in length.
  7. In the Password Alias field, enter a password alias to access the key file.
  8. On HSM-equipped appliances, set Private Key Exportable via hsmkwk to indicate whether the key can be exported with the HSM key-wrapping-key. The default value is off.
    Note: On Type 7199 appliances, you must select on or the operation will fail. The ability to do a subsequent export of the key cannot be disabled.
    on
    Indicates that the key can be exported.
    off
    (Default) Indicates that the key cannot be exported.
  9. Set Export Private Key to indicate whether the action writes the key file to the temporary: directory.
    on
    Writes the key file to the temporary: directory.
    off
    (Default) Does not write the key file to the temporary: directory.
  10. Set Generate Self-Signed Certificate to indicate whether the action creates a self-signed certificate that matches the key.
    on
    (Default) Creates a self-signed certificate.
    off
    Does not create a self-signed certificate.
  11. Set Export Self-Signed Certificate to indicate whether the action writes the self-signed certificate to the temporary: directory.
    on
    (Default) Writes the self-signed certificate to the temporary: directory.
    off
    Does not write the self-signed certificate to the temporary: directory.
  12. Set Generate Key and Certificate Objects to indicate whether the action automatically creates the objects from the generated files.
    on
    (Default) Creates the objects from the generated files.
    off
    Does not create the objects from the generated files.
  13. In the Object Name field, enter the name to use for the Key object and for the Certificate object. Leave blank to allow the action to generate the names from the input information (based on the Common Name (CN) or File Name property).
  14. On HSM-equipped appliances, set Generate Key on HSM to indicate whether to create the key on the HSM.
    on
    Creates the key on the HSM. On Type 9235 appliances, the file name (URL) for the key has the hsm://hsm1/name format. On Type 7199 appliances, the file name (URL) for the key has the hsm://hsm2/name format.
    off
    Creates the key on the appliance. The file name (URL) for the key has the cert:///name format.
  15. In the Using Existing Key Object field, enter the name of an existing key. If supplied and valid, the action generates a new certificate and a new Certificate Signing Request (CSR) that is based on the key in the identified Key object. In this case, the appliance does not generate a new key.
  16. Click Generate Key to generate a private key and, if requested, a self-signed certificate. A CSR is created automatically.
  17. Follow the prompts.
The CSR can be submitted to a certificate authority (CA) to receive a certificate that is based on this private key. This action creates the following files and objects:
  • Creates the private key file in the cert: directory; for example, cert:///sample-privkey.pem
  • Creates the CSR in the temporary: directory; for example, temporary:///sample.csr
  • If Generate Self-Signed Certificate is enabled, creates a self-signed certificate in the cert: directory; for example, cert:///sample-sscert.pem
  • If Export Self-Signed Certificate is enabled, creates a copy of the self-signed certificate in the temporary: directory; for example, temporary:///sample-sscert.pem
  • If Generate Key and Certificate Objects is enabled, creates a Key object and a Certificate object
If the action creates a self-signed certificate, you can use this certificate-key pair for the following purposes:
  • Establish Identification Credentials
  • Encrypt or decrypt XML documents
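The same "renew with an existing key" flow done with OpenSSL on a workstation, as an added example that is not from the technote or the DataPower documentation: the DataPower GUI builds the CSR from the existing Key object for you, and the check shown here (does the CSR really carry the existing key?) is the one worth running on any CSR before it goes to the CA. The temp directory, subject name and key size are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the DataPower technote: renew with an existing key
# using OpenSSL, then verify that the CSR really carries that key. Files live
# in a temp directory; the subject name is constructed for the demo.
set -eu
WORK=$(mktemp -d)

# Stand-in for the existing Key object: generated once, then kept.
make_existing_key() {
    openssl genrsa -out "$WORK/existing.key" 2048 2>/dev/null
}

# Renewal: a new CSR from the existing key. No new key is generated; the
# validity period is set by the CA at issue time, not inside the CSR.
renew_csr() {
    openssl req -new -key "$WORK/existing.key" \
        -subj "/C=US/ST=NY/O=Example Corp/OU=IT/CN=gw.example.com" \
        -out "$WORK/renewal.csr" 2>/dev/null
}

# SHA-256 of a DER-encoded public key, so keys can be compared exactly.
pub_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256
}
pub_fingerprint_of_csr() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

# Check 1: the CSR's self-signature is valid, so the request is intact.
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Check 2: the public key in the CSR belongs to the given private key;
# a mismatch means the renewal silently used a different key.
csr_matches_key() {
    c=$(pub_fingerprint_of_csr "$1"); k=$(pub_fingerprint_of_key "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

make_existing_key
renew_csr
csr_verifies "$WORK/renewal.csr" && echo "CSR signature OK"
csr_matches_key "$WORK/renewal.csr" "$WORK/existing.key" \
    && echo "CSR carries the existing key"
```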

Tuesday 13 October 2015

IIS Certificate CSR

https://www.alphassl.com/support/create-csr/iis6.html

To generate a Certificate Signing Request (CSR), perform the following steps:
1. Open Internet Information Services 6 (IIS)
2. Select the site where you want to enable secure communications
3. Right click the site to be secured, and select "Properties"
4. Click the "Directory Security" tab
5. Under the "Secure Communications" section, click "Server Certificate"
6. The "Web Server Certificate Wizard" will start
7. Click Next
8. Select the "Create a new certificate" option and click Next
9. Select the "Prepare the request now, but send it later" option, and click Next
10. Type a Friendly Name for the certificate (this can be anything)
11. Select the "Bit Length" (default 1024) and whether you want to use SGC (Server Gated Cryptography), then click Next
12. If SGC was selected, continue to step 13; if SGC was not selected, move on to step 14.
13. Select the cryptographic provider you wish to use (Microsoft RSA SChannel Cryptographic Provider is the default)
14. Input the Organization (O) and the Organizational Unit (OU) fields. Click Next
15. Input the Common Name (Fully Qualified Domain Name - www.yourdomain.com). This MUST match the web server DNS name. Click Next
16. Input the Country/Region, City and State. This information must be correct - abbreviations will not be accepted by the system
17. Select where the file will be saved, and the name of the file. Typically, the root of the hard drive or the Desktop is recommended, so the file can be found quickly. Once you have selected the name and location, click Next.
18. You will now be presented with a summary screen of all the information that has been entered. Ensure all information is correct, and click Next
19. You have now generated your Certificate Signing Request. Select Finish to close the wizard.
This file can now be submitted via the web site

 


Model2:

CSR Creation for IIS Web Server SSL Certificates

If you already have your SSL Certificate and just need to install it, see IIS 5 & 6 SSL Certificate Installation.
How to generate a CSR in IIS 5.x or 6.x Web Server
New: IIS 5/6 CSR video walkthrough
  1. From the Administrative Tools in the Control Panel, run Internet Information Services.
    IIS Default Web Site
  2. Right-click on the website you are securing, and select Properties. Click on the Directory Security tab, and hit the Server Certificate button.
    IIS Directory Security - Server Certificate
  3. Click next. Choose 'Create a new certificate' and hit next.
    If you are renewing an existing certificate, you will instead see the option to Renew, Remove, or Replace your certificate. Choose the option to Renew and skip over steps 5-8.
    IIS Create a new Certificate
  4. Choose 'Prepare the request now, but send it later' and hit next.
    IIS Prepare request now, send it later
  5. Enter a name for the certificate that you can identify on your server. Choose a bit-length of 2048. Leave the other boxes un-checked.
    IIS Name and Security Settings
  6. Enter the full legal name of your company. Enter a department such as 'Security' or 'IT' in the organizational unit.
    IIS Organization Information
  7. Enter the fully qualified domain name of your site (ex: www.yourdomain.com)
    IIS Your Site's Common Name
  8. Enter the location of your organization: Country, State, and City.
    IIS Geographical Information
  9. Choose a file name and a location to save your SSL Certificate Signing Request (CSR). The file should be saved as a text file (.txt)
  10. Click next to generate the file.
    IIS Request File Summary
  11. Now open the CSR file using a text editor such as notepad, and copy and paste the text (including the BEGIN and END tags) into the DigiCert order form.
    ** Important ** - When you have completed the steps above a "pending request" will be created on your website. This "pending request" MUST NOT BE DELETED. Later, when your certificate is issued, you must install the certificate to this exact pending request or the certificate will not be functional.
  12. After you receive your SSL Certificate from DigiCert, you can install it.
    See IIS 5 & 6 SSL Certificate Installation.

Renewing an IIS 7 SSL Certificate

If you are renewing your GeoTrust SSL certificate running on Microsoft Internet Information Services (IIS) 7, you will need to perform some simple tasks on your IIS 7 web server before placing an order to renew your expiring SSL certificate.

Generate Renewal Certificate Request File (CSR)
  1. Open the Internet Information Services (IIS) Manager. From the Start button select Programs >Administrative Tools > Internet Information Services Manager.
  2. In the IIS Manager, select the main server node on the top left under Connections
  3. In the Features pane (the middle pane), double-click the Server Certificates option located under the IIS or Security heading (depending on your current group-by view).
  4. URGENT!! There is a known bug in IIS7 when using the "Renew" link to renew your SSL certificate. Please do not use the "Renew" link.
    From the Actions pane on the top right, select Create Certificate Request (DO NOT SELECT THE RENEW LINK). The Distinguished Name Properties dialog box opens.
  5. You will be asked for several pieces of info which will be used by GeoTrust to create your new SSL certificate. These fields include the Common Name (aka domain, FQDN), organization, country, key bit length, etc. Use the CSR Legend in the right-hand column of this page to guide you when asked for this information. The following characters should not be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
  6. THIS IS THE MOST IMPORTANT STEP! Enter your site's Common Name. The Common Name is the fully-qualified-domain name for your web site or mail server. What ever your end-user will see in their browser's address bar is what you should put in here. Do not include http:// nor https://. Refer to the CSR legend in the right-hand column of this page for examples. If this is wrong, your certificate will not work properly.
  7. Enter your Organization (e.g., Gotham Books Inc) and Organizational Unit (e.g., Internet Sales). Click Next.
  8. Enter the rest of the fields using the CSR Legend in the right-hand column of this page for guidance and examples.
  9. Click Next to continue.
  10. The next screen of the wizard asks you to choose cryptography options. The default Microsoft RSA SChannel Cryptography Provider is fine and a key bit-length of 2048.
  11. Click Next to continue.
  12. Finally, specify a file name for the certificate request. It doesn't matter what you call it or where you save it as long as you know where to find it. You'll need it in the next step. We recommend calling it certreq.txt.
  13. Click Finish to complete the certificate request (CSR) Wizard.
  14. Now, from a simple text editor such as Notepad (do not use Word), open the CSR file you just created at c:\certreq.txt (your path/filename may be different). You will need to copy-and-paste the contents of this file, including the top and bottom lines, into the relevant box during the online order process.

    Open CSR in Notepad

When you get your certificate back refer to the certificate Installation instructions




IIS 7 SSL Certificate CSR Creation

Easy IIS 7 SSL Certificate Renewal using DigiCert Utility

For a very simple way of renewing your certificate for IIS 7 please see the SSL Cert Renew Util for IIS 7 page. This guides you through creating a new CSR, installing the certificate, and much much more.
How to Generate an SSL Certificate Renewal CSR in Microsoft IIS 7
  1. Open the IIS Manager by going to Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Under Connections click your server's Hostname.
  3. In the center window pane, scroll down to and Double-Click the Server Certificates icon.
  4. On the right window pane under Actions click the link to Create Certificate Request....
  5. Enter the following information in the "Distinguished Name Properties" and click Next:

    Common Name - Typically the domain (e.g. www.yourdomain.com) computers will connect to this server with.
    Organization -    Your organization's or company's legally registered name (e.g. Your Company, LLC; Your Company, Inc.)
    Organizational unit - Your organization's department name (If you don't know what to put just enter 'IT').
    City/locality -     The city/municipality where your organization is located.
    State/province - The state where your organization is located.
    Country/region - Your country's abbreviated two letter country code.
  6. Choose Microsoft RSA SChannel and 2048 and then click Next.
  7. Save your CSR file to a location. Then open this file in Wordpad, hit (Ctrl+A) and (Ctrl+C) to select all and copy the contents to the clipboard.

  8. Now login to your DigiCert account.
    Under the "My Orders" tab, click + to expand the options for order you would like to renew, then click the Renew link.

    DigiCert Certificate Manager
    Follow the instructions to place the order with DigiCert to renew your SSL Certificate.

SSL Certificate Renewal Installation in Microsoft IIS 7

Installation Instructions to Renew your Windows 2008 Server SSL Certificate

  1. Save your certificate file to the IIS server that the CSR request was generated from.
  2. Open the IIS Manager and on the left side click on your server's name, and in the center window pane scroll down to Server Certificates and open it.
  3. Now under Actions pane click to Complete Certificate Request...
  4. Click ... to browse to the .CER certificate file DigiCert sent you, give the certificate a Friendly Name to help you refer to this certificate in the future, and click Ok.

    Note: You may receive the following error messages when installing the certificates:
    "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." "ASN1 bad tag value met".

    If you created the CSR (AKA pending request) for the certificate you are installing you can ignore this error, close the dialog box and hit the "F5" key to update the list of available installed certificates.
    If you can see your certificate with the friendly name you just assigned, click to go to the next step.
    If your certificate isn't listed please contact DigiCert support for assistance.
  5. Under the Connections window pane, expand your server's computer name, then click the Site that you want to enable SSL on.
  6. In the Actions menu click Bindings... then select the binding for https and click 'Edit'.
  7. In the 'SSL certificate:' drop-down menu select your newly-installed SSL Certificate by its friendly name, and click Ok.
  8. Your new SSL Certificate should now be installed to your server.
For help with your cert installation or troubleshooting, try our new Windows SSL management tool.

Test Your Installation

If your web site is publicly accessible, our SSL Cert Tester tool can help you diagnose common problems.

SSL Certificates :: Microsoft Internet Information Server 7

Wednesday 7 October 2015

Configure Java VisualVM with Websphere Application Server



Hi everyone,

Since Version 1.5, Sun’s JDK includes a nice profiling tool called VisualVM, intended to be used by developers, sysadmins and any person that needs to troubleshoot and profile memory consumption in Java applications and servers.  To run it, just execute the file jvisualvm located in $JAVA_HOME/bin. With VisualVM you can:

1. Monitor heap usage
2. Monitor CPU usage
3. Monitor threads
4. Initiate garbage collections
5. Profile CPU and memory
6. And more…


Profiling local applications is pretty easy, since you only need to start it and it'll detect all Java-based applications, and you'll be able to see the Heap/PermGen usage, the number of threads used, the classes loaded by the class loader and other stuff. It can also be used to monitor IBM JVMs, but VisualVM is not able to connect to the IBM JVM locally; JMX must be used instead. To enable JMX monitoring on the IBM JVM, follow the procedure below.

Procedure:


From Websphere Application Server Side:

On the admin console Click on Servers->Server types->WebSphere application servers->server1->Process definition->Java Virtual Machine, add the following line into the field of Generic JVM Argument (note that the first system property is equal to nothing and no equal sign for the second system property):


-Djavax.management.builder.initial= -Dcom.sun.management.jmxremote




Add or uncomment the following lines in the file WAS_HOME/java/jre/lib/management/management.properties:

com.sun.management.jmxremote.port=1099

com.sun.management.jmxremote.authenticate=false

com.sun.management.jmxremote.ssl=false

com.sun.management.jmxremote.local.only=false
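The four properties above, written next to a hardened variant, with a small shell check that flags the posted combination, as an added example that is not from the post. The point for a defender: authenticate=false together with local.only=false means any host that can reach port 1099 gets full JMX access to the server JVM with no credentials and no TLS, so the posted settings belong to a temporary troubleshooting session on a trusted network. The password/access file paths in the hardened file are assumed, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the post: the management.properties values the post
# enables, written beside a hardened variant, and a small audit that flags the
# risky combination. Both files are constructed here in a temp directory.
set -eu
WORK=$(mktemp -d)

# As in the post: remote JMX on 1099 with no authentication and no TLS, and
# local.only=false, so any host that can reach the port gets full JMX access.
cat > "$WORK/as-posted.properties" <<'EOF'
com.sun.management.jmxremote.port=1099
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false
com.sun.management.jmxremote.local.only=false
EOF

# Hardened variant (file paths assumed): password auth and TLS on, local.only
# left at its default of true. ssl=true also needs a keystore via javax.net.ssl.*.
cat > "$WORK/hardened.properties" <<'EOF'
com.sun.management.jmxremote.port=1099
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.password.file=/opt/IBM/WebSphere/AppServer/java/jre/lib/management/jmxremote.password
com.sun.management.jmxremote.access.file=/opt/IBM/WebSphere/AppServer/java/jre/lib/management/jmxremote.access
com.sun.management.jmxremote.ssl=true
EOF

# Value of one property (comments ignored, last definition wins); empty if unset.
prop() {
    grep -v '^[[:space:]]*#' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# Exit 0 when the file opens an unauthenticated JMX port to other hosts:
# a port is set, authenticate is false, and local.only is explicitly false.
jmx_exposed() {
    port=$(prop com.sun.management.jmxremote.port "$1")
    auth=$(prop com.sun.management.jmxremote.authenticate "$1")
    local_only=$(prop com.sun.management.jmxremote.local.only "$1")
    [ -n "$port" ] && [ "${auth:-true}" = "false" ] && [ "${local_only:-true}" = "false" ]
}

for f in "$WORK"/*.properties; do
    if jmx_exposed "$f"; then echo "EXPOSED: $f"; else echo "ok: $f"; fi
done
```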

From Java  VisualVM Side:

Go to the JAVA_HOME/bin and execute following command

jvisualvm.exe



Right click on Local and click on Add JMX Connection



Insert the JMX port which we mentioned earlier in the management.properties file, i.e. 1099



Double click on the newly added JMX connection, i.e. localhost:1099, and the monitoring console will be available.


We can use the different tabs for monitoring different areas.


Thursday 30 July 2015

Change Host, Cell and Node names.

 Seeing as the wsadmin command to rename a cell is not officially documented or supported, I have removed it from this post. I’m sorry, but it is for your own good!!
It seems like I get asked quite a bit about how to change node names and host names for a given WebSphere Application Server environment. It usually starts by someone asking me what configuration files they need to change when they want to update this information, and is followed by their surprise when I tell them none. The reason I say that is because it’s time consuming, hard, and unnecessary for you to figure this out. Instead, you can use two simple wsadmin commands. I’ll give you an example of those here (all written in Jython).
To change the name of a given node, use the following wsadmin command:
AdminTask.renameNode('[-nodeName <existing_node_name> -newNodeName <new_node_name>]')
This updates the name of the node specified by the nodeName parameter to the name specified by the newNodeName parameter.

To change the host name for a given node, use the following wsadmin command:
AdminTask.changeHostName('[-nodeName <node_name> -hostName <new_host_name>]')
This updates the host name for the node specified in the nodeName parameter to the value specified in the hostName parameter.

These commands update all of the necessary WAS configuration, but do keep in mind they do not update any shell or batch files in the environment. This means you need to update the setupCmdLine script included in your WAS installation, and you obviously need to update any of your custom scripts that have hard coded values for node and host names.

O/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin # ./wsadmin.sh -conntype NONE 
 -lang jython
WASX7357I: By request, this scripting client is not connected to any server process. 
 Certain configuration and application operations will be available in local mode.
WASX7031I: For help, enter: "print Help.help()"
wsadmin>

wsadmin>AdminTask.changeHostName ('[-interactive]')
Change Host Name

Change the host name of a node

*Node Name (nodeName): BhikshuCellManager01
*Host Name (hostName): new Host name
System Name (systemName): Bhikshu
Regenerate Certificates (regenDefaultCert): y

Change Host Name

F (Finish)
C (Cancel)

Select [F, C]: [F] F
WASX7278I: Generated command line: AdminTask.changeHostName
 ('[-nodeName BhikshuCellManager01 
 -hostName newhostname -systemName Bhikshu ]')
''
wsadmin>AdminConfig.save()
''
wsadmin>exit

Friday 26 June 2015

Delete files that are x days old

Sometimes in Linux, you want to clear out older files in a directory. One instance would be if you have a security system and it continuously writes video files to a directory on your NAS (Network Attached Storage) until it fills it up. You’ve figured out that if you keep a week’s worth of video, it will usually leave plenty of space for other users.

What I would suggest here is creating a cron job that runs every night and runs something like the following command:
find /path/to/files/ -type f -mtime +7 -exec rm -rf {} \;
What it all means:
find: the command that will search for the files
/path/to/files/: the top level directory to start searching
-type f: so we don't remove directories, only files
-mtime +7: files older than '7' days. Change to '+14' to delete files older than 2 weeks.
-exec: what to do with the files we find
rm -rf: remove them recursively, force
{}: this represents each file we find
\;: the end of the exec
SO – the crontab entry would be this:
0 2 * * * find /path/to/files/ -type f -mtime +7 -exec rm -rf {} \;
This will run every night at 2am.
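The find command from the post run against a constructed directory, as an added example that is not from the post, to show what -mtime +7 actually selects: find counts whole 24-hour periods, so a file 7.5 days old counts as "7 days" and survives +7. It uses rm -f instead of rm -rf, since -type f already excludes directories and the -r adds only risk; the -d timestamps need GNU touch/date, and the directory is a temp dir.

```shell
#!/bin/sh
# Added example, not from the post: the post's find command against a
# constructed directory, showing what -mtime +7 selects. Needs GNU touch/date
# for the -d timestamps; everything lives in a temp dir.
set -eu
VIDEOS=$(mktemp -d)
now=$(date +%s)

# Constructed sample: a 30-day-old recording, one 7.5 days old, one from today,
# and an old recording in a subdirectory (find descends into it).
mkdir -p "$VIDEOS/cam2"
touch -d "@$((now - 30*86400))" "$VIDEOS/cam1-old.mp4"
touch -d "@$((now - 7*86400 - 43200))" "$VIDEOS/cam1-week.mp4"
touch "$VIDEOS/cam1-today.mp4"
touch -d "@$((now - 30*86400))" "$VIDEOS/cam2/old.mp4"

# The post's command with rm -f: -type f already keeps directories out of the
# result, so the recursive flag buys nothing and would be dangerous if the
# -type f test were ever dropped.
purge_old() {
    find "$1" -type f -mtime +7 -exec rm -f {} \;
}

# Files still present under the directory, relative names, sorted, space-separated.
remaining() {
    find "$1" -type f | sed "s|^$1/||" | sort | tr '\n' ' ' | sed 's/ $//'
}

purge_old "$VIDEOS"
remaining "$VIDEOS"
# Survivors: cam1-today.mp4 and cam1-week.mp4. The 7.5-day-old file is kept
# because its age truncates to 7 days, and +7 means strictly more than 7.
# The cam2 directory itself survives; only its old file is removed.
```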