Monday, 3 November 2014

ISAMESSO : Replacing the IBM HTTP Server SSL certificate with an SSL certificate signed by a third-party CA

Make sure that:
  • you have installed and configured WebSphere® Application Server 7.0 with minimum fix pack 5 in your computer
  • you have installed and configured IBM® HTTP Server 7.0 in your computer
  • you have a copy of the third-party CA certificate file, in Base64-encoded ASCII or binary DER format
  • you have a copy of the SSL certificate signed by the third-party CA and its corresponding private key
    Note: the SSL certificate and its private key must be stored in a keystore file with any one of the following supported types:
    • JKS
    • JCEKS
    • PKCS11
    • PKCS12
    • CMSKS
    • PKCS12JarSigner
  • the third-party CA certificate has been distributed to the computers where AccessAgent is installed, and
  • the certificate has been imported into the Trusted Root Certification Authorities container of the Computer account in the Windows® Certificate Store
    Note: AccessAgent does not work if the third-party CA that signs the IBM HTTP Server SSL certificate is not trusted by Windows, on which the AccessAgent is installed.
Procedure
  1. Log on to the IBM Integrated Solutions Console.
  2. Add the third-party CA certificate to the WebSphere Application Server truststores.
    Note:
    • If you are using a standalone WebSphere Application Server, complete step 2 for the NodeDefaultTrustStore.
    • If you are using a WebSphere Application Server Network Deployment cluster, complete step 2 for the CellDefaultTrustStore and every NodeDefaultTrustStore.
    1. On the Integrated Solutions Console left navigation pane, select Security > SSL certificate and key management.
    2. Under Related Items, click Key stores and certificates.
    3. Click the <truststore name>. For example, NodeDefaultTrustStore or CellDefaultTrustStore.
    4. Under Additional Properties, click Signer certificates.
    5. Click Add.
    6. In the Alias field, enter an alias name for the third-party CA certificate. For example, rootca.
    7. In the File name field, enter the file path to the third-party CA certificate file. For example, C:\rootca.der.
    8. From the Data type list, select the format of the certificate file.
    9. Click OK.
    10. Changes have been made to the local configuration. Click Save.
  3. If you are using a standalone WebSphere Application Server, restart the WebSphere Application Server.
    If you are using a WebSphere Application Server Network Deployment cluster, perform a full resynchronization of the nodes; restart the cluster; and start the IMS Server.
    To perform a full resynchronization of the nodes:
    1. On the Integrated Solutions Console left navigation pane, select System administration > Nodes.
    2. Select the check boxes of the nodes where the IMS Server is installed.
    3. Click Full Resynchronize.
    To restart the cluster:
    1. On the Integrated Solutions Console left navigation pane, select Servers > Clusters > WebSphere Application Server clusters.
    2. Select the check box of the cluster.
    3. Click Stop.
    4. Select the check box of the cluster.
    5. Click Start.
    To start the IMS Server:
    1. On the Integrated Solutions Console left navigation pane, click Applications > Application Types > WebSphere enterprise applications.
    2. Select the TAM E-SSO IMS check box from the list of applications.
    3. Click Start.
Note: Complete steps 4-7 for all IBM HTTP Servers configured to front the WebSphere Application Servers.

  4. Delete the current IBM HTTP Server SSL certificate.
    1. On the Integrated Solutions Console left navigation pane, select Servers > Server Types > Web servers.
    2. Click the Web server name whose SSL certificate is to be replaced.
    3. Under Additional Properties, click Plug-in properties.
    4. Under Plug-in properties, click Manage keys and certificates.
    5. Under Additional Properties, click Personal certificates.
    6. Select the check box of the default certificate.
    7. Click Delete.
    8. Changes have been made to the local configuration. Click Save.
  5. Import the new IBM HTTP Server SSL certificate.
    1. Still on the same page, click Import.
    2. Select Key store file.
    3. In the Key file name field, enter the path to the keystore file that contains the new SSL certificate. For example, C:\keystore.p12.
    4. From the Type list, select the keystore type.
    5. In the Key file password field, enter the keystore password.
    6. Click Get Key File Aliases.
    7. Select the certificate alias to be imported from the list. For example, sslcert.
    8. In the Imported certificate alias field, enter default.
    9. Click OK.
    10. Changes have been made to the local configuration. Click Save.
  6. Synchronize the change to IBM HTTP Server.
    1. On the Integrated Solutions Console left navigation pane, select Servers > Server Types > Web servers.
    2. Click the Web server name.
    3. Under Additional Properties, click Plug-in properties.
    4. Under Plug-in properties, click Copy to Web server key store directory.
  7. Restart the IBM HTTP Server.
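A post-change check to run once the IBM HTTP Server has been restarted, as an added example that is not part of IBM's documentation: it accepts the CA certificate in either of the two formats listed in the prerequisites, builds a client that trusts only that CA, and reports the issuer and remaining validity of the certificate IHS now serves, so a handshake failure means the old or a wrongly signed certificate is still in place. The host name, port and CA file path are assumptions; only the Python standard library is used.

```python
"""Post-replacement check for an IBM HTTP Server SSL certificate signed by a
third-party CA. Added example, not IBM's code: host, port and the CA file
path are assumptions; standard library only."""
import socket
import ssl
from datetime import datetime, timezone

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def ca_cert_to_pem(raw: bytes) -> str:
    """Accept the CA certificate in either format the prerequisites allow
    (Base64-encoded ASCII or binary DER) and normalise it to PEM text."""
    if PEM_MARKER in raw:
        return raw.decode("ascii")
    if raw[:1] != b"\x30":  # a DER X.509 certificate always starts with a SEQUENCE tag
        raise ValueError("CA file is neither PEM nor DER")
    return ssl.DER_cert_to_PEM_cert(raw)


def trust_only_this_ca(ca_pem: str) -> ssl.SSLContext:
    """Build a client context that trusts nothing but the third-party CA, so a
    successful handshake proves the IHS certificate really chains to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def check_ihs_certificate(host: str, port: int, ca_pem: str) -> dict:
    """Handshake with IHS and report who issued the served certificate and how
    long it remains valid. Raises ssl.SSLCertVerificationError if the server
    still serves the old certificate or one not signed by this CA."""
    ctx = trust_only_this_ca(ca_pem)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - datetime.now(timezone.utc)).days
    return {"issuer_cn": issuer.get("commonName"),
            "not_after": not_after, "days_left": days_left}


if __name__ == "__main__":
    # Assumed values: the CA file from the prerequisites and the IHS host
    # fronting the IMS Server.
    with open(r"C:\rootca.der", "rb") as fh:
        ca_pem = ca_cert_to_pem(fh.read())
    print(check_ihs_certificate("ims.example.com", 443, ca_pem))
```

Run it from a workstation that will also host AccessAgent; an `SSLCertVerificationError` there is the same trust failure AccessAgent would hit.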
