WebSphere Virtual Enterprise (formerly Operations Optimization), Version 6.1
             Operating Systems: AIX, HP-UX, Linux, Solaris, Windows


Manually replacing SSL certificates for the middleware agent

If your existing middleware agent Secure Sockets Layer (SSL) certificates expire, manually replace the certificates from within the administrative console.

Before you begin

You must be able to access the deployment manager for each cell with which you want to communicate.

About this task

Renew expired SSL certificates so the middleware agent can continue to securely communicate with the deployment manager and nodes.

Procedure

  1. Run the backupConfig command on the deployment manager.
    • Linux and UNIX:
      ./backupConfig.sh backup_file [options]
    • Windows:
      backupConfig.bat backup_file [options]
  2. Stop the middleware agent.
    • In the administrative console, click System administration > Middleware nodes. Select the specific middleware agent, and select Stop agent from the Select operational action menu. Click Run.
    • From the command line, run the stopAgent.sh|.bat command from the agent_install_root/bin directory.
  3. Create a new middleware agent certificate.
    1. Click Security > SSL certificate and key management > Manage endpoint security configurations > node_name > Manage certificates.
    2. Click Create a self-signed certificate.
    3. Enter the following attributes for the new certificate, and click OK:
      • Alias: node_name_default
      • Common name: host_name
      • Validity of period: number_of_days
      • Organization: company_name
      Click Save to save your changes.
  4. Replace the existing certificate with the new certificate.
    1. Click Security > SSL certificate and key management > Manage endpoint security configurations > node_name > Manage certificates. Select the existing certificate, and click Replace.
    2. Select and accept the new certificate.
      Avoid trouble: Do not select Delete old certificate after replacement or Delete old signers.
    3. Select the existing certificate, and click Delete > OK. Click Save to save your changes.
  5. Add the signer certificate for the node to the CellDefaultTrustStore key store.
    1. Click Security > SSL certificate and key management > Manage endpoint security configurations > node_name. Select Key stores and certificates.
    2. Select NodeDefaultKeyStore and CellDefaultTrustStore, and click Exchange signers.
    3. Select the certificate you created in step 3, and click Add. Click OK, and click Save to save your changes.
  6. Delete the existing certificates, and extract the new certificates.
    1. Click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
    2. Select the existing certificates, and click Delete.
      Tip: To verify which certificates to delete, compare the fingerprint or expiration dates with the personal certificate in the key stores.
  7. Stop the deployment manager.
    • In the administrative console, click System administration > Deployment manager > Stop.
    • From the command line, run the stopManager.sh|.bat command from the profile_root/bin directory of the deployment manager profile.
  8. Copy the trust.p12 and key.p12 files from the deployment manager node to the middleware agent node. The trust.p12 and key.p12 files are in the profile_root/dmgr/config/cells/cell_name/nodes/middleware_agent_node directory.
  9. From the install_root/config/cells/cell_name/nodes/node_name directory on the middleware agent node, save the existing trust.p12 and key.p12 files to a backup directory. Then copy the trust.p12 and key.p12 files that you copied in step 8 into that node_name directory.
  10. Start the deployment manager. Run the startManager.sh|.bat command.
  11. Start the middleware agent.
    • In the administrative console, click System administration > Middleware nodes. Select the specific middleware agent, and select Start agent from the Select operational action menu. Click Run.
    • From the command line, run the startAgent.sh|.bat command from the agent_install_root/bin directory.
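
Steps 8 and 9 on a Linux or UNIX middleware agent node, as an added shell example that is not part of the IBM documentation: it saves the current trust.p12 and key.p12 to a backup directory, then installs the staged copies, and refuses to proceed if either file is missing or a backup already exists. The function name and its three directory arguments are assumptions; because key.p12 holds the node's private key, the copies are made readable by the owner only.

```sh
#!/bin/sh
# Added example (not IBM code). replace_keystores and its arguments are
# hypothetical names; pass the real directories for your installation.
#   $1 staged_dir  trust.p12 and key.p12 copied from the deployment manager (step 8)
#   $2 node_dir    install_root/config/cells/cell_name/nodes/node_name
#   $3 backup_dir  where the current files are saved (step 9)
# Assumption: run as the account that owns the middleware agent installation.
replace_keystores() {
    staged_dir=$1; node_dir=$2; backup_dir=$3

    # Check everything first so a failure never leaves a mismatched
    # key/trust pair in node_dir or overwrites an earlier backup.
    for f in trust.p12 key.p12; do
        [ -s "$staged_dir/$f" ] || { echo "missing or empty: $staged_dir/$f" >&2; return 1; }
        [ -f "$node_dir/$f" ] || { echo "missing: $node_dir/$f" >&2; return 1; }
        [ ! -e "$backup_dir/$f" ] || { echo "backup exists: $backup_dir/$f" >&2; return 1; }
    done

    # key.p12 holds the private key: create the backup directory owner-only.
    old_umask=$(umask)
    umask 077
    rc=0
    mkdir -p "$backup_dir" || rc=1
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # Save the current files and confirm each backup is byte-identical.
    for f in trust.p12 key.p12; do
        cp -p "$node_dir/$f" "$backup_dir/$f" || return 1
        cmp -s "$node_dir/$f" "$backup_dir/$f" || return 1
        chmod 600 "$backup_dir/$f" || return 1
    done

    # Install the staged files and confirm each matches what was staged.
    for f in trust.p12 key.p12; do
        cp "$staged_dir/$f" "$node_dir/$f" || return 1
        cmp -s "$staged_dir/$f" "$node_dir/$f" || return 1
        chmod 600 "$node_dir/$f" || return 1
    done
    return 0
}
```

Run it while the middleware agent and the deployment manager are stopped (steps 2 and 7), and remove the staged copies once the agent has started with the new certificates.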



Related tasks
Configuring a high availability deployment manager environment
Enabling communication between cells that have security enabled

Last updated: Oct 30, 2009 6:18:07 PM EDT
http://publib.boulder.ibm.com/infocenter/wxdinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ops.doc/info/odoe_task/txdagentssl.html