Typically, you can use the administrative console to replace
your SSL certificates. However, under some circumstances, you may
need to do a manual replacement of one or more of these certificates.
This procedure describes how to manually replace an SSL certificate.
About this task
This procedure assumes that you are using a default configuration.
If you have made modifications to your SSL configurations you must
take these changes into account when completing the steps in this
procedure. For example, additional steps are required if you have
enabled client authentication on the application servers.
Procedure
1. Run backupConfig on the deployment manager.
2. (Optional) Complete this step only if you are running Version 6.1.0.21 or lower and the nodes are still in sync. You do not need to stop the node agents and application servers if you are running Version 6.1.0.23 or higher and the nodes are in sync.
   a. Stop all of the node agents and application servers in the cell.
   b. Stop any Web servers that are running.
   c. Start the deployment manager.
3. Replace the deployment manager certificate.
   a. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate.
   b. Enter the required attributes:
      Alias: cell_default
      Common name: host_name
      Validity period: number_of_days (number_of_days can be greater than 365)
      Organization: name
   c. Click OK and Save to save your changes.
   d. Click Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates.
   e. Select the old certificate and click Replace.
   f. Choose which certificate will replace the old certificate.
   g. Accept your new certificate and any browser prompts. Do not select either Delete old certificate after replacement or Delete old signers.
   h. Select the old certificate, and then click Delete.
   i. Click OK and Save to save your changes.
   At this point the deployment manager has its certificate replaced.
4. Add the deployment manager signer certificate to the CellDefaultTrustStore.
   a. Click SSL certificate and key management > Key stores and certificates.
   b. Select CellDefaultKeyStore and the CellDefaultKeyStore personal certificate created in the previous step, and click Add.
   c. Click OK and Save to save your changes.
5. Replace the certificate on each node. This step must be completed for each node in the cell.
   a. Go to Security > SSL certificate and key management > Manage endpoint security configurations.
   b. Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).
   c. Click the Manage certificates button.
   d. Click Create a self-signed certificate.
   e. Enter the required attributes:
      Alias: nodeX_default, where X is the node number
      Common name: host_name
      Validity period: number_of_days (number_of_days can be greater than 365)
      Organization: name
   f. Click OK and Save the changes.
   g. Click Security > SSL certificate and key management > Manage endpoint security configurations, click node_name(NodeDefaultSSLSettings,null), and then click Manage certificates.
   h. Select the old certificate and click Replace.
   i. Choose which certificate will replace the old certificate.
   j. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.
   k. Select the old certificate and then click Delete.
   l. Click OK and Save the changes.
6. Add the node signer certificates to the CellDefaultTrustStore. This step must be completed for each node in the cell.
   a. Click Security > SSL certificate and key management > Manage endpoint security configurations.
   b. Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null), and select Key stores and certificates.
   c. Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.
   d. Select the certificate in NodeDefaultKeyStore personal certificates that you created in a previous step and then click Add.
   e. Click OK and Save to save your changes.
7. Repeat steps 5 and 6 for each node in the cell.
8. Delete the old signer certificates and extract the new ones.
   a. Click SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
   b. Select all of the old signer certificates and click Delete. If you are not sure which ones are old, compare the Fingerprint and/or the Expiration dates with those of the personal certificates in the keystores.
   c. Select one of the new certificates and click Extract.
   d. Enter a File Name that corresponds to the certificate, for example, node1.arm. Click OK.
   e. Repeat substeps c and d for each of the new certificates. At a minimum, these substeps must be completed for the cell signer and all of the node signer certificates. These files are saved to the profile_root/Dmgr/ directory.
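The fingerprint comparison in substep 8b is easy to get wrong by eye when a cell has many nodes. The following script is an added example, not part of the IBM documentation: it reads the text that `keytool -list -v -keystore <store> -storetype PKCS12` prints for the personal certificates and for the CellDefaultTrustStore signers, and lists every signer whose SHA-256 fingerprint matches no current personal certificate, together with its expiry date. The two listings embedded below are constructed samples with shortened fingerprints, not real WebSphere output.

```shell
#!/bin/sh
# Added example for substep 8b: find signers in CellDefaultTrustStore whose
# SHA-256 fingerprint matches no current personal certificate (the old signers).
# Input is the text printed by: keytool -list -v -keystore <store> -storetype PKCS12
# The two listings below are constructed samples, not real WebSphere output.
PERSONAL_LISTING='Alias name: cell_default
Entry type: PrivateKeyEntry
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 00:00:00 UTC 2025
Certificate fingerprints:
   SHA256: AA:11:AA:11
Alias name: node1_default
Entry type: PrivateKeyEntry
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 00:00:00 UTC 2025
Certificate fingerprints:
   SHA256: BB:22:BB:22'

SIGNER_LISTING='Alias name: cell_default_signer
Entry type: trustedCertEntry
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 00:00:00 UTC 2025
Certificate fingerprints:
   SHA256: AA:11:AA:11
Alias name: node1_default_signer
Entry type: trustedCertEntry
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 00:00:00 UTC 2025
Certificate fingerprints:
   SHA256: BB:22:BB:22
Alias name: old_node1_signer
Entry type: trustedCertEntry
Valid from: Sun Jan 01 00:00:00 UTC 2023 until: Tue Dec 31 00:00:00 UTC 2024
Certificate fingerprints:
   SHA256: CC:33:CC:33'

# Reduce a keytool -v listing to one "alias<TAB>sha256<TAB>expiry" line per entry.
fingerprints() {
  awk '
    /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias) }
    /^Valid from:/ { expiry = $0; sub(/.*until: */, "", expiry) }
    /SHA-?256:/    { fp = $0; sub(/.*SHA-?256: */, "", fp)
                     print alias "\t" fp "\t" expiry }'
}

# stale_signers PERSONAL_LISTING SIGNER_LISTING
# Prints the signer entries whose fingerprint belongs to no personal certificate;
# the expiry column lets you cross-check against the old validity dates.
stale_signers() {
  keep=$(printf '%s\n' "$1" | fingerprints | cut -f2 | tr '\n' ' ')
  printf '%s\n' "$2" | fingerprints | awk -F'\t' -v keep="$keep" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    !($2 in ok)'
}

stale_signers "$PERSONAL_LISTING" "$SIGNER_LISTING"
```

Feed it the real listings of key.p12 and trust.p12 for the cell and every node; an entry it prints but that the new personal certificates still depend on should be investigated, not deleted blindly.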
9. Manually copy the trust store to each of the /etc directories.
   a. Back up the trust.p12 file in the profile_root/Dmgr/ directory.
   b. Copy profile_root/Dmgr/config/cells/cell-name/trust.p12 to the profile_root/Dmgr/etc directory.
   c. Back up the profile_root/Appsrv/etc/trust.p12 file for each of the nodes.
   d. Copy the profile_root/Dmgr/config/cells/cell-name/trust.p12 file to the profile_root/Appsrv/etc directory for each node in the cell.
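Because step 9 is done by hand for every node, a missed backup or a truncated copy is easy to overlook. The script below is an added example, not from the IBM documentation: it backs up each existing trust.p12 with a timestamp suffix, copies the cell trust store over it, and verifies every copy byte for byte. It assumes the target etc directories are reachable as local paths (for example a mounted or previously transferred node profile); the paths in the commented invocation are the page's placeholders.

```shell
#!/bin/sh
# Added example for step 9: back up and replace trust.p12 in each etc directory,
# then verify every copy. Target directories are assumed to be local paths.

# backup_and_copy SRC DESTDIR
# Keeps an existing DESTDIR/trust.p12 as trust.p12.bak-<timestamp> before overwriting.
backup_and_copy() {
  from=$1; to=$2/trust.p12
  if [ -f "$to" ]; then
    cp -p "$to" "$to.bak-$(date +%Y%m%d%H%M%S)" || return 1
  fi
  cp -p "$from" "$to"
}

# verify_copy SRC DESTDIR: succeeds only if DESTDIR/trust.p12 is identical to SRC.
verify_copy() {
  cmp -s "$1" "$2/trust.p12"
}

# distribute_truststore SRC DIR...
# Copies SRC into each DIR, verifies it, and returns the number of failed targets.
distribute_truststore() {
  src=$1; shift; failed=0
  for dir in "$@"; do
    if backup_and_copy "$src" "$dir" && verify_copy "$src" "$dir"; then
      echo "ok   $dir/trust.p12"
    else
      echo "FAIL $dir/trust.p12" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Invocation with the page's placeholder paths (substitute your own profile paths):
# distribute_truststore profile_root/Dmgr/config/cells/cell-name/trust.p12 \
#     profile_root/Dmgr/etc profile_root/Appsrv/etc
```

Any line reported as FAIL means that node still has its old trust store (or none), so its node agent would reject the new certificates after restart.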
10. (Optional) This step only needs to be completed if you previously stopped the node agents and application servers in the cell.
    a. Restart the deployment manager.
    b. Run the syncNode command from a command line for each of the nodes.
    c. Start the node agents and application servers. Your node agents and application servers should now be fully synchronized with the new certificates in place.
11. Propagate the signer certificates to your Web server plug-ins.
    a. Click Servers > Web Servers > webserver_name, and then under Additional Properties, click Plug-in properties.
       Note: Depending on your configuration, you might not be able to use the administrative console to perform the next 3 substeps. If the fields are greyed out, you are not permitted to manage your plugin-key.kdb from the console. In this situation, you must use IKEYMAN to manually add the certificates you created in step 8d to the Web server plugin-key.kdb file, and then go to substep 11e.
    b. Click Manage keys and certificates under Additional properties. Click Signer certificates, and then click Add.
    c. Enter a unique name in the Alias Name field, and then specify the File Name that you created in substep 8d. Repeat this substep for each of the new certificates, making sure you have done this for the cell signer and all of the node signers.
    d. Manually copy the plugin-key.kdb file from the local configuration to the Web server.
       Default local configuration location: profile_root/Dmgr/config/cells/cell-name/nodes/node-name/servers/web-server-name/plugin-key.kdb
       Default Web server location: Web-server-root/Plugins/config/web-server-name/plugin-key.kdb
    e. Repeat substeps a through d for each Web server that is running on your system.
12. Start the Web servers.