By default, the plugin-key.kdb keystore file is used by a Web server. However, you can configure your Web server to use another keystore file.

About this task

Complete the following steps in the administrative console to change your configuration so that it does not use the default keystore file:
Procedure

1. Set up a new keystore. Complete the following steps:
   - Expand Security and click SSL certificate and key management.
   - Under Related Items, click .
   - Specify a name for the new keystore configuration in the Name field.
   - Specify the path to the keyfile in the Path field. You can specify one of the following paths:
     - The fully qualified path from the root to the repository for the Web server within the product tree
     - A path that uses the ${CONFIG_ROOT} variable and the path starting from /cells.
     For example:
     - C:\Program Files\IBM\WebSphere\AppServer\profiles\profile_name\config\cells/cell_name/nodes/node_name/servers/server_name/NewKey3.kdb
     - ${CONFIG_ROOT}/cells/cell_name/nodes/node_name/servers/server_name/NewKey3.kdb
     Avoid trouble: Verify that the pattern of forward slashes and back slashes matches other keystore file paths in the administrative console.
   - Specify the password for the keyfile in the Password and Confirm password fields.
   - Select CMSKS from the Type menu.
   - Click OK.
   - Click Save to save the changes to the master configuration.
   When you complete these steps, a new keystore file exists within the specified profile repository.
2. Add the signer certificate to the new keystore for authentication. Complete the following steps:
   - Expand Security and click SSL certificate and key management.
   - Ensure that the Dynamically update the run time when SSL configuration changes occur checkbox is selected. This checkbox ensures that the changes to the configuration are propagated to the runtime immediately after you save the configuration. This function requires that you restart your application server to become active. If you enable this function, ensure that you make Secure Socket Layer (SSL) configuration changes when the system traffic volume is low to prevent an impact on performance.
   - Under Configuration settings, click Manage endpoint security configurations.
   - Expand the Inbound or outbound topology listings and the cell name to see a list of the nodes.
   - Copy the list of nodes into a text file.
   - Extract the personal certificates and record their related information for each of the nodes. Complete the following steps:
     - Click SSL certificate and key management in the path above the panel description.
     - Under Related Items, click Key stores and certificates.
     - Click the name of the keystore.
     - Under Additional properties, click Personal certificates.
     - Record the serial number of the default certificate.
     - Select the check box in the default certificate row and click Extract.
     - Enter both the path and file name for the certificate in the Certificate file name field.
     - Record the path and file name with the serial number of the certificate that you previously recorded.
     - Click OK.
     - Click Save to save the changes to the master configuration.
     You must complete this step for each node in your configuration.
     Avoid trouble: If you create a cell profile after your initial installation of the application server, both the cell manager node and the stand-alone node might have the same certificate and same serial number. Record the identical information.
   - Return to the Manage endpoint security configurations panel. To return to this panel, complete the following steps:
     - Click SSL certificate and key management in the path above the panel description.
     - Under Configuration settings, click Manage endpoint security configurations.
   - Locate and click the name of the Web server configuration.
   - Under Related Items, click Key stores and certificates.
   - Click the name of the keystore that is associated with the Web server.
   - Under Additional Properties, click Signer certificates.
   - Compare the signer certificates in this list to the certificates that you previously extracted.
   - Click Add and add the missing certificates to the list.
   - Enter the alias for the certificate and its file path in the Alias and File name fields. You do not need to change the value for the Data type field.
   - Click OK.
   - Click Save to save the changes to the master configuration.
3. Adjust the plug-in settings to use the new keystore file.
   - Expand .
   - Under Additional Properties, click Plug-in properties.
   - Change the file name in the Plug-in key store file name field to the name of the keystore file that you created in step 1.
     Avoid trouble: The file name must match the name of the keystore file that you created in step 1.
   - Change the path to the keystore file in the Plug-in key store directory and file name field.
   - Click Copy to Web server key store directory. When you click this button, a copy of the keystore file is placed in the Web server directory.
   - Return to the list of Web servers. To return to this panel, you can click Web servers in the path above the panel description.
   - Select the Web server and click Generate Plug-in.
   - Select the Web server again and click Propagate Plug-in.
   - Click Save to save the changes to the master configuration.
Results

After you complete these steps, your Web server plug-in can use the new keystore file.
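A small pre-flight check for this configuration, added here as an example (it is not part of the original documentation or of WebSphere itself): it classifies a keystore path into the two forms the Path field accepts, applies the slash-pattern and file-name gotchas from steps 1 and 3, and works out which extracted node certificates are still missing from the Web server keystore's signer list in step 2. The sample paths, node names, certificate files and serial numbers are constructed.

```python
import re
CONFIG_ROOT = "${CONFIG_ROOT}"
# Repository tail both accepted path forms end with (modelled on the console's
# example paths): cells/<cell>/nodes/<node>/servers/<server>/<file>.kdb
TAIL = re.compile(r"cells[/\\]([^/\\]+)[/\\]nodes[/\\]([^/\\]+)[/\\]servers[/\\]"
                  r"([^/\\]+)[/\\]([^/\\]+\.kdb)$")

def parse_keystore_path(path):
    """Return (form, file_name) for a path the Path field accepts, else None."""
    m = TAIL.search(path)
    if not m:
        return None
    head = path[:m.start()]
    if head == CONFIG_ROOT + "/":            # ${CONFIG_ROOT} plus /cells/...
        return ("config_root", m.group(4))
    absolute = head.startswith("/") or re.match(r"^[A-Za-z]:\\", head)
    if absolute and re.search(r"[\\/]config[\\/]$", head):  # under the profile config dir
        return ("fully_qualified", m.group(4))
    return None

def slash_pattern_matches(path, reference_path):
    """Step 1 avoid-trouble check: the separator pattern of the repository part
    must match the other keystore paths shown in the console."""
    def seps(p):
        m = TAIL.search(p)
        return [c for c in p[m.start():] if c in "/\\"] if m else None
    return seps(path) is not None and seps(path) == seps(reference_path)

def plugin_file_name_matches(plugin_key_store_file_name, keystore_path):
    """Step 3 avoid-trouble check: the Plug-in key store file name must equal
    the file name of the keystore created in step 1."""
    parsed = parse_keystore_path(keystore_path)
    return parsed is not None and parsed[1] == plugin_key_store_file_name

def missing_signers(extracted, signer_serials):
    """Step 2: extracted maps node -> (serial, cert file); return cert files still
    to add, once per serial (cell manager and stand-alone node may share one)."""
    needed = {}
    for serial, cert_file in extracted.values():
        if serial not in signer_serials:
            needed.setdefault(serial, cert_file)
    return sorted(needed.values())

# Constructed sample values, not taken from any real cell.
NEW_KEYSTORE = "${CONFIG_ROOT}/cells/cell_name/nodes/node_name/servers/webserver1/NewKey3.kdb"
OLD_KEYSTORE = "${CONFIG_ROOT}/cells/cell_name/nodes/node_name/servers/webserver1/plugin-key.kdb"
EXTRACTED = {"dmgrNode": ("1234abcd", "/tmp/dmgrNode.arm"),
             "node01": ("1234abcd", "/tmp/node01.arm"),   # same cert as the cell manager
             "node02": ("99ff0011", "/tmp/node02.arm")}
```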