This document describes the steps necessary to replace the certificates in IBM WebSphere Application Server V6.1 when the certificates have expired or if the nodes are out of sync.
NOTE: This document assumes that you are using a default configuration. If you have made modifications to your SSL configurations you will need to take these changes into account. For example, additional steps will be required if you have enabled client authentication on the application servers.
1. Run backupConfig on the Deployment Manager.
2. Stop all of the nodeagents and application servers in the cell. Stop the Web server(s). Start the Deployment Manager.
3. Replace the Deployment Manager certificate.
i. In the Administrative Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate
ii. Enter the required attributes.
Alias : cell_default Common name : <hostname> Validity period : <number of days> <-- this can be set greater than 365 Organization : <company> Click OK and Save the changes. iii. Return to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates iv. Select the old certificate and click Replace. v. On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers. Accept your new certificate and any browser prompts. vi. On the next screen, select the old certificate and click Delete. Click OK and Save the changes. At this point the Deployment Manager has its certificate replaced.
4. Add the Deployment Manager signer certificate to the CellDefaultTruststore.
i. Go to SSL certificate and key management > Key stores and certificates. ii. Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.
iii. Select the certificate in CellDefaultKeyStore personal certificates created in previous step and click Add. Click OK and Save the changes.
5. Replace the certificate on the node(s). This step will need to be done for each node in the cell.
i. Go to Security > SSL certificate and key management > Manage endpoint security configurations. ii. Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null). iii. Click the Manage certificates button.
iv. Click Create a self-signed certificate. v. Enter the required attributes. Alias : nodeX_default <-- where X is the node number Common name : <hostname> Validity period : <number of days> <-- this can be set greater than 365 Organization : <company> Click OK and Save the changes. vi. Return to Security > SSL certificate and key management > Manage endpoint security configurations, click node_name(NodeDefaultSSLSettings,null), click Manage certificates. vii. Select the old certificate and click Replace. viii. On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers. ix. On the next screen, select the old certificate and click Delete. Click OK and save the changes.
6. Add the Node signer certificate to the CellDefaultTruststore. This step will need to be done for each node in the cell.
i. Go to Security > SSL certificate and key management > Manage endpoint security configurations. ii. Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null) and select Key stores and certificates. iii. Select NodeDefaultKeyStore and CellDefaultTrustStore and then Click Exchange signers. iv. Select the certificate in NodeDefaultKeyStore personal certificates created in previous step and click Add.
Click OK and Save the changes.
7. Repeat steps 5 and 6 for each node in the cell. 8. Delete the old signer certificates and extract the new ones.
i. Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates ii. Select all of the old signer certificates and click Delete. If you are not sure, you can compare the Fingerprint and/or the Expiration dates with the personal certificate in the keystores. iii. Select one of the new certificates. Click Extract. iv. Enter a File Name that corresponds to the certificate. For example, node1.arm. Click Ok. v. Repeat iii. and iv. for each of the new certificates making sure you have done this for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/etc directory.
9. Manually copy the trust store to each of the /etc directories.
i. Backup the trust.p12 in profile_root\Dmgr\etc ii. Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc iii. Backup the trust.p12 on each of the nodes profile_root\Appsrv\etc directories. iv. Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Appsrv\etc v. Repeat the previous step for each node in the cell.
10. Sync and Start the node(s).
i. Restart the Deployment Manager. ii. Run a command line syncNode from each of the nodes. iii. Start the nodeagents and application servers. They should now be fully synchronized with the new certificates in place.
11. Propagate the signer certificate(s) to plug-in(s).
i. Go to Servers > Web servers. Click webserver_name, then under Additional Properties click Plug-in properties.
IMPORTANT NOTE: Depending on your configuration you may or may not be able to perform the next 3 steps with the console. If the fields are greyed out and you are unable to manage your plugin-key.kdb from the console you will need to use IKEYMAN to manually add the certificates from step 8. iv. to the Web server plugin-key.kdb file and then continue at step 11 v. ii. Click Manage keys and certificates under Additional Properties, click Signer certificates and then click Add. iii. Enter a unique Alias Name and then specify the File Name that you created in step 8. iv. iv. Repeat this for each of the new certificates making sure you have done this for the cell signer and all of the node signers. v. Manually copy the plugin-key.kdb from the local configuration to the Web server. Default local configuration location: profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb Default Web server location: Web-server-root\Plugins\config\web-server-name\plugin-key.kdb Note: You can also determine the location from the Plug-in properties page in step i. vi. Repeat steps i. to v. for each Web server if you have more than one. vii. Start the Web server(s).
No comments:
Post a Comment