Default chained certificate configuration in SSL
When a WebSphere® Application Server process starts for the first time, the Secure Sockets Layer (SSL) run time initializes the default keystores and truststores that are specified in the SSL configuration.
The chained certificates created during profile creation have a 1 year life span by default. The default root certificate used to signer the default chained certificate has a life span of 15 years. The life span of the default and the root certificates can be customized during profile creation. An advantage in this type of chained certificate is that only the signer from the root certificate is needed to establish trust. When the chained certificate is regenerated with the same root certificate, clients using that root signer certificate for trust do not lose their trust.
- Default keystore and truststore properties
- WebSphere Application Server creates the key.p12 default
keystore file and the trust.p12 default truststore file during profile creation. A
default, chained certificate is also created in the key.p12 file. The root signer, or public
key, of the chained certificate is extracted from the key.p12 file and added to the
trust.p12 file. If the files do not exist during process startup, they are re-created during
startup.
You can identify keystore and truststore defaults because of their suffixes: DefaultKeyStore and DefaultTrustStore. Also, in the SSL configuration, you must set the fileBased attribute to true so that the runtime environment only uses the default keystores and truststore.
On a base application server, default key and truststores are stored in the node directory of the configuration repository. For example, the default key.p12 and trust.p12 stores are created with thedefault
AppSrv01 profile name, the myhostNode01Cell name, and the myhostNode01 node name. The keystore and truststore are located in the following directories:
C:\WebSphere\AppServer\profiles\AppSrv01\config\cells\myhostNode01Cell \nodes\myhostNode01\key.p12
C:\WebSphere\AppServer\profiles\AppSrv01\config\cells\myhostNode01Cell \nodes\myhostNode01\trust.p12
${WAS_INSTALL_ROOT}/profile/default/config/cells/myhostNode01Cell/nodes/myhostNode01/key.p12
${WAS_INSTALL_ROOT}/profile/default/config/cells/myhostNode01Cell/nodes/myhostNode01/trust.p12
The default password is WebAS for all default keystores generated by WebSphere Application Server. Change the default password after the initial configuration for a more secure environment.
- Default chained certificate
- The default chained certificate of the server along with a root self-signed certificate used to
sign the default chained certificate are created during profile creation. Root certificate properties:
Information Value type self-signed size 2048 signature algorithm SHA256withRSA SubjectDN cn=${hostname},ou=Root Certificate, ou=<node name>, ou= <cell name>,o=IBM,c=US lifespan 15 years Default certificates properties:Information Value type chained (signed by the root certificate) size 2048 signature algorithm SHA256withRSA SubjectDN cn=${hostname},ou=<node name>,ou=<cell name>,o=IBM,c=US lifespan 1 year You can re-create the certificates with different information simply by deleting the *.p12 files in /config and /etc. Change the four properties in the next code example to the values you want the certificates to contain, then restart the processes. This causes the server certificate in /config and the client certificate in /etc to differ.
The certificate properties in the next code example exist in the ssl.client.props file, but do not exist in the server configuration. However, you can use these values in the server configuration by adding them as custom security properties in the administrative console. Click Security > Global security > Custom properties to change the following properties:com.ibm.ssl.defaultCertReqAlias=default_alias com.ibm.ssl.defaultCertReqSubjectDN=cn=${hostname},ou=myhostNode01,ou=myhostNode01Cell,o=IBM,c=US com.ibm.ssl.defaultCertReqDays=365 com.ibm.ssl.defaultCertReqKeySize=1024 com.ibm.ssl.rootCertSubjectDN=cn=${hostname},ou=Root Certificate, ou=myhostNode01, ou=myhostNode01Cell,o=IBM,c=US com.ibm.ssl.rootCertValidDays=7300 com.ibm.ssl.rootCertAlias=root com.ibm.ssl.rootCertKeySize=1024
After changing the properties, complete the following actions:- Delete the default key.p12 keystore and trust.p12 truststore files for the deployment manager, which contain the default chained certificate. If the keystore and truststore file do not exist, WebSphere Application Server automatically generates them and creates new default certificates using the previously listed property values.
- Delete the root keystore, which is the root-key.p12 file, to regenerate the root certificate with the previously listed properties.
- Restart the deployment manager, its node, and all of the servers.
