Federating a Node When Using Custom SSL Certificates
 Technote (troubleshooting)
 
Problem (Abstract)
When federating a node into a deployment manager, if either the node or the deployment manager is not using the dummy certificates, extra steps need to be followed to make sure that the node is federated properly.
 
Resolving the problem
Before federating the node, there are some settings that should be checked to ensure that the application server you are about to federate will not have SSL communication errors once added to the deployment manager:
  • The application server should trust the deployment manager. This means that the application server's trust store file must contain the deployment manager's certificate. If it does not, add it now.
  • The deployment manager should also trust the node. The deployment manager's trust store file should contain the application server's certificate. If it does not, add it now.
  • If you have multiple application servers in the cell, and want them to communicate over SSL with each other, make sure to share their certificates if they don't use the same certificate.
  • Please note that the only way to add a node when security is enabled is with the addNode command (this is either addNode.sh or addNode.bat in the bin directory of the application server, depending on the platform). It cannot be done through the administrative console.

Steps to follow:
  1. Run the addNode command with the options you plan to use (such as the host name and port for the deployment manager), but make sure to add the -noagent option. With this option, the addNode command does not start the node agent. If the -noagent option is not used, the addNode process will hang, because it is the starting of the node agent that causes the hang.
  2. Once the addNode command has finished, access the administrative console and navigate to System Administration -> Node Agents.
  3. Click on the node agent that was just created for the new node.
  4. Click on Administration Services and then JMX Connectors.
  5. Select the SOAPConnector.
  6. Click Custom Properties.
  7. There should be an sslConfig property here. Make sure that the value of this property is the same as the SSL repertoire that the application server for this node agent is using. To find out which SSL repertoire the application server is using, do the following:
    1. Navigate to Servers -> Application Servers in the administrative console and select the server you just added.
    2. Click on Administration Services and then JMX Connectors.
    3. Select the SOAPConnector.
    4. Click Custom Properties.
    5. The sslConfig property here is the one the node agent should also use.
  8. After the sslConfig property for the node agent is changed, click OK and save the changes. Be sure that 'Synchronize changes with Nodes' is enabled when you save the configuration.
  9. On the application server that you just added, run the syncNode command (syncNode.bat or syncNode.sh in the bin directory of the application server). Note: It is important that both the application server and node agent are not running at this time. If they have been started make sure both are stopped before running syncNode.
  10. Start the node agent and application server once the syncNode command is complete. The administrative console should show that the server is running and synchronized properly.
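
An offline check of the step 7 setting, as an added example that is not IBM's code: it compares the SOAPConnector sslConfig value found in the node agent's and the application server's configuration documents. It assumes each document stores the connector as an element whose xmi:type ends in SOAPConnector, with properties child elements carrying name and value attributes; the sample XML and the exampleNode repertoire names are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URI behind the xmi: prefix in the configuration documents.
XMI_TYPE = "{http://www.omg.org/XMI}type"


def soap_ssl_config(server_xml):
    """Return the sslConfig value of the SOAPConnector, or None if it is absent."""
    root = ET.fromstring(server_xml)
    for elem in root.iter():
        if elem.attrib.get(XMI_TYPE, "").endswith("SOAPConnector"):
            for prop in elem.findall("properties"):
                if prop.get("name") == "sslConfig":
                    return prop.get("value")
    return None


def compare_ssl_config(nodeagent_xml, appserver_xml):
    """Return (ok, message): ok is True only when both documents name the same repertoire."""
    agent = soap_ssl_config(nodeagent_xml)
    server = soap_ssl_config(appserver_xml)
    if agent is None or server is None:
        return False, "sslConfig missing: nodeagent=%r appserver=%r" % (agent, server)
    if agent != server:
        return False, "mismatch: nodeagent=%r appserver=%r" % (agent, server)
    return True, "both use %r" % agent


def sample(ssl_config):
    """Build a constructed configuration document (hypothetical layout, not from a real cell)."""
    prop = '<properties name="sslConfig" value="%s"/>' % ssl_config if ssl_config else ""
    return ('<server xmlns:xmi="http://www.omg.org/XMI">'
            '<services xmi:type="adminservice:AdminService">'
            '<connectors xmi:type="adminservice:SOAPConnector">'
            '<properties name="requestTimeout" value="600"/>%s'
            '</connectors>'
            '<connectors xmi:type="adminservice:RMIConnector"/>'
            '</services></server>') % prop


if __name__ == "__main__":
    # Node agent still on the default repertoire, application server on a custom one.
    print(compare_ssl_config(sample("exampleNode/DefaultSSLSettings"),
                             sample("exampleNode/CustomSSLSettings")))
    # After step 8: both documents name the same repertoire.
    print(compare_ssl_config(sample("exampleNode/CustomSSLSettings"),
                             sample("exampleNode/CustomSSLSettings")))
```
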
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > System Management/Repository
Operating system(s): Windows
Software version: 5.0
Software edition:
Reference #: 1197155
IBM Group: Software Group
Modified date: Jan 31, 2005