Why and when to perform this task
Secure Sockets Layer (SSL) connections rely on the existence of digital certificates. A digital certificate reveals information about its owner, including their identity. During the initialization of an SSL connection, the server must present its certificate to the client so that the client can determine the server identity. The client can also present its own certificate to the server so that the server can determine the client identity. SSL is therefore a means of propagating identity between components. Refer to Configuring Secure Sockets Layer and Creating a Secure Sockets Layer repertoire configuration entry.

A client can trust the contents of a certificate if that certificate is digitally signed by a third party that the client already trusts. A Certificate Authority (CA) acts as that trusted third party and signs certificates on the basis of its knowledge of the certificate requestor. A self-signed certificate, in which the owner and the issuer are the same, proves nothing about identity to a peer that has not already chosen to trust it, which is why the self-signed certificates created below are replaced by CA-issued ones. Complete the following steps to manage digital certificates using either the key management utility (iKeyman) or the keytool utility:
Note: If certificates are updated in a federated environment, each node in the cluster must be recycled. It is important that all nodes are recycled at the same time, because recycling the servers one by one will not update the certificates.
${WAS_HOME}/java/bin/keytool -genkey -keyalg RSA -dname "cn=rocaj, ou=users, ou=uk, DC=internetchaos, DC=com" -alias rocaj -keypass websphere -keystore testkeyring.jks -storepass websphere
The keytool utility creates the key store called testkeyring.jks if it does not already exist, and stores the new RSA key pair, with a self-signed certificate, under the alias rocaj. Because -keypass and -storepass are given on the command line, both passwords are visible in the shell history and in the process listing while keytool runs; on a shared machine, omit them and answer the keytool prompts instead.
${WAS_HOME}/java/bin/keytool -genkey -keyalg RSA -dname "cn=amorv, ou=users, ou=uk, DC=internetchaos, DC=com" -alias amorv -keypass websphere -keystore testkeyring.jks -storepass websphere
Now the keystore testkeyring.jks contains two key entries, rocaj and amorv, each with a self-signed certificate: listing the keystore shows the same Owner and Issuer for each certificate.
${WAS_HOME}/java/bin/keytool -v -certreq -alias rocaj -file rocajReq.csr -keypass websphere -keystore testkeyring.jks -storepass websphere
cat rocajReq.csr |tr -d "\r"
${WAS_HOME}/java/bin/keytool -v -certreq -alias amorv -file amorvReq.csr -keypass websphere -keystore testkeyring.jks -storepass websphere
cat amorvReq.csr |tr -d "\r"
${WAS_HOME}/java/bin/keytool -import -alias "Thawte Test CA Root" -file ThawteTestCA.arm -keystore testkeyring.jks -storepass websphere
Import the CA root certificate, as a trusted certificate entry under its own alias, before importing the certificate replies: keytool verifies each reply against the trusted certificates in the keystore (and, with -trustcacerts, in the JDK cacerts file) and fails with "Failed to establish chain from reply" otherwise. keytool asks "Trust this certificate?" before adding a root; answer yes, or pass -noprompt when scripting.
${WAS_HOME}/java/bin/keytool -import -trustcacerts -alias rocaj -file rocajRec.arm -keystore testkeyring.jks -storepass websphere
keytool reports: Certificate reply was installed in keystore
Because the alias rocaj already names a key entry, keytool treats rocajRec.arm as a CA reply for that key and replaces the self-signed certificate with the CA-issued certificate chain. Replacing the entry needs the key password; here it equals the store password, so keytool does not prompt for it.
${WAS_HOME}/java/bin/keytool -import -trustcacerts -alias amorv -file amorvRec.arm -keystore testkeyring.jks -storepass websphere
keytool reports: Certificate reply was installed in keystore
Example
What to do next
Once you finish configuring security, perform the following steps to save, synchronize, and restart the servers: