When a WebSphere Application Server process starts for the first time, the Secure Sockets Layer (SSL) runtime initializes the default keystores and truststores that are specified in the SSL configuration.
WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default, self-signed certificate is also created in the key.p12 file at this time. The signer or public key is extracted from the key.p12 file and added to the trust.p12 file. If the files do not exist during process startup, they are recreated during startup.
You can easily identify keystore and truststore defaults because of their suffixes: DefaultKeyStore and DefaultTrustStore. Also, in the SSL configuration, you must set the fileBased attribute to true so that the runtime uses the default keystores and truststores only.
On a base application server, default key and truststores are stored in the node directory of the configuration repository. For example, the default key.p12 and trust.p12 stores are created with the AppSrv01 profile name, the myhostNode01Cell name, and the myhostNode01 node name. The key and truststores are located in the following directories:
/QIBM/UserData/WebSphere/AppServer/V61/Express/profiles/default/config/cells/myhostNode01Cell/nodes/myhostNode01/key.p12
/QIBM/UserData/WebSphere/AppServer/V61/Express/profiles/default/config/cells/myhostNode01Cell/nodes/myhostNode01/trust.p12
The default password is WebAS for all default keystores generated by WebSphere Application Server. Change the default password after the initial configuration for a more secure environment.
The default self-signed certificate is created during profile creation for both the server and client for that profile.
You can recreate the certificates with different information simply by deleting the *.p12 files in /config and /etc. Change the four properties below to the values you want the certificates to contain, then restart the processes. This causes the server certificate in /config and the client certificate in /etc to differ.
If you want to set up SSL client authentication between the client and the server, signer certificates must be exchanged. The certificate properties in the following paragraph exist in the ssl.client.props file, but do not exist in the server configuration. You can use these certificate properties in the server configuration if you add them as custom security properties using the administrative console.
com.ibm.ssl.defaultCertReqAlias=default_alias
com.ibm.ssl.defaultCertReqSubjectDN=cn=${hostname},o=IBM,c=US
com.ibm.ssl.defaultCertReqDays=365
com.ibm.ssl.defaultCertReqKeySize=1024
You must then delete the default self-signed certificate and restart the deployment manager (DMGR), node and all of the servers. If the default certificate does not exist, WebSphere Application Server automatically generates a new default certificate using the properties listed above.
If a default_alias value already exists, the runtime appends _#, where the number sign (#) is a number that increments until it is unique in the keystore. ${hostname} is a variable that is resolved to the host name where it was originally created. The default expiration date of self-signed certificates is one year from their creation date.
The runtime monitors the expiration dates of self-signed certificates using the Certificate Expiration Monitor. These self-signed certificates are automatically replaced along with the signer certificates when they are within the expiration threshold, which is typically 30 days before expiration. You can increase the default key size beyond 1024 bits only when the Java Runtime Environment policy files are unrestricted, that is, not exported. For more information, see Certificate expiration monitoring.
<repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings" managementScope="ManagementScope_1">
  <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" securityLevel="HIGH"
           enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS"
           keyStore="KeyStore_1" trustStore="KeyStore_2"
           trustManager="TrustManager_1" keyManager="KeyManager_1"/>
</repertoire>
Default keystore
<keyStores xmi:id="KeyStore_1" name="NodeDefaultKeyStore" password="{xor}349dkckdd=" provider="IBMJCE"
           location="${USER_INSTALL_ROOT}/config/cells/myhostNode01Cell/nodes/myhostNode01/key.p12"
           type="PKCS12" fileBased="true" hostList="" initializeAtStartup="true"
           managementScope="ManagementScope_1"/>
The NodeDefaultKeyStore keystore contains the personal certificate that represents the identity of the secure endpoint. Any keystore reference can use the ${USER_INSTALL_ROOT} variable, which is expanded by the runtime. The PKCS12 default keystore type is the most interoperable format, which means that it can be imported into most browsers. The password attribute is stored in encoded form.
<managementScopes xmi:id="ManagementScope_1" scopeName="(cell):myhostNode01Cell:(node):myhostNode01" scopeType="node"/>
Any configuration objects that are stored in the security.xml file whose management scopes are outside the current process scope are not loaded in the current process. Instead, the management scope is loaded by servers that are contained within the myhostNode01 node. Any application server that is on the specific node can view the keystore configuration.
When you list the contents of the key.p12 file to show the self-signed certificate, note that the common name (CN) of the distinguished name (DN) is the host name of the resident machine. This lets you verify that the host name in the certificate matches the host name in the URLs you connect to. Additionally, you can verify the host name from a custom trust manager. For more information, see Trust manager control of X.509 certificate trust decisions.
Contents of default keystore
keytool -list -keystore /QIBM/UserData/WebSphere/AppServer/V61/Express/profiles/default/config/cells/myhostNode01Cell/nodes/myhostNode01/key.p12 -storepass myhostNode01Cell -storetype PKCS12 -v
Alias name: default
Entry type: keyEntry
Owner: CN=myhost.austin.ibm.com, O=IBM, C=US
Issuer: CN=myhost.austin.ibm.com, O=IBM, C=US
Valid from: 10/18/05 4:06 PM until: 10/18/06 4:06 PM
Certificate fingerprint: SHA1: 33:6E:9E:10:65:04:CE:7A:6C:C3:B1:79:8B:9A:05:49:AC:E5:67:F3
The default alias name and the keyEntry entry type indicate that the private key is stored with the public key, which makes this a complete personal certificate. The certificate is owned by CN=myhost.austin.ibm.com, O=IBM, C=US and is issued by the same entity, which means it is self-signed. By default, the certificate is valid for one year from the date of creation.
Additionally, in some signer-exchange situations, the certificate fingerprint ensures that the sent certificate has not been modified. The fingerprint, which is a hash algorithm output for the certificate, is displayed by the WebSphere Application Server runtime during an automated signer exchange on the client side. The client fingerprint must match the fingerprint that is displayed on the server. The runtime typically uses the SHA1 hash algorithm to generate certificate fingerprints.
Default truststore
<keyStores xmi:id="KeyStore_2" name="NodeDefaultTrustStore" password="{xor}349dkckdd=" provider="IBMJCE"
           location="${USER_INSTALL_ROOT}/config/cells/myhostNode01Cell/nodes/myhostNode01/trust.p12"
           type="PKCS12" fileBased="true" hostList="" initializeAtStartup="true"
           managementScope="ManagementScope_1"/>
Contents of default truststore
keytool -list -keystore /QIBM/UserData/WebSphere/AppServer/V61/Express/profiles/default/config/cells/myhostNode01Cell/nodes/myhostNode01/trust.p12 -storepass myhostNode01Cell -storetype PKCS12 -v
Alias name: default_signer
Entry type: trustedCertEntry
Owner: CN=myhost.austin.ibm.com, O=IBM, C=US
Issuer: CN=myhost.austin.ibm.com, O=IBM, C=US
Valid from: 10/18/05 4:06 PM until: 10/18/06 4:06 PM
Certificate fingerprint: SHA1: 33:6E:9E:10:65:04:CE:7A:6C:C3:B1:79:8B:9A:05:49:AC:E5:67:F3
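The checks a practitioner would run against the two listings above (is the personal certificate self-signed, how close it is to the expiration monitor's 30-day threshold, and whether the default_signer entry in trust.p12 carries the same SHA1 fingerprint as the personal certificate in key.p12, as required during signer exchange) as an added example; this is not WebSphere's own code, and it assumes keytool output in the abbreviated form shown on this page, with the sample listings constructed from those entries.

```python
import re
from datetime import datetime

# Sample keytool -v listings constructed from the entries shown on this page.
KEYSTORE_LISTING = """Alias name: default
Entry type: keyEntry
Owner: CN=myhost.austin.ibm.com, O=IBM, C=US
Issuer: CN=myhost.austin.ibm.com, O=IBM, C=US
Valid from: 10/18/05 4:06 PM until: 10/18/06 4:06 PM
Certificate fingerprint: SHA1: 33:6E:9E:10:65:04:CE:7A:6C:C3:B1:79:8B:9A:05:49:AC:E5:67:F3
"""
TRUSTSTORE_LISTING = (KEYSTORE_LISTING.replace("Alias name: default", "Alias name: default_signer")
                      .replace("keyEntry", "trustedCertEntry"))

DATE_FMT = "%m/%d/%y %I:%M %p"  # short date form keytool printed in the listings above

def parse_entries(listing):
    """Parse each 'Alias name:' block of a keytool -v listing into a dict."""
    entries = []
    for block in re.split(r"\n(?=Alias name:)", listing.strip()):
        def field(name):
            m = re.search(rf"^{name}: (.+)$", block, re.M)
            return m.group(1).strip() if m else None
        valid = re.search(r"Valid from: (.+?) until: (.+)$", block, re.M)
        sha1 = re.search(r"SHA1: ([0-9A-F:]+)", block)
        entries.append({
            "alias": field("Alias name"), "type": field("Entry type"),
            "owner": field("Owner"), "issuer": field("Issuer"),
            "not_after": datetime.strptime(valid.group(2).strip(), DATE_FMT),
            "sha1": sha1.group(1),
        })
    return entries

def check_default_certs(keystore_listing, truststore_listing, now, threshold_days=30):
    """Findings for the default personal certificate and its signer copy."""
    personal = next(e for e in parse_entries(keystore_listing) if e["type"] == "keyEntry")
    signer = next(e for e in parse_entries(truststore_listing) if e["type"] == "trustedCertEntry")
    days_left = (personal["not_after"] - now).days
    return {
        "cn": re.match(r"CN=([^,]+)", personal["owner"]).group(1),
        "self_signed": personal["owner"] == personal["issuer"],
        "days_left": days_left,
        "renewal_due": days_left <= threshold_days,      # expiration monitor threshold
        "signer_matches": personal["sha1"] == signer["sha1"],  # signer-exchange fingerprint check
    }

def report_on(iso_date, keystore=KEYSTORE_LISTING, truststore=TRUSTSTORE_LISTING):
    """Convenience wrapper: evaluate the checks as of a YYYY-MM-DD date."""
    return check_default_certs(keystore, truststore, datetime.fromisoformat(iso_date))

if __name__ == "__main__":
    print(report_on("2006-09-25"))
```

A mismatch in signer_matches means the truststore does not hold the signer of the current personal certificate, which is exactly the state left behind when key.p12 is regenerated but trust.p12 is not.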