Starting in WebSphere® Application Server Version 7.0, you have several options available during profile creation concerning the default certificate and root certificate of the server.

The new certificate options enable you to:
- Import the default certificate of the server
- Import the root certificate of the server
- Customize the default certificate subjectDN and validity period of the server
- Customize the root certificate subjectDN and validity period of the server

Two new panels are available during profile creation that enable you to make decisions about the default certificate and root certificate of the server.

The first panel, titled Security Certificate (Part 1), enables you to choose to import a certificate or to have WebSphere Application Server create the default certificate or the default root certificate of the server for you.

The second panel, titled Security Certificate (Part 2), either displays the information from the certificate imported from the previous panel, or, if you choose to have WebSphere Application Server create the certificate, enables you to change the subjectDN and the certificate validity period.

Customization of certificates can also be performed by using the manageprofiles command and from a silent install response file.

Importing the default certificate of the server during profile creation

If the default certificate of the server is imported during profile creation, it is added to NodeDefaultKeyStore if on a stand-alone application server, or to CellDefaultKeyStore if on a deployment manager. The imported certificate signer is added to NodeDefaultTrustStore or CellDefaultTrustStore.

To import the default certificate of the server, you must have a personal certificate stored and a keystore that you have access to. You must know the location, type and password of the keystore. On the Security Certificate (Part 1) panel, do the following:
- Select Import an existing default personal certificate.
- Type or select the keystore file name.
- Enter the password of the keystore.
- Select a keystore type from the pull-down list.
- If you have correctly filled in all information from the previous 3 steps, you are able to select a certificate alias from the pull-down list.

The certificate you choose is imported to the default keystore of the server. The next panel, Security Certificate (Part 2), displays the issuedTo and issuedBy certificate information.

If you use the manageprofiles command to import the default certificate, the options are:
- -importPersonalCertKS keystore_path: the keystore file location
- -importPersonalCertKSType keystore_type: the type of the keystore
- -importPersonalCertKSPassword keystore_password: the password to open the keystore
- -importPersonalCertKSAlias keystore_alias: the alias of the certificate used from the keystore

Importing the root certificate of the server during profile creation

If the server root certificate is imported during profile creation, the certificate is added to NodeDefaultRootStore on a stand-alone application server or to DmgrDefaultRootStore on a deployment manager. The signer is pulled from the imported root certificate and added to NodeDefaultTrustStore or CellDefaultTrustStore. The root certificate is used by WebSphere Application Server to sign any chained certificates it creates. If no default certificate is provided during profile creation, WebSphere Application Server uses the root certificate to sign the default certificate of the server.

To import the default certificate of the server, you must have a personal certificate stored and a keystore that you have access to. You must know the location, type and password of the keystore. On the Security Certificate (Part 1) panel, do the following:
- Select Import an existing root signing certificate.
- Type or select the keystore file name.
- Enter the password of the keystore.
- Select a keystore type from the pull-down list.
- If you have correctly filled in all information from the previous 3 steps, you are able to select a certificate alias from the pull-down list.

The certificate you choose is imported to the root keystore of the server. The next panel, Security Certificate (Part 2), displays the issuedTo and issuedBy certificate information.

If you use the manageprofiles command to import the root certificate, the options are:
- -importSigningCertKS keystore_path: the keystore file location
- -importSigningCertKSType keystore_type: the type of the keystore
- -importSigningCertKSPassword keystore_password: the password to open the keystore
- -importSigningCertKSAlias keystore_alias: the alias of the certificate used from the keystore

Customizing the default certificate created by WebSphere Application Server

If you choose to let WebSphere Application Server create the default certificate of the server, you can customize the subject distinguished name (DN) and the life span of the certificate.

To customize the default certificate of the server on the Security Certificate (Part 1) panel, do the following:
- Select Create a new default personal certificate.
- On the next panel, Security Certificate (Part 2), the Issued to distinguished name field contains the WebSphere Application Server default DN. Replace this with your customized DN.
- In Expiration period in years, select the number of years you want the certificate to be valid for.

If you use the manageprofiles command to customize the default certificate, the options are:
- -personalCertDN distinguished_name: the DN to give to the certificate
- -personalCertValidityPeriod validity_period: the life span to give to the certificate

Customizing the root certificate created by WebSphere Application Server

If you choose to let WebSphere Application Server create the root certificate, you can customize the DN of the certificate and the life span of the certificate.

To customize the root certificate of the server on the Security Certificate (Part 1) panel, do the following:
- Select Create a new root signing certificate.
- On the next panel, Security Certificate (Part 2), the Issued by distinguished name field contains the WebSphere Application Server default root certificate DN. Replace this with your customized DN.
- In Expiration period in years, select the number of years you want the root certificate to be valid for.

If you use the manageprofiles command to customize the root certificate, the options are:
- -signingCertDN distinguished_name: the DN to give to the root certificate
- -signingCertValidityPeriod validity_period: the life span to give to the root certificate
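
The manageprofiles certificate options from the sections above, assembled by a small shell helper that keeps the import options and the customize options apart. This is an added example, not IBM's code: the function name cert_args and the KS_* and CERT_* variables are hypothetical, the sample values are constructed, and only the option names come from this page.

```shell
# cert_args KIND: print the certificate options for manageprofiles, one
# argument per line. KIND is "personal" (default certificate) or "signing"
# (root certificate). The KS_* and CERT_* variable names are hypothetical.
cert_args() {
    case $1 in
        personal) imp=importPersonalCert; cust=personalCert ;;
        signing)  imp=importSigningCert;  cust=signingCert ;;
        *) echo "kind must be personal or signing" >&2; return 2 ;;
    esac
    if [ -n "${KS_PATH:-}" ]; then
        # Import: location, type, password and alias are all required.
        for v in "${KS_TYPE:-}" "${KS_PASSWORD:-}" "${KS_ALIAS:-}"; do
            [ -n "$v" ] || { echo "import needs type, password and alias" >&2; return 1; }
        done
        # The page offers DN and validity changes only for created certificates.
        if [ -n "${CERT_DN:-}${CERT_VALIDITY:-}" ]; then
            echo "DN/validity cannot be combined with an import" >&2; return 1
        fi
        # Note: the password becomes a command-line argument of manageprofiles.
        printf '%s\n' "-${imp}KS" "$KS_PATH" "-${imp}KSType" "$KS_TYPE" \
            "-${imp}KSPassword" "$KS_PASSWORD" "-${imp}KSAlias" "$KS_ALIAS"
        return 0
    fi
    # Create: validate before printing so a bad value yields no partial output.
    case ${CERT_VALIDITY:-} in
        *[!0-9]*) echo "validity period must be digits only" >&2; return 1 ;;
    esac
    if [ -n "${CERT_DN:-}" ]; then printf '%s\n' "-${cust}DN" "$CERT_DN"; fi
    if [ -n "${CERT_VALIDITY:-}" ]; then
        printf '%s\n' "-${cust}ValidityPeriod" "$CERT_VALIDITY"
    fi
    return 0
}

# Constructed sample values: a created root certificate with a custom DN.
( KS_PATH=; CERT_DN='cn=lab-root,ou=Root Certificate,o=Example,c=US'
  CERT_VALIDITY=15; cert_args signing )
```

The printed arguments are meant to be appended to a manageprofiles invocation that already carries the profile creation options.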