Friday, January 9, 2015

Certificate expiry issue in WebSphere Application Server

RECOMMENDATION: A server's self-signed certificate is replaced 60 days before it expires, which for a one-year certificate means about 10 months after it was created. This causes an outage on services such as the Web server, where managing the client signer certificate is a manual step. The fix (APAR PK48659, see below) therefore extends the life span of the default self-signed certificate to 15 years and provides additional warning time before certificates are automatically replaced.
In WAS 6.1 the default certificate expires after one year. Just before it expires the certificate is renewed automatically, and after this automatic renewal the dmgr can no longer talk to the node agents: the SSL handshake fails with JSSL0080E (SSL handshake exception), because the trust stores still hold the old signer. If the renewal happens while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown; this does not work if WAS is running as a service on Windows. If the certificate expires while WAS is not running, WAS has to be started with the expired certificate; the automatic renewal then runs during the next start-up of the dmgr, and the user has to run syncNode afterwards.
As a workaround, the user currently has to add the renewed certificates to the trust stores manually: the cell's certificate to the node trust store, and the node's certificate to the cell trust store. The error is a direct result of the automatic certificate renewal; the renewed certificate should be added to the cell and node trust stores automatically. Additionally, the certificate expiration monitor has been modified to handle this condition properly; this fix shipped in APAR PK48659.
How to create and add a new signer certificate to an existing profile

1. Create a new self-signed certificate in the cell key store (key.p12).
   SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create Self Signed Cert
   Alias:
   Common Name:
   Validity Period: 3650 (days)
   Organization: xyz
   Click OK
2. Extract the certificate.
   SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Extract certificate
   Certificate file name: the server name followed by -key.arm, for example ServerName-key.arm
   Data type: Base64-encoded ASCII data
   Default location for the file to be created: /profiles/dmgr/etc/ under the install root, for example /opt/was61/profiles/dmgr/etc/
3. Import the extracted certificate into the cell trust store (trust.p12) as a signer.
   SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Add
   Alias: the server name followed by -key
   File name: the .arm file extracted in the previous step, for example /opt/was61/profiles/dmgr/etc/ServerName-key.arm
   Data type: Base64-encoded ASCII data
4. Copy trust.p12 and key.p12 to all the nodes.
   FROM (cell level): /profiles/dmgr/config/cells/<cell name>/trust.p12 and /profiles/dmgr/config/cells/<cell name>/key.p12
   TO (node level): /profiles/dmgr/config/cells/<cell name>/nodes/<node name>/trust.p12 and /profiles/dmgr/config/cells/<cell name>/nodes/<node name>/key.p12
5. Restart the node agents and the dmgr from the command line (not as a Windows service, otherwise the prompt cannot be answered). When prompted to accept the certificate, accept it.
6. Start the dmgr.
7. Sync the nodes to the dmgr manually (syncNode). When prompted to accept the certificate, accept it.
8. SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
   Click Get Certificate Aliases to refresh the lists, then select the certificate created in step 1 in both of the following drop-downs:
   Default server certificate alias
   Default client certificate alias
   Click OK
9. SSL certificate and key management > Manage endpoint security configurations
   NOTE: this has to be repeated for every node and for the cell, in both the inbound and the outbound tree.
   Select the node level and click Change:
   Certificate alias in key store: the certificate you imported
   Click Update Certificate Alias List
   Click OK
   Repeat for the node level, inbound and outbound
   Repeat for the cell level, inbound and outbound
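The checks a practitioner wants around this procedure, as an added example that is not code from the original post or from IBM: a standard-library Python script that reads the Base64 .arm files the console extracts (the Extract certificate step above, or the same export taken from a node's trust store), reports how many days remain before the certificate expires and whether it is already inside the 60-day window in which the expiration monitor replaces it (the figure quoted above), and compares the fingerprint of the cell's personal certificate with the signer a node holds, which is exactly the mismatch behind JSSL0080E. The sample certificate is constructed inside the code for offline testing and is not a real WAS certificate; the 60-day constant, the file names and the sample values are assumptions.

```python
"""Check WebSphere .arm certificate exports for expiry and signer drift.
Added example for this post (not code from the original page or from IBM).
Standard library only; the sample certificate and file names are constructed.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

# Days before expiry at which the WAS expiration monitor replaces a
# self-signed certificate (the 60-day figure quoted from the APAR above).
REPLACE_WINDOW_DAYS = 60

def utc_date(year, month, day):
    """Midnight UTC on the given date (helper for callers and tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def pem_to_der(pem_text):
    """Strip the PEM armor of a Base64 .arm export and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _parse_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) value -> aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def certificate_validity(der):
    """Return (notBefore, notAfter) by walking the X.509 structure to Validity."""
    _, pos, _ = _read_tlv(der, 0)           # enter Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, pos)         # enter TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version, present in v2/v3
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    _, pos, _ = _read_tlv(der, pos)         # enter Validity SEQUENCE
    t1, s1, e1 = _read_tlv(der, pos)
    t2, s2, e2 = _read_tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])

def fingerprint_sha1(der):
    """SHA-1 fingerprint, the usual way to tell two exported copies of a cert apart."""
    return hashlib.sha1(der).hexdigest().upper()

def check_certificate(pem_text, now=None):
    """Classify a certificate relative to the monitor's replacement window."""
    now = now or datetime.now(timezone.utc)
    der = pem_to_der(pem_text)
    not_before, not_after = certificate_validity(der)
    days_left = (not_after - now).days
    if now < not_before:
        status = "NOT_YET_VALID"
    elif days_left < 0:
        status = "EXPIRED"
    elif days_left <= REPLACE_WINDOW_DAYS:
        # The monitor is about to replace it: update the trust stores now, or
        # expect JSSL0080E between the dmgr and the node agents afterwards.
        status = "IN_REPLACE_WINDOW"
    else:
        status = "OK"
    return {"status": status, "not_after": not_after,
            "days_left": days_left, "fingerprint": fingerprint_sha1(der)}

def signer_matches(cell_pem, node_signer_pem):
    """True if the signer exported from a node trust store is the cell's current cert."""
    return fingerprint_sha1(pem_to_der(cell_pem)) == fingerprint_sha1(pem_to_der(node_signer_pem))

# Constructed fixture: a syntactically valid X.509 v3 shell with a dummy key and
# signature, enough to exercise the parser. It is NOT a usable certificate.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert_pem(not_before, not_after, cn=b"was61dmgr"):
    """Minimal unsigned certificate with the given validity (constructed input)."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn))))
    sha1_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + _der(0x05, b""))
    rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha1_rsa + name
                     + _der(0x30, utc(not_before) + utc(not_after)) + name
                     + _der(0x30, rsa + _der(0x03, b"\x00" * 17)))
    cert = _der(0x30, tbs + sha1_rsa + _der(0x03, b"\x00" * 17))
    b64 = base64.b64encode(cert).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"
```

Run check_certificate() on the .arm extracted from CellDefaultKeyStore to see whether the monitor is about to renew it, and signer_matches() against the signer exported from each node's trust.p12; a False there means the node still trusts the old certificate and its handshake with the dmgr will fail once the renewal happens.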