- Sign each node using the root certificate.
- If the nodes are not federated, federate each node into the deployment manager using the addNode command. The default certificate for the node is regenerated using the root certificate for the cell.
- If the nodes are federated, renew the certificate for each node using the root certificate for the cell. You can renew the certificate using the administrative console or using the renewCertificate command. For more information, see the renewing a certificate and the renewCertificate command documentation.
If a default_alias value already exists, the run time appends _#, where the number sign (#) is a number that increases until it is unique in the keystore. ${hostname} is a variable that is resolved to the host name where it was originally created. The default expiration date of chained certificates is one year from their creation date.
The run time monitors the expiration dates of chained certificates using the certificate expiration monitor. These chained certificates are automatically replaced along with any signer certificates when they are within the expiration threshold, which is typically 30 days before expiration. You can increase the default key size beyond 1024 bits only when the Java™ runtime environment policy files are unrestricted (that is, not exported). For more information, see Certificate expiration monitoring in SSL.
- Default keystore and truststore configurations for new Base Application Server processes
- The following sample code shows the default SSL configuration
for a base application server. References to the default keystores
and truststores files are highlighted.
<repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings" managementScope="ManagementScope_1"> <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1" trustStore="KeyStore_2" trustManager="TrustManager_1" keyManager="KeyManager_1"/> </repertoire>
- Default keystore
- In the following sample code, the keystore object that represents the default keystore is
similar to the XML object.
<keyStores xmi:id="KeyStore_1" name="NodeDefaultKeyStore" password="{xor}349dkckdd=" provider="IBMJCE" location="${WAS_INSTALL_ROOT}/config /cells/myhostNode01Cell/nodes/myhostNode01/key.p12" type="PKCS12" fileBased="true" hostList="" initializeAtStartup="true" managementScope="ManagementScope_1"/>
The NodeDefaultKeyStore keystore contains the personal certificate that represents the identity of the secure endpoint. Any keystore reference can use the ${WAS_INSTALL_ROOT} variable, which is expanded by the run time. The PKCS12 default keystore type is in the most interoperable format, which means that it can be imported into most browsers. The myhostNode01Cell password is encoded. The management scope determines which server run time loads the keystore configuration into memory, as shown in the following code sample:<managementScopes xmi:id="ManagementScope_1" scopeName=" (cell):myhostNode01Cell:(node):myhostNode01" scopeType="node"/>
Any configuration objects that are stored in the security.xml file whose management scopes are outside the current process scope are not loaded in the current process. Instead, the management scope is loaded by servers that are contained within the myhostNode01 node. Any application server that is on the specific node can view the keystore configuration.
When you list the contents of the key.p12 file to show the chained certificate, note that the common name (CN) of the distinguished name (DN) is the host name of the resident machine. This listing enables you to verify the host name by its URL connections. Additionally, you can verify the host name from a custom trust manager. For more information, see Trust manager control of X.509 certificate trust decisions.
- Contents of default keystore
- The following sample code shows the contents of the default key.p12 file in a keytool
list:
keytool -list -v -keystore c:\WebSphere\AppServer\profile\AppSrv01\profiles\config \cells\myhostNode01Cell\nodes\myhostNode01\key.p12 -storetype PKCS12 -storepass *****
${profile_root}\config\cells\${cellname}\nodes\${nodename}> keytool -list -v -keystore ${WAS_INSTALL_ROOT}/profile/default/config/cells/myhostNode01Cell /nodes/myhostNode01/key.p12 -storetype PKCS12 -storepass *****
Keystore type: PKCS12 Keystore provider: IBMJCE Your keystore contains 1 entry Alias name: default Creation date: Dec 31, 1969 Entry type: keyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=myhost.austin.ibm.com, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US Issuer: CN=myhost.austin.ibm.com, OU=Root Certificate, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US Serial number: 4e48f29aafea6 Valid from: 2/7/08 1:03 PM until: 2/6/09 1:03 PM Certificate fingerprints: MD5: DB:FE:65:DB:40:13:F4:48:A4:CE:2F:4F:60:A5:FF:2C SHA1: A1:D4:DD:4B:DE:7B:45:F7:4D:AA:6A:FC:92:38:78:53:7A:99:F1:DC Certificate[2]: Owner: CN=myhost.austin.ibm.com, OU=Root Certificate, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US Issuer: CN=myhost.austin.ibm.com, OU=Root Certificate, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US Serial number: 4e48e5fd4eae3 Valid from: 2/7/08 1:03 PM until: 2/2/28 1:03 PM Certificate fingerprints: MD5: A5:9B:05:78:CF:AB:89:94:C9:2E:F1:87:34:B3:FC:75 SHA1: 43:74:B6:C7:FA:C1:0F:19:F2:51:2B:17:60:0D:34:93:55:BF:D5:D2 ******************************************* *******************************************
The default alias name and the keyEntry entry type indicate that the private key is stored with the public key, which represents a complete personal certificate. The certificate is owned byCN=myhost.austin.ibm.com, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US and it is issued by the default root certificate, which is owned byCN=myhost.austin.ibm.com, OU=Root Certificate, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US By default, the certificate is valid for one year from the date of creation.
