Configuring certificate expiration monitoring

When certificates expire, they can no longer be used by the system. WebSphere Application Server provides a utility to monitor certificates that are close to expiration or have already expired. You can schedule certificate monitoring, or you can request certificate monitoring on demand. You can also configure options for deleting expired certificates and for recreating certificates.

Before you begin

Important: The Certificate Expiration Monitor does not handle replacing client self-signed certificates and is not capable of sending the new signer certificate needed for trust. If the client is a web server plug-in, it will not be able to securely communicate with the application server after self-signed certificate replacement.
WebSphere Application Server notifies you when a certificate is about to expire. Complete the information required for notification messaging in Notifications.

About this task

Complete the following configuration steps in the administrative console:

Procedure

  1. Click Security > SSL certificate and key management > Manage certificate expiration.
  2. Type the threshold, in days, in the Expiration notification threshold field. WebSphere Application Server issues an expiration warning that number of days before a certificate expires.
  3. Select or check one or more of the following options:
    • Expiration check notification. Select the method from the list that you want to use to receive your notification.
    • Automatically replace expiring self-signed certificates. If you do not want to recreate the self-signed certificate, clear the check box.
    • Delete expiring certificates and signers after replacement. If you do not want to delete the expired certificates and signers, clear the check box.
    • Enable checking. If you do not want to have certificate monitoring enabled, clear the check box.
  4. To schedule the certificate expiration monitor, enter the time of day when you want certificate monitoring to run.
  5. Select one of the following options:
    • Check by calendar. For Weekday, enter the day of the week on which you want to run the certificate expiration monitor. For Repeat Interval, specify how frequently the certificate monitor runs.
    • Check by number of days. Enter a number for how frequently the monitor runs, in number of days.
  6. Click Apply.

Results

After you complete the settings, a certificate expiration monitor object and a schedule are set up in the configuration. The certificate expiration monitor runs according to the configuration options that you specified.

What to do next

You can generate reports that state which certificates have expired. The reports identify the notifications of certificate replacements and deletions. The report is sent according to the notification option that you specified.

If you have client self-signed certificates and the automatic replacement has occurred, an SSL communication error occurs. To restore secured communication between the client and the application server, ensure that the client truststore contains the correct signer certificate. For the plug-in client, when the self-signed certificate on the server is replaced, the correct signer is placed in the plug-in keystore, profile_root\config\cells\cell_name\nodes\node_name\servers\webserver1\plugin-key.kdb. The plug-in keystores that contain the new signers must be copied manually to the correct plug-in location. After the keystore that contains the new signers is copied to the correct plug-in location, the web server must be restarted before it can resume successful SSL communications with the web container.
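The following Python is an added illustration, not IBM code and not part of the original topic. It models how the settings in the procedure interact for one monitor run and lists the manual trust follow-up described above for each replaced self-signed certificate. The names Cert, MonitorOptions, plan_run and trusted_by are hypothetical, and the inventory is constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

PLUGIN_STEP = "copy plugin-key.kdb to the plug-in location, restart web server"

@dataclass
class Cert:                      # hypothetical inventory record, not a WebSphere type
    alias: str
    not_after: date
    self_signed: bool
    trusted_by: list = field(default_factory=list)  # clients holding this signer

@dataclass
class MonitorOptions:            # mirrors the console settings in the procedure
    threshold_days: int
    auto_replace_self_signed: bool = True
    delete_after_replacement: bool = True
    enabled: bool = True

def plan_run(certs, opts, today):
    """Report rows for one monitor run. Assumption: deletion of the old
    certificate is modeled as happening only when it was replaced."""
    if not opts.enabled:
        return []
    report = []
    for c in certs:
        days_left = (c.not_after - today).days
        if days_left > opts.threshold_days:
            continue                      # outside the notification threshold
        replace = c.self_signed and opts.auto_replace_self_signed
        follow_up = [] if replace else ["replace manually"]
        for client in (c.trusted_by if replace else []):
            follow_up.append(PLUGIN_STEP if client == "plugin"
                             else f"add new signer to truststore of {client}")
        report.append({
            "alias": c.alias, "days_left": days_left,
            "status": "expired" if days_left < 0 else "expiring",
            "replace": replace,
            "delete_old": replace and opts.delete_after_replacement,
            "follow_up": follow_up,
        })
    return report

TODAY = date(2024, 1, 1)                  # constructed sample data
SAMPLE = [
    Cert("default", date(2024, 1, 20), True, ["plugin", "batch-client"]),
    Cert("ca_signed_web", date(2023, 12, 25), False),
    Cert("internal", date(2025, 1, 1), True),
]

if __name__ == "__main__":
    print(*plan_run(SAMPLE, MonitorOptions(threshold_days=30), TODAY), sep="\n")
```

Rows with a non-empty follow_up list are the ones where the automatic run alone leaves clients unable to connect or a certificate unrenewed.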





Last updated: Feb 19, 2011 5:25:36 AM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v610web&product=was-nd-mp&topic=tsec_sslconfcertexpmon
File name: tsec_sslconfcertexpmon.html