[AIX HP-UX Linux Solaris Windows][z/OS]

Implementing a non-default keyfile for the Web server

By default, the plugin-key.kdb keystore file is used by a Web server. However, you can configure your Web server to use another keystore file.

About this task

Complete the following steps in the administrative console to change your configuration so that it does not use the default keystore file:

Procedure

  1. Set up a new keystore. Complete the following steps:
    1. Expand Security and click SSL certificate and key management.
    2. Under Related Items, click Key stores and certificates > New.
    3. Specify a name for the new keystore configuration in the Name field.
    4. Specify the path to the keyfile in the Path field. You can specify one of the following paths:
      • The fully qualified path from the root to the repository for the Web server within the product tree
      • A path that uses the ${CONFIG_ROOT} variable and the path starting from /cells.
      For example:
      • C:\Program Files\IBM\WebSphere\AppServer\profiles\profile_name\config\cells/cell_name/nodes/node_name/servers/server_name/NewKey3.kdb
      • ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/servers/server_name/NewKey3.kdb
      [Windows] Avoid trouble: Verify that the pattern of forward slashes and back slashes matches other keystore file paths in the administrative console.
    5. Specify the password for the keyfile in the Password and Confirm password fields.
    6. Select CMSKS from the Type menu.
    7. Click OK.
    8. Click Save to save the changes to the master configuration.
    When you complete these steps, a new keystore file exists within the specified profile repository.
  2. Add the signer certificate to the new keystore for authentication. Complete the following steps:
    1. Expand Security and click SSL certificate and key management.
    2. Ensure that the Dynamically update the run time when SSL configuration changes occur checkbox is selected. This checkbox ensures that the changes to the configuration are propagated to the runtime immediately after you save the configuration. You must restart your application server for this function to become active. If you enable this function, make Secure Sockets Layer (SSL) configuration changes when the system traffic volume is low to prevent an impact on performance.
    3. Under Configuration settings, click Manage endpoint security configurations.
    4. Expand the Inbound or outbound topology listings and the cell name to see a list of the nodes.
    5. Copy the list of nodes into a text file.
    6. Extract the personal certificates and record their related information for each of the nodes. Complete the following steps:
      1. Click SSL certificate and key management in the path above the panel description.
      2. Under Related Items, click Key stores and certificates.
      3. Click the name of the keystore.
      4. Under Additional properties, click Personal certificates.
      5. Record the serial number of the default certificate.
      6. Select the check box in the default certificate row and click Extract.
      7. Enter both the path and file name for the certificate in the Certificate file name field.
      8. Record the path and file name with the serial number of the certificate that you previously recorded.
      9. Click OK.
      10. Click Save to save the changes to the master configuration.

      You must complete this step for each node in your configuration.

      Avoid trouble: If you create a cell profile after your initial installation of the application server, both the cell manager node and the stand-alone node might have the same certificate and same serial number. Record the identical information.
    7. Return to the Manage endpoint security configurations panel. To return to this panel, complete the following steps:
      1. Click SSL certificate and key management in the path above the panel description.
      2. Under Configuration settings, click Manage endpoint security configurations.
    8. Locate and click the name of the Web server configuration.
    9. Under Related Items, click Key stores and certificates.
    10. Click the name of the keystore that is associated with the Web server.
    11. Under Additional Properties, click Signer certificates.
    12. Compare the signer certificates in this list to the certificates that you previously extracted.
    13. Click Add and add the missing certificates to the list.
    14. Enter the alias for the certificate and its file path to the Alias and File name fields. You do not need to change the value for the Data type field.
    15. Click OK.
    16. Click Save to save the changes to the master configuration.
  3. Adjust the plug-in settings to use the new keystore file.
    1. Expand Servers > Web servers > server_name.
    2. Under Additional Properties, click Plug-in properties.
    3. Change the file name in the Plug-in key store file name field to the name of the keystore file that you created in step 1.
      Avoid trouble: The file name must match.
    4. Change the path to the keystore file in the Plug-in key store directory and file name field.
    5. Click Copy to Web server key store directory. When you click this button, a copy of the keystore file is placed in the Web server directory.
    6. Return to the list of Web servers. To return to this panel, you can click Web servers in the path above the panel description.
    7. Select the Web server, click Generate Plug-in.
    8. Select the Web server again and click Propagate Plug-in.
    9. Click Save to save the changes to the master configuration.

Results

After you complete these steps, your Web server plug-in can use the new keystore file.
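
One way to confirm the result after Generate Plug-in and Propagate Plug-in, shown as an added example that is not part of the original IBM topic: the check below reads a plugin-cfg.xml and reports every HTTPS transport whose keyring does not name the new keystore file. It assumes the generated file records the keystore in a `keyring` Property under each `Transport` with `Protocol="https"`; the sample XML, host names and paths are constructed, and `check_keyrings` is a hypothetical helper name.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of a generated plugin-cfg.xml; hosts and paths are placeholders.
SAMPLE_PLUGIN_CFG = r"""<Config>
  <ServerCluster Name="server1_Cluster">
    <Server Name="node1_server1">
      <Transport Hostname="app1.example.com" Port="9080" Protocol="http"/>
      <Transport Hostname="app1.example.com" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/Plugins/config/webserver1/NewKey3.kdb"/>
        <Property Name="stashfile" Value="/opt/IBM/Plugins/config/webserver1/NewKey3.sth"/>
      </Transport>
    </Server>
    <Server Name="node2_server1">
      <Transport Hostname="app2.example.com" Port="9443" Protocol="https">
        <Property Name="keyring" Value="C:\IBM\Plugins\config\webserver1\plugin-key.kdb"/>
        <Property Name="stashfile" Value="C:\IBM\Plugins\config\webserver1\plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>"""


def check_keyrings(xml_text, expected_kdb):
    """Return (server, port, problem) for HTTPS transports not using expected_kdb."""
    findings = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        for transport in server.findall("Transport"):
            # Only HTTPS transports carry a keystore reference.
            if transport.get("Protocol", "").lower() != "https":
                continue
            props = {p.get("Name"): p.get("Value", "")
                     for p in transport.findall("Property")}
            where = (server.get("Name"), transport.get("Port"))
            keyring = props.get("keyring")
            if keyring is None:
                findings.append(where + ("no keyring property",))
                continue
            # ntpath.basename splits on both '/' and '\', so it handles either platform.
            actual = ntpath.basename(keyring)
            if actual != expected_kdb:
                findings.append(where + ("keyring is " + actual,))
    return findings


if __name__ == "__main__":
    for finding in check_keyrings(SAMPLE_PLUGIN_CFG, "NewKey3.kdb"):
        print(finding)
```

A transport that still reports plugin-key.kdb means the file name entered in step 3 did not reach the generated plug-in configuration for that server.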



Last updated: Aug 31, 2013 4:28:44 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-mp&topic=tihs_nondefaultkeyfile
File name: tihs_nondefaultkeyfile.html