Thursday, March 15, 2012

SSL Configuration in WAS7.0

PHASE 1:
--------

Reference link:

Creating certificate signing requests
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_csr.html

1. Start the key management utility if it is not already running.

2. Open the key database file from which you want to generate the request.

Open key.p12, located under
/usr/websphere/appserver/profiles/Apprsv01/config/cells/<cellname>/nodes/<nodename>/
(Apprsv01, cellname and nodename stand for the profile, cell and node
names of your own installation; this is the store that the admin console
shows as NodeDefaultKeyStore.)

Key Database type : PKCS12

Default password : WebAS

WebAS is the well-known default that every WebSphere installation ships
with, so change it on anything beyond a sandbox. Change it through the
admin console keystore panel (or AdminTask.changeKeyStorePassword in
wsadmin), not only in ikeyman, so that the password held in the server
configuration is updated too; otherwise the server can no longer open its
own keystore.

3. Type the password and click OK.

4. Click Create > New Certificate Request. The Create New Key and
Certificate Request window displays.

5. Type a Key Label, a Common Name and an Organization, and select a
Country. For the remaining fields, accept the default value, type a
value, or select new values. The common name must be valid in the
configured user registry for the secured WebSphere environment; for a
server certificate it is normally the fully qualified host name that
clients will use to reach the server, since browsers compare it against
the URL.

6. Type in a name for the file, such as certreq.arm.

7. Click OK to complete.

8. Optional: On UNIX-based platforms, remove the carriage-return
characters (^M, i.e. DOS line endings) from the certificate signing
request if they are present. To remove them, type the following command:

tr -d '\r' < certreq.arm > new_certreq.arm

9. Send the request file (certreq.arm, or new_certreq.arm if you cleaned
it in step 8) to the certificate authority (CA), following the
instructions on the CA's web site for requesting a new certificate.
Keep key.p12 safe in the meantime: the private key that belongs to this
request exists only there, and the signed certificate can only be
received into the store that generated the request.
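Before the request goes to the CA it is worth checking it from the command line. The script below is an added example, not from the original post or from IBM's documentation: it strips the carriage returns as in step 8, verifies that the request is intact and reports its subject and key size. It assumes the openssl command-line tool is installed; certreq.arm is the file name from step 6 and every other name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post or of IBM's documentation.
# Pre-flight checks on the request file before it goes to the CA.
# Assumes the openssl CLI is on PATH; certreq.arm is the file name used
# in the post, everything else is a placeholder.

# Strip carriage returns (^M) from a CSR: same effect as the tr command
# in step 8, kept here so the whole check is one script.
strip_cr() {                 # strip_cr certreq.arm new_certreq.arm
    tr -d '\r' < "$1" > "$2"
}

# Check the request's self-signature (catches truncation or paste damage)
# and print its subject. Non-zero exit status means the CSR is not usable.
csr_subject() {              # csr_subject new_certreq.arm
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -subject
}

# Size of the public key in the request, so an undersized (e.g. 1024-bit)
# key is noticed before the CA signs it.
csr_key_bits() {             # csr_key_bits new_certreq.arm
    openssl req -in "$1" -noout -pubkey \
      | openssl pkey -pubin -text -noout \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh csr_check.sh certreq.arm
if [ "$#" -eq 1 ]; then
    clean="${1%.arm}_clean.arm"
    strip_cr "$1" "$clean"
    csr_subject "$clean" || { echo "$1: CSR does not verify" >&2; exit 1; }
    echo "key size: $(csr_key_bits "$clean") bits"
fi
```

Run it as `sh csr_check.sh certreq.arm`; a non-zero exit means the file should be regenerated in ikeyman rather than sent to the CA.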


PHASE 2:
--------

After you submit the certificate signing request, wait for the CA to
accept it. Once the CA has verified your identity it sends back the
signed certificate, usually by e-mail. Receive the signed certificate
into the same keystore file from which you generated the CSR.

Before receiving the signed certificate, however, add your internal CA's
root certificate and any intermediate certificate as signer certificates
in both key.p12 and trust.p12. ikeyman can only receive a personal
certificate whose issuer chain it can build from the signers already in
the store, and the server can only send the intermediate to clients if
it is present in key.p12.

If the CA issues from an intermediate (for example a root plus a
"Class 2" CA certificate), both certificates go under Signer Certificates
in key.p12 and trust.p12.


PHASE 3:
--------

Reference link:

Receiving certificate authority-signed personal certificates
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_ksrr.html

# Open the key database file from which you generated the request.

Open key.p12 located under
/usr/websphere/appserver/profiles/Apprsv01/config/cells/<cellname>/nodes/<nodename>/
(the same file as in Phase 1).

Key Database type : PKCS12

Default password : WebAS (or the password you set in its place)

# Type the password and click OK.

# Select Personal Certificates from the pull-down list.

# Click Receive.

# Click Data type and select the data type of the new digital
certificate, such as Base64-encoded ASCII data. Select the data type
that matches the CA-signed certificate. If the CA sends the
certificate as part of an E-mail message, you may first need to cut
and paste the certificate into a separate file.

# Type the certificate file name and location for the new digital
certificate, or click Browse to locate the CA-signed certificate.

# Click OK.

# Type a label for the new digital certificate and click OK.

Results
The personal certificate list now displays the label you just gave for
the new CA-signed certificate.


PHASE 4:
---------

Replace the default (self-signed) certificate with your CA-signed certificate using the admin console.

1) Under adminconsole Security > SSL certificate and key management >
Key stores and certificates >NodeDefaultKeyStore > Personal
certificates

2) Select the default certificate and click Replace.

3) On the next screen choose the certificate that is to replace the
default one: the alias you gave the CA-signed certificate when you
received it in Phase 3.

Tick "Delete old certificate after replacement" and "Delete old signers"
if you want the old self-signed certificate removed from the keystore
and its signer removed from the trust stores; otherwise the old
certificate stays in the store until you delete it in step 4.

If the browser warns about the console's certificate at this point,
accept it.

Click OK and save the changes to the master configuration.

4) If you did not delete the old certificate in step 3: under
Security > SSL certificate and key management >
Key stores and certificates > NodeDefaultKeyStore > Personal
certificates, select the old default certificate and click Delete. Click
OK and save the changes.

5) Copy the updated key.p12 and trust.p12, for example

From
/usr/websphere/appserver/profiles/Apprsv01/config/cells/<cellname>/nodes/<nodename>/

To
/usr/websphere/appserver/profiles/Apprsv01/etc/

Back up the files already in etc first. The etc copies are the key and
trust stores that the client tools use (wsadmin, for instance; see
properties/ssl.client.props), so they need the new signer as well;
otherwise those tools prompt to accept, or reject, the unknown signer the
server now presents.

6) Restart the application server. The SSL configuration and the
keystore are read at startup, so the new certificate is not used until
then.

TESTING
--------

How to test an application on WebSphere and make sure it is using the
new certificate:

Using a browser, access the admin console or your application on its
HTTPS port, for example

https://appserver:9043/ibm/console ( admin console, WC_adminhost_secure port )

https://Appserver:9044/App ( application, on its WC_defaulthost_secure port )

Open the certificate the browser shows for the connection and check the
subject (it should be the host name you typed), the issuer (your CA, not
the self-signed default) and the expiry date.

If so, WebSphere is using your CA certificate. Note that this checks the
application server's own HTTPS transport; if users reach the application
through IBM HTTP Server and the plug-in, the certificate they see is the
web server's, which is configured separately.
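The browser check is the quickest test, but a command-line check is scriptable and also catches a server that sends its certificate without the intermediate, which a browser that has the intermediate cached will not reveal. The script below is an added example, not from the original post or from IBM's documentation. It covers both the certificate the CA returns in Phases 2 and 3 (does it chain to your root, does it belong to the key in key.p12) and the live check of the HTTPS port after Phase 4. It assumes the openssl command-line tool is installed and that the CA's root and intermediate certificates were saved as PEM files; the host name, port and file names (signed.pem, intermediate.pem, root.pem, served.pem, certreq.arm) are placeholders, and the checks use openssl rather than ikeyman.

```shell
#!/bin/sh
# Added example, not part of the original post or of IBM's documentation.
# Command-line checks for (a) the certificate the CA sent back, before
# you receive it in ikeyman (Phases 2 and 3), and (b) what the server
# really presents on its HTTPS port after the restart (Testing). Assumes
# the openssl CLI is on PATH and that the CA's root and intermediate
# certificates were saved as PEM files; every file name, host and port
# below is a placeholder.

# (a1) Does the signed certificate chain to the root via the intermediate?
#      These are the two signers that must be imported into key.p12 and
#      trust.p12 before ikeyman will receive the personal certificate.
verify_chain() {             # verify_chain signed.pem intermediate.pem root.pem
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# (a2) Does the certificate belong to the private key in key.p12?
#      The CSR was built from that key, so the public keys must match;
#      otherwise Receive fails, or the CA signed the wrong request.
pubkey_digest() {            # pubkey_digest req|x509 file
    openssl "$1" -in "$2" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{ print $NF }'
}
cert_matches_csr() {         # cert_matches_csr signed.pem certreq.arm
    [ "$(pubkey_digest x509 "$1")" = "$(pubkey_digest req "$2")" ]
}

# (b1) Save every certificate the server sends in the handshake, leaf
#      first, without trusting anything yet.
fetch_served_chain() {       # fetch_served_chain appserver 9043 served.pem
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# (b2) Subject, issuer and expiry of the served leaf: what the browser
#      would show, minus the clicking. x509 reads only the first cert.
served_leaf_info() {         # served_leaf_info served.pem
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# (b3) True only if the served leaf validates against OUR root using
#      nothing but the certificates the server itself sent. If
#      verify_chain passed on the file from the CA but this fails, the
#      intermediate signer is missing from key.p12 (or the server was
#      not restarted) and clients without a cached intermediate will
#      reject the connection.
served_by_our_ca() {         # served_by_our_ca served.pem root.pem
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Usage: sh cert_check.sh appserver 9043 root.pem
if [ "$#" -eq 3 ]; then
    fetch_served_chain "$1" "$2" served.pem
    served_leaf_info served.pem
    if served_by_our_ca served.pem "$3"; then
        echo "OK: $1:$2 presents a certificate issued under $3"
    else
        echo "FAIL: $1:$2 does not chain to $3 with the certificates it sent" >&2
        exit 1
    fi
fi
```

Run the (a) functions on the file the CA returned before opening ikeyman, and the script itself (sh cert_check.sh appserver 9043 root.pem) after the restart in Phase 4; run it against the application port as well, since the admin console and the default host are separate transports.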
