Note: If you are using WebSphere Application Server
Network Deployment Manager, you should disable security in the cell BEFORE
following the instructions below!
Creating The Custom SSL Key Files
I. Server Key File
The Server Key file is created using the Ikeyman utility. The Ikeyman
utility can be found in the $WAS_HOME\bin directory. On Windows Systems,
the file is called ikeyman.bat and on Unix/Linux systems, the file is
called ikeyman.sh.
1) Create a new jks file by selecting "Key Database File" -> "New..."
2) Enter the following information to create the key file -> Click OK
File Name: ServerKey.jks
Location Name: C:\Program Files\WebSphere\AppServer\etc
Note: Your location name should be relative to your installation of
WebSphere Application Server in the etc directory
3) Enter a password for your key file -> Click OK
4) Select "Create" -> "New Certificate Request..."
5) Enter the following information to create the certificate -> Click
OK
Key Label: WebSphere Server Key
Common Name: <hostname>
Organization: WebSphere
Organization Unit: <Organization Unit>
Locality: <City>
State: <State>
Note: The output file defaults to $WAS_HOME\bin\certreq.arm
6) Once you have received the signed certificate back from the Certificate
Authority, save it in a new file called CAKey.arm:
$WAS_HOME\etc\CAKey.arm
7) Select "Personal Certificates" from the pull down navigation menu
8) Click "Receive..." and select the CAKey.arm -> click OK
9) Select "Extract Certificate..."
10) Enter the following information to extract the public certificate
-> Click OK
Certificate File Name: ServerKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
Note: Your location should be relative to your installation of
WebSphere Application Server in the etc directory
II. Client Key File
The Client Key file is created using the Ikeyman utility. The Ikeyman
utility can be found in the $WAS_HOME\bin directory. On Windows Systems,
the file is called ikeyman.bat and on Unix/Linux systems, the file is
called ikeyman.sh.
1) Create a new jks file by selecting "Key Database File" -> "New..."
2) Enter the following information to create the key file -> Click OK
File Name: ClientKey.jks
Location Name: C:\Program Files\WebSphere\AppServer\etc
Note: Your location name should be relative to your installation of
WebSphere Application Server in the etc directory
3) Enter a password for your key file -> Click OK
4) Select "Create" -> "New Self-Signed Certificate..."
5) Enter the following information to create the certificate -> Click
OK
Key Label: WebSphere Client Key
Common Name: <hostname>
Organization: WebSphere
Note: The hostname should be set by default
6) Select "Extract Certificate..."
7) Enter the following information to extract the public certificate ->
Click OK
Certificate File Name: ClientKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
Note: Your location should be relative to your installation of
WebSphere Application Server in the etc directory
8) Select "Key Database File" -> Exit
III. Plugin Key File
The plugin key must be created with the GSKit utility. Note: this
procedure applies to GSK5. The utility is installed during the WebSphere
installation in the following directories (the path may vary):
Windows: C:\Program Files\IBM\GSK5\bin\gsk5ikm.exe
Solaris: /opt/ibm/gsk5/bin/gsk5ikm
HP: /opt/ibm/gsk5/bin/gsk5ikm
AIX: /usr/opt/ibm/gsk5/bin/gsk5ikm
Linux: /usr/local/ibm/gsk5/bin/gsk5ikm
1) Create a new kdb file by selecting "Key Database File" -> "New..."
2) Enter the following information to create the key file -> Click OK
File Name: PluginKey.kdb
Location Name: C:\Program Files\WebSphere\AppServer\etc
Note: Your location name should be relative to your installation of
WebSphere Application Server in the etc directory
3) Enter a password for your key file and select the check box entitled
"Stash the password to a file" -> Click OK
4) Select "Create" -> "New Self-Signed Certificate..."
5) Enter the following information to create the certificate -> Click
OK
Key Label: WebSphere Plugin Key
Common Name: <hostname>
Organization: WebSphere
Note: The IP address should be set by default
6) Select "Extract Certificate..."
7) Enter the following information to extract the public certificate ->
Click OK
Certificate File Name: PluginKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
Note: Your location should be relative to your installation of
WebSphere Application Server in the etc directory
8) Select "Signer Certificates" from the pull down navigation menu
9) Select "Add..."
10) Enter the following information to add the server's public certificate
-> Click OK
Certificate File Name: ServerKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
11) Enter a label for the server key public certificate -> Click OK
Enter a label for the certificate: WebSphere Server CA
12) Select "Key Database File" -> Close
IV. Server Trust File
The Server Trust file is created using the Ikeyman utility. The Ikeyman
utility can be found in the $WAS_HOME\bin directory. On Windows Systems,
the file is called ikeyman.bat and on Unix/Linux systems, the file is
called ikeyman.sh.
1) Create a new jks file by selecting "Key Database File" -> "New"
2) Enter the following information to create the key file -> Click OK
File Name: ServerTrust.jks
Location Name: C:\Program Files\WebSphere\AppServer\etc
Note: Your location name should be relative to your installation of
WebSphere Application Server in the etc directory
3) Enter a password for your key file -> Click OK
4) Select "Add..."
5) Enter the following information to add the client's public certificate
-> Click OK
Certificate File Name: ClientKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
6) Enter a label for the client key public certificate -> Click OK
Enter a label for the certificate: WebSphere Client CA
7) Select "Add..."
8) Enter the following information to add the server's public certificate
-> Click OK
Certificate File Name: ServerKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
9) Enter a label for the server key public certificate -> Click OK
Enter a label for the certificate: WebSphere Server CA
10) Select "Add..."
11) Enter the following information to add the plugin's public certificate
-> Click OK
Certificate File Name: PluginKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
12) Enter a label for the plugin key public certificate -> Click OK
Enter a label for the certificate: WebSphere Plugin CA
Optional: If you are going to enable SSL between the LDAP server and
WebSphere, you will need to add the public certificate (X509 Format) from
the LDAP server into this key file.
13) Select "Key Database File" -> Exit
V. Client Trust File
The Client Trust file is created using the Ikeyman utility. The Ikeyman
utility can be found in the $WAS_HOME\bin directory. On Windows Systems,
the file is called ikeyman.bat and on Unix/Linux systems, the file is
called ikeyman.sh.
1) Create a new jks file by selecting "Key Database File" -> "New"
2) Enter the following information to create the key file -> Click OK
File Name: ClientTrust.jks
Location Name: C:\Program Files\WebSphere\AppServer\etc
Note: Your location name should be relative to your installation of
WebSphere Application Server in the etc directory
3) Enter a password for your key file -> Click OK
4) Select "Add..."
5) Enter the following information to add the client's public certificate
-> Click OK
Certificate File Name: ClientKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
6) Enter a label for the client key public certificate -> Click OK
Enter a label for the certificate: WebSphere Client CA
7) Select "Add..."
8) Enter the following information to add the server's public certificate
-> Click OK
Certificate File Name: ServerKey.arm
Location: C:\Program Files\WebSphere\AppServer\etc
9) Enter a label for the server key public certificate -> Click OK
Enter a label for the certificate: WebSphere Server CA
10) Select "Key Database File" -> Exit
Note: If you are in an ND environment, you will need to copy the
ServerKey.jks, ClientKey.jks, ServerTrust.jks, and ClientTrust.jks to the
deployment manager and each node in the cell. The files should be placed
in the same directory on each node (i.e. <WAS_ROOT>/etc).
Configuring WebSphere Application Server To Use The New Keys
Updating WebSphere Application Server
From the Administrative Console, do the following:
1) Select "Security" -> "SSL" -> "<cell>/DefaultSSLSettings"
2) Change the following entries to reflect the path and passwords of the
new keys -> Click OK
Key File Name: ${USER_INSTALL_ROOT}/etc/ServerKey.jks
Key File Password: <ServerKey.jks Password>
Trust File Name: ${USER_INSTALL_ROOT}/etc/ServerTrust.jks
Trust File Password: <ServerTrust.jks Password>
Note: If you are in an ND environment, you will need to update the
<dmgr>/DefaultSSLSettings as well with the entries above.
3) Save changes and logout
4) Restart the server process using the stopServer and startServer
commands
Note: If you are in an ND environment, you will need to restart all
Servers, Node Agents, and the Deployment Manager for the new settings to
take effect cell wide
Updating The sas.client.props File
1) Open the $WAS_HOME/properties/sas.client.props file in an editor
2) Change the following lines in the sas.client.props file to reflect the
new SSL settings -> Save the file
com.ibm.ssl.keyStore=C\:/Program Files/WebSphere/AppServer/etc/ClientKey.jks
com.ibm.ssl.keyStorePassword=<ClientKey.jks Password>
com.ibm.ssl.trustStore=C\:/Program Files/WebSphere/AppServer/etc/ClientTrust.jks
com.ibm.ssl.trustStorePassword=<ClientTrust.jks Password>
Note: The path to your key files will be relative to your WebSphere
installation and platform
Updating The soap.client.props File
1) Open the $WAS_HOME/properties/soap.client.props file in an editor
2) Change the following lines in the soap.client.props file to reflect the
new SSL settings -> Save the file
com.ibm.ssl.keyStore=C\:/Program Files/WebSphere/AppServer/etc/ClientKey.jks
com.ibm.ssl.keyStorePassword=<ClientKey.jks Password>
com.ibm.ssl.trustStore=C\:/Program Files/WebSphere/AppServer/etc/ClientTrust.jks
com.ibm.ssl.trustStorePassword=<ClientTrust.jks Password>
Note: The path to your key files will be relative to your WebSphere
installation and platform
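The sas.client.props and soap.client.props edits above are the same four com.ibm.ssl.* entries, and the colon in the drive letter has to be escaped as C\: because these are Java .properties files. The following script is an added example, not part of this document or of the WebSphere product: it rewrites those four entries in place for either file while leaving every other line untouched, and it parses the result back so you can confirm the escaping round-trips. The sample properties content, the ETC path and the password placeholders are constructed here; substitute your own $WAS_HOME/etc and the real key file passwords.

```python
"""Rewrite the com.ibm.ssl.* entries in a WebSphere client properties file.

Added example; not from the original document or from IBM. Assumes a
Java-style .properties file such as sas.client.props or soap.client.props.
"""
import re

SSL_KEYS = (
    "com.ibm.ssl.keyStore",
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStore",
    "com.ibm.ssl.trustStorePassword",
)


def escape_value(value):
    """Escape a value the way Java .properties expects. Backslashes are
    normalised to '/', then ':' and '=' are escaped, which is why the
    path reads C\\:/Program Files/... in the file."""
    value = value.replace("\\", "/")
    return value.replace(":", "\\:").replace("=", "\\=")


def unescape_value(raw):
    """Undo .properties escaping for a single-line value."""
    return re.sub(r"\\(.)", r"\1", raw)


def read_properties(text):
    """Minimal parser: key=value or key:value, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", stripped)
        if m:
            props[m.group(1)] = unescape_value(m.group(2))
    return props


def set_ssl_properties(text, key_store, key_pw, trust_store, trust_pw):
    """Return the file text with the four SSL entries replaced in place.
    Entries that were missing are appended so a fresh file works too."""
    new_values = dict(zip(SSL_KEYS, (key_store, key_pw, trust_store, trust_pw)))
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"^\s*([^=:\s]+)\s*[=:]", line)
        key = m.group(1) if m else None
        if key in new_values:
            out.append(f"{key}={escape_value(new_values[key])}")
            seen.add(key)
        else:
            out.append(line)
    for key in SSL_KEYS:
        if key not in seen:
            out.append(f"{key}={escape_value(new_values[key])}")
    return "\n".join(out) + "\n"


# Constructed sample resembling a client properties file before the change.
SAMPLE_PROPS = """\
# constructed sample, not a real WebSphere file
com.ibm.CORBA.securityEnabled=true
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStore=C\\:/Program Files/WebSphere/AppServer/etc/OldClientKey.jks
com.ibm.ssl.keyStorePassword=<old password>
com.ibm.ssl.trustStore=C\\:/Program Files/WebSphere/AppServer/etc/OldClientTrust.jks
com.ibm.ssl.trustStorePassword=<old password>
"""

# Assumed location of the key files; adjust to your $WAS_HOME/etc.
ETC = "C:\\Program Files\\WebSphere\\AppServer\\etc"


def updated_sample():
    """Apply the page's ClientKey.jks / ClientTrust.jks settings to the sample."""
    return set_ssl_properties(
        SAMPLE_PROPS,
        ETC + "\\ClientKey.jks", "<ClientKey.jks Password>",
        ETC + "\\ClientTrust.jks", "<ClientTrust.jks Password>",
    )


if __name__ == "__main__":
    print(updated_sample())
```

Run it once per file (sas.client.props and soap.client.props take identical values), then diff the result against the original before copying it into $WAS_HOME/properties; the only lines that should change are the four com.ibm.ssl.* entries.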
Updating The plugin-cfg.xml File
1) Open the $WAS_HOME/config/cells/plugin-cfg.xml file in an editor
2) Change the following lines in the plugin-cfg.xml file to reflect the
new Plugin SSL key -> Save the file
<Property Name="keyring" Value="C:\Program Files\WebSphere\AppServer\etc\PluginKey.kdb"/>
<Property Name="stashfile" Value="C:\Program Files\WebSphere\AppServer\etc\PluginKey.sth"/>
Note: The path to your key files will be relative to your WebSphere
installation and platform
Note: You will need to change all Transports that use HTTPS in the
plugin-cfg.xml file
3) Restart your web server for the new changes to take effect
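A plugin-cfg.xml for a cell with several servers has one HTTPS Transport per server, and each one carries its own keyring and stashfile Property, so it is easy to miss one. The script below is an added example, not part of this document or of the WebSphere product: it lists every HTTPS Transport still pointing somewhere other than the new PluginKey.kdb/PluginKey.sth, then rewrites all of them in one pass and leaves HTTP Transports alone. The sample XML is constructed here with only the elements the procedure refers to; real files contain many more.

```python
"""Point every HTTPS Transport in plugin-cfg.xml at the new plugin key ring.

Added example; not from the original document or from IBM. Assumes the
element layout shown on the page: <Transport Protocol="https"> with
<Property Name="keyring"/> and <Property Name="stashfile"/> children.
"""
import xml.etree.ElementTree as ET

# Constructed sample; a real plugin-cfg.xml carries many more elements.
SAMPLE_PLUGIN_CFG = """\
<Config>
  <ServerCluster Name="server1_Cluster">
    <Server Name="server1">
      <Transport Hostname="host1" Port="9080" Protocol="http"/>
      <Transport Hostname="host1" Port="9443" Protocol="https">
        <Property Name="keyring" Value="C:\\Program Files\\WebSphere\\AppServer\\etc\\OldPluginKey.kdb"/>
        <Property Name="stashfile" Value="C:\\Program Files\\WebSphere\\AppServer\\etc\\OldPluginKey.sth"/>
      </Transport>
    </Server>
    <Server Name="server2">
      <Transport Hostname="host2" Port="9443" Protocol="https">
        <Property Name="keyring" Value="C:\\Program Files\\WebSphere\\AppServer\\etc\\OldPluginKey.kdb"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""

# Paths from the procedure; adjust to your installation and platform.
NEW_KEYRING = "C:\\Program Files\\WebSphere\\AppServer\\etc\\PluginKey.kdb"
NEW_STASHFILE = "C:\\Program Files\\WebSphere\\AppServer\\etc\\PluginKey.sth"


def _https_transports(root):
    return [t for t in root.iter("Transport") if t.get("Protocol", "").lower() == "https"]


def _set_property(transport, name, value):
    """Set (or create) a <Property Name=... Value=.../> child; True if it changed."""
    for prop in transport.findall("Property"):
        if prop.get("Name") == name:
            if prop.get("Value") == value:
                return False
            prop.set("Value", value)
            return True
    ET.SubElement(transport, "Property", Name=name, Value=value)
    return True


def audit_https_transports(xml_text, keyring=NEW_KEYRING, stashfile=NEW_STASHFILE):
    """Return 'host:port' for every HTTPS transport not yet using the new key ring."""
    root = ET.fromstring(xml_text)
    stale = []
    for t in _https_transports(root):
        props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
        if props.get("keyring") != keyring or props.get("stashfile") != stashfile:
            stale.append(f"{t.get('Hostname')}:{t.get('Port')}")
    return stale


def update_https_transports(xml_text, keyring=NEW_KEYRING, stashfile=NEW_STASHFILE):
    """Rewrite keyring/stashfile on every HTTPS transport; HTTP ones are untouched.
    Returns (new_xml_text, number_of_transports_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for t in _https_transports(root):
        keyring_changed = _set_property(t, "keyring", keyring)
        stash_changed = _set_property(t, "stashfile", stashfile)
        if keyring_changed or stash_changed:
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("stale before:", audit_https_transports(SAMPLE_PLUGIN_CFG))
    new_xml, n = update_https_transports(SAMPLE_PLUGIN_CFG)
    print(f"updated {n} transport(s); stale after:", audit_https_transports(new_xml))
```

Running the audit a second time on the rewritten file should return an empty list; if it still names a host:port, that Transport was not changed and the web server will keep presenting the old key on that route until it is fixed and restarted.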