Manually Replacing SSL Certificates

Typically, you replace your SSL certificates through the administrative console. Under some circumstances, however, you might need to replace one or more of these certificates manually. This procedure describes how to manually replace an SSL certificate.

About this task

This procedure assumes that you are using a default configuration. If you have modified your SSL configurations, you must take those changes into account when completing the steps in this procedure. For example, additional steps are required if you have enabled client authentication on the application servers.

Procedure

  1. Run backupConfig on the deployment manager.
  2. (Optional) Complete this step only if you are running Version 6.1.0.21 or lower and the nodes are still in sync. You do not need to stop the node agents and application servers if you are running Version 6.1.0.23 or higher and the nodes are in sync.
    1. Stop all of the node agents and application servers in the cell.
    2. Stop any Web servers that are running.
    3. Start the deployment manager.
  3. Replace the deployment manager certificate.
    1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate.
    2. Enter the required attributes.

      Alias: cell_default

      Common name: host_name

      Validity period: number_of_days (number_of_days can be greater than 365).

      Organization: name

    3. Click OK and Save to save your changes.
    4. Click Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates.
    5. Select the old certificate and click Replace.
    6. Choose which certificate will replace the old certificate.
    7. Accept your new certificate and any browser prompts. Do not select either Delete old certificate after replacement or Delete old signers.
    8. Select the old certificate, and then click Delete.
    9. Click OK and Save to save your changes.
    At this point, the deployment manager certificate has been replaced.
  4. Add the deployment manager signer certificate to the CellDefaultTrustStore.
    1. Click Security > SSL certificate and key management > Key stores and certificates.
    2. Select CellDefaultKeyStore and CellDefaultTrustStore, and then click Exchange signers.
    3. Select the CellDefaultKeyStore personal certificate that you created in the previous step, and then click Add.
    4. Click OK and Save to save your changes.
  5. Replace the certificate on each node. This step must be completed for each node in the cell.
    1. Go to Security > SSL certificate and key management > Manage endpoint security configurations.
    2. Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).
    3. Click the Manage certificates button.
    4. Click Create a self-signed certificate.
    5. Enter the required attributes.

      Alias: nodeX_default, where X is the node number.

      Common name: host_name

      Validity period: number_of_days (number_of_days can be greater than 365).

      Organization: name

    6. Click OK and Save the changes.
    7. Click Security > SSL certificate and key management > Manage endpoint security configurations, click node_name(NodeDefaultSSLSettings,null), and then click Manage certificates.
    8. Select the old certificate and click Replace.
    9. Choose which certificate will replace the old certificate.
    10. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.
    11. Select the old certificate and then click Delete.
    12. Click OK and Save the changes.
  6. Add the node signer certificates to the CellDefaultTrustStore. This step must be completed for each node in the cell.
    1. Click Security > SSL certificate and key management > Manage endpoint security configurations.
    2. Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null) and select Key stores and certificates.
    3. Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.
    4. Select the certificate in NodeDefaultKeyStore personal certificates that you created in a previous step and then click Add.
    5. Click OK and Save to save your changes.
  7. Repeat steps 5 and 6 for each node in the cell.
  8. Delete the old signer certificates and extract the new ones.
    1. Click SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
    2. Select all of the old signer certificates and click Delete. If you are not sure which signers are old, compare the fingerprint and expiration date of each signer certificate with those of the new personal certificates in the key stores.
    3. Select one of the new certificates and click Extract.
    4. Enter a File Name that corresponds to the certificate, for example node1.arm, and click OK.
    5. Repeat substeps 3 and 4 for each of the new certificates.

      At a minimum, these substeps must be completed for the cell signer and all of the node signer certificates.

      These files are saved to the profile_root/Dmgr/ directory.

  9. Manually copy the trust store to the etc directory of each profile.
    1. Back up the profile_root/Dmgr/etc/trust.p12 file.
    2. Copy the profile_root/Dmgr/config/cells/cell-name/trust.p12 file to the profile_root/Dmgr/etc directory.
    3. Back up the profile_root/Appsrv/etc/trust.p12 file on each of the nodes.
    4. Copy the profile_root/Dmgr/config/cells/cell-name/trust.p12 file to the profile_root/Appsrv/etc directory on each node in the cell.
  10. (Optional) This step only needs to be completed if you previously stopped the node agent and application servers in the cell.
    1. Restart the deployment manager.
    2. Run the syncNode command from a command line for each of the nodes.
    3. Start the node agents and application servers. Your node agents and application servers should now be fully synchronized with the new certificates in place.
  11. Propagate the signer certificates to your Web server plug-ins.
    1. Click Servers > Web Servers > webserver_name, and then under Additional Properties, click Plug-in properties.
      Note: Depending on your configuration, you might not be able to use the administrative console to perform the next three substeps. If the fields are greyed out, you are not permitted to manage your plugin-key.kdb from the console. In this situation, you must use IKEYMAN to manually add the certificates that you extracted in step 8, substep 4 to the Web server plugin-key.kdb file, and then go to substep 5 of this step.
    2. Click Manage keys and certificates under Additional properties. Click Signer certificates, and then click Add.
    3. Enter a unique name in the Alias Name field, and then specify the File Name that you created in step 8, substep 4.

      Repeat this substep for each of the new certificates, making sure you have done this for the cell signer and all of the node signers.

    4. Manually copy the plugin-key.kdb file from the local configuration to the Web server.

      Default local configuration location:

      profile_root/Dmgr/config/cells/cell-name/nodes/node-name/servers/web-server-name/plugin-key.kdb

      Default Web server location:

      Web-server-root/Plugins/config/web-server-name/plugin-key.kdb
    5. Repeat substeps 1 through 4 for each Web server that is running on your system.
    6. Start the Web servers.
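
The file copies in step 9 and in step 11, substep 4 are done by hand above, and the only safety net the procedure gives you is the backup it tells you to take first. The following POSIX shell script is an added example, not part of the IBM documentation or the product: it performs those copies with a timestamped backup of every file it overwrites and a byte-for-byte comparison of each result, so a partial or failed copy of trust.p12 or plugin-key.kdb does not go unnoticed. It also wraps the keytool listing you can use for the fingerprint comparison in step 8, substep 2. The directory layout follows the default paths named in the procedure; the profile roots, cell name, node names, Web server name, plug-in root and the function names are this example's own assumptions, and the key store password defaults to WebAS, which is what WebSphere ships with unless you changed it.

```shell
#!/bin/sh
# Added example, not from the IBM page or product: script the manual file
# copies in step 9 (trust.p12 to each profile's etc directory) and step 11,
# substep 4 (plugin-key.kdb to the Web server), backing up every file that
# is overwritten and verifying each copy byte for byte. list_fingerprints
# supports the "compare the fingerprint" check in step 8, substep 2.
#
# Assumptions: paths follow the defaults named in the procedure; profile
# roots, cell name, node names, Web server name and plug-in root are passed
# as arguments; the function names are this example's own.

set -eu

# stage_file SRC DEST
# Back up DEST (if present) as DEST.<timestamp>.bak, copy SRC over it, and
# fail unless the copy compares equal to the source.
stage_file() {
    src=$1
    dest=$2
    if [ ! -f "$src" ]; then
        echo "stage_file: missing source $src" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.$(date +%Y%m%d%H%M%S).bak"
    fi
    cp -p "$src" "$dest"
    cmp -s "$src" "$dest"
}

# distribute_truststore DMGR_PROFILE_ROOT CELL NODE_PROFILE_ROOT...
# Step 9: the cell trust store in the dmgr configuration repository goes to
# the dmgr etc directory and to the etc directory of every node profile.
distribute_truststore() {
    dmgr=$1
    cell=$2
    shift 2
    src="$dmgr/config/cells/$cell/trust.p12"
    stage_file "$src" "$dmgr/etc/trust.p12" || return 1
    for node in "$@"; do
        stage_file "$src" "$node/etc/trust.p12" || return 1
    done
}

# distribute_plugin_kdb DMGR_PROFILE_ROOT CELL NODE WEBSERVER PLUGIN_ROOT
# Step 11, substep 4: plugin-key.kdb from the dmgr configuration repository
# to the Web server's plug-in configuration directory.
distribute_plugin_kdb() {
    dmgr=$1
    cell=$2
    node=$3
    ws=$4
    plugin_root=$5
    src="$dmgr/config/cells/$cell/nodes/$node/servers/$ws/plugin-key.kdb"
    stage_file "$src" "$plugin_root/config/$ws/plugin-key.kdb"
}

# list_fingerprints KEYSTORE [PASSWORD]
# Step 8, substep 2: print alias, validity period and fingerprints of every
# entry so that old signers can be matched against the new personal
# certificates. Requires the JDK keytool; WebSphere's default key store
# password is WebAS (assumed unchanged here).
list_fingerprints() {
    ks=$1
    pw=${2:-WebAS}
    command -v keytool >/dev/null 2>&1 || {
        echo "list_fingerprints: keytool not found on PATH" >&2
        return 1
    }
    keytool -list -v -keystore "$ks" -storetype PKCS12 -storepass "$pw" \
        | grep -E 'Alias name|Valid from|SHA1:|SHA256:'
}

# Usage (paths and names are placeholders from the procedure):
#   distribute_truststore "$profile_root/Dmgr" cell-name "$profile_root/Appsrv"
#   distribute_plugin_kdb "$profile_root/Dmgr" cell-name node-name \
#       web-server-name "$Web_server_root/Plugins"
#   list_fingerprints "$profile_root/Dmgr/config/cells/cell-name/trust.p12"
```

Run the two distribute functions only after step 8 has saved the new signers into the cell trust store, and keep the .bak files until the node agents and application servers have restarted cleanly (step 10), since a node whose etc/trust.p12 no longer matches the cell's signers cannot complete its SSL handshakes with the deployment manager.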


Last updated: Aug 30, 2013 10:47:11 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-iseries&topic=tsec_sslmanuallyreplace
File name: tsec_sslmanuallyreplace.html