Managing and Replacing WebSphere 6.1 SSL Certificates

IBM Software Group Managing and Replacing WebSphere 6.1 SSL Certificates Brett Ostrander WebSphere Support Technical Exchange

Agenda Basic Design / Overview Default 6.1 Configuration Scope Settings Certificate Expiration Management Manually Replacing Certificates

Basic Design / Overview No longer use the Dummy keys Key Stores (key.p12) and Trust Stores (trust.p12) contain Signer Certificates Personal Certificates Personal Certificate Requests WebSphere provides all of the needed key/trust stores needed by default Self signed certificates are created per profile by default

Basic Design / Overview Certificate and key management is built into the Admin Console Configurations are scoped at the level of cell, node, cluster, node group, server...

Default Configuration Key Stores and Trust Stores are managed via the Admin Console and stored in the configuration repository CellDefaultKeyStore is located in ${CONFIG_ROOT}/cells/cell_name/key.p12 CellDefaultTrustStore is located in ${CONFIG_ROOT}/cells/cell_name/trust.p12 Important: This is the Trust Store used by default in the Entire Cell

Default Configuration NodeDefaultKeyStore is in ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/key.p12 NodeDefaultTrustStore is in ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/trust.p1 2 NodeDefaultTrustStore is not used by default

Default Configuration Web Server s KDB file is in ${CONFIG_ROOT}/config/cells/cell_name/nodes/node_name/ servers/webserver/plugin-key.kdb

Scope Settings

SSL configurations > NodeDefaultSSLSettings

Certificate Expiration Management WebSphere automatically (be default) scans all key stores looking for certificates that will expire Any self-signed certificates that will expire in the next expiration notification days will be replaced if automatic synchronization is disabled and outage will occur unmanaged webservers stop working communication may be broken with other servers in other cells, MQ, etc. various other problems can also occur Consider disabling automatic certificate replacement and generating your own certificates...

Manually Replacing Certificates Run backupconfig on the Deployment Manager Replace the Deployment Manager certificate In the Admin Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate

Enter the required attributes and Save the changes.

Return to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates Select the old certificate and Replace

Accept your new certificate and Save

On the next screen, select the old certificate and Delete

Verify that a Signer Certificate was added to your CellDefaultTrustStore for your new personal certificate

If for any reason the Signer Certificate was not added then you can do this manually

Select the CellDefaultKeyStore and the CellDefaultTrustStore and click Exchange signers...

Select and Add the new Signer Certificate

Manually Replacing Certificates Replace the Node certificate Go to Security > SSL certificate and key management > Manage endpoint security configurations and Select the node

Select Manage certificates

Create a new self-signed certificate

Enter the required attributes and Save the changes

Return to Security > SSL certificate and key management > Manage endpoint security configurations and Select the node Select Manage Certificates Select the old certificate and click Replace

Accept your new certificate and Save

Return to the node Manage certificates page, select the old certificate and Delete

Verify that a Signer Certificate was added to your CellDefaultTrustStore for your new Personal Certificate

If for any reason the Signer Certificate was not added then you can do this manually Select the NodeDefaultKeyStore and the CellDefaultTrustStore and click Exchange signers...

Select and Add the new Signer Certificate

Manually Replacing Certificates Delete the old Signer Certificates and Extract the new ones

Extract each certificate

Enter a File Name that corresponds to the certificate. For example, node1.arm These files are saved to the profile_root/dmgr/etc directory

Manually Replacing Certificates Add the Signer Certificates for each node to the plugin-key.kdb Go to Servers > Web servers> webserver_name > Plug-in properties > Manage keys and certificates > Signer certificates > Add

Enter a unique Alias Name and then specify the File Name that you created previously

Repeat this for each of the new certificates (the cell signer and all of the node signers) Manually copy the plugin-key.kdb from the local configuration to the webserver Important Note: Depending on your configuration you may not be able to perform the previous steps with the console. If the fields are greyed out and/or you are unable to manage your plugin-key.kdb from the console you will need to use IKEYMAN to manually add the certificates

Manually Replacing Certificates For all profiles, when these self-signed certificates are initially created they are also added into the key.p12 and trust.p12 in the ${PROFILE_ROOT}/etc directory. These key stores are used by clients (for example, wsadmin) started from this profile These certificates provide them with the trust needed to communicate with servers in the same profile without requiring any signer exchanges to occur

Manually Replacing Certificates Whenever changes are made to the server certificates after the initial profile creation the /etc trust.p12 will need to be updated If client authentication is enabled on the server the /etc/key.p12 will need be updated also

Manually Replacing Certificates Manually replace the trust.p12 in each of the /etc directories Copy the ${CONFIG_ROOT}/cells/cell_name/trust.p12 to the profile_root/dmgr/etc directory Copy the ${CONFIG_ROOT}/cells/cell-name/trust.p12 to the profile_root/appsrv/etc directory and repeat for each node in the cell If needed, replace the key.p12 files also Copy the ${CONFIG_ROOT}/cells/cell_name/key.p12 to the profile_root/dmgr/etc directory Copy the ${CONFIG_ROOT}/cells/cellname/node/node_name/key.p12 to corresponding profile_root/appsrv/etc directory and repeat for each node in the cell

Reference Articles IBM WebSphere Developer Technical Journal: SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1 Manually Replacing SSL Certificates in V6.1

IBM Software Group Additional WebSphere Product Resources Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/ Learn about other upcoming webcasts, conferences and events: http://www.ibm.com/software/websphere/events_1.html Join the Global WebSphere User Group Community: http://www.websphere.org Access key product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant View a Flash replay with step-by-step instructions for using the Electronic Service Request (ESR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html Sign up to receive weekly technical My support emails: http://www.ibm.com/software/support/einfo.html WebSphere Support Technical Exchange 45

IBM Software Group Questions and Answers WebSphere Support Technical Exchange 46