Additionally, in some signer-exchange situations, the certificate fingerprint ensures that the sent certificate has not been modified. The fingerprint, which is a hash algorithm output for the certificate, is displayed by the WebSphere Application Server run time during an automated signer exchange on the client side. The client fingerprint must match the fingerprint that is displayed on the server. The run time typically uses the SHA1 hash algorithm to generate certificate fingerprints.
- Default truststore
- In the following sample code, the keystore object represents the
default trust.p12 truststore. The truststore contains
signer certificates that are necessary for making trust decisions:
<keyStores xmi:id="KeyStore_2" name="NodeDefaultTrustStore" password="{xor}349dkckdd=" provider="IBMJCE" location="${WAS_INSTALL_ROOT} /config/cells/myhostNode01Cell/nodes/myhostNode01/trust.p12" type="PKCS12" fileBased="true" hostList="" initializeAtStartup="true" managementScope="ManagementScope_1"/>
- Contents of default truststore
- The following sample code shows the contents of the default trust.p12 truststore
in a keytool listing. By default, for the sample chained certificate,
the root certificate signer is included in the trust store. The root
signer alias name and the trustedCertEntry entry type indicate that
the certificate is the public key. The private key is not stored in
this truststore. In addition, all truststores contain the default
DataPower certificate.
keytool -list -v -keystore c:\WebSphere\AppServer\profile\AppSrv01\profiles\config\cells\myhostNode01Cell \nodes\myhostNode01\trust.p12 -storetype PKCS12 -storepass *****
${profile_root}\config\cells\${cellname}\nodes\${nodename}> keytool -list -v -keystore ${WAS_INSTALL_ROOT}/profile/default/config/cells/myhostNode01Cell /nodes/myhostNode01/trust.p12 -storetype PKCS12 -storepass *****
Keystore type: PKCS12 Keystore provider: IBMJCE Your keystore contains 2 entries Alias name: root Creation date: Dec 31, 1969 Entry type: trustedCertEntry Owner: CN=myhost.austin.ibm.com, OU=Root Certificate, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US Issuer: CN=myhost.austin.ibm.com, OU=Root Certificate, OU=myhostNode01Cell, OU=myhostNode01, O=IBM, C=US Serial number: 4e48e5fd4eae3 Valid from: 2/7/08 1:03 PM until: 2/2/28 1:03 PM Certificate fingerprints: MD5: A5:9B:05:78:CF:AB:89:94:C9:2E:F1:87:34:B3:FC:75 SHA1: 43:74:B6:C7:FA:C1:0F:19:F2:51:2B:17:60:0D:34:93:55:BF:D5:D2 ******************************************* ******************************************* Alias name: datapower Creation date: Dec 31, 1969 Entry type: trustedCertEntry Owner: OU=Root CA, O="DataPower Technology, Inc.", C=US Issuer: OU=Root CA, O="DataPower Technology, Inc.", C=US Serial number: 0 Valid from: 6/11/03 1:23 PM until: 6/6/23 1:23 PM Certificate fingerprints: MD5: 18:AC:86:D1:9A:90:A2:AE:8B:28:F9:A8:75:C8:A9:DB SHA1: A9:BA:A4:B5:BC:26:2F:5D:2A:80:93:CA:BA:F4:31:05:F2:54:14:17