Configuring SSL for WebSphere and IBM Http Server, part-4 : Dmgr and Nodes

It is always good to spend some time thinking about how to do something before starting, instead of starting and then thinking about what to do. It is also advisable to draw a picture to understand complex things in a simple way.

Now observe the picture below of a WebSphere setup with one Web Server, one DMGR and 2 nodes. Write down all the possible communications among them, and also include a browser and its communication with the DMGR.

  1. Browser to DMGR
  2. DMGR to Nodes
  3. Web Server to Application Servers, through the plug-in

That's it; now we know everywhere we can configure SSL to secure our WebSphere environment.

Note:

  • Take a backup of the configuration using backupConfig.
  • In a secure communication both end points need to exchange their certificates to establish the secure link.
  • Stop all processes related to WebSphere.

1. DMGR certificate

Start Deployment Manager [DMGR]

Replace DMGR certificate

  • In the Administrative Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate. Enter the required attributes.
  • Click OK and Save the changes.
  • Go back to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
  • Select the old DMGR certificate and click Replace.
  • On the next screen, you can choose which certificate will replace the old one. Select your new certificate. Do not select either Delete old certificate after replacement or Delete old signers. Accept your new certificate and any browser prompts.
  • On the next screen, select the old certificate and click Delete. Click OK and Save the changes.

Now your DMGR certificate is replaced.

As I pointed out earlier, certificates need to be exchanged to establish secure communication, so add the DMGR certificate as a signer to CellDefaultTrustStore.

  • Go to SSL certificate and key management > Key stores and certificates.
  • Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.
  • Select the certificate in CellDefaultKeyStore personal certificates created in previous step and click Add.
  • Click OK and Save the changes.

2. Node Certificates

  • Go to Security > SSL certificate and key management > Manage endpoint security configurations.
  • Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).
  • Click the Manage certificates button.
  • Click Create a self-signed certificate and enter the required attributes.
  • Click OK and Save the changes.
  • Go back to Security > SSL certificate and key management > Manage endpoint security configurations, click node_name(NodeDefaultSSLSettings,null), click Manage certificates.
  • Select the old certificate and click Replace.
  • On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.
  • On the next screen, select the old certificate and click Delete. Click OK and save the changes.

Now exchange the node signer certificate with CellDefaultTrustStore.

  • Go to Security > SSL certificate and key management > Manage endpoint security configurations.
  • Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null) and select Key stores and certificates.
  • Select NodeDefaultKeyStore and CellDefaultTrustStore and then click Exchange signers.
  • Select the certificate in NodeDefaultKeyStore personal certificates created in previous step and click Add.
  • Click OK and Save the changes.

Delete the old signer certificates and extract the new ones.

  • Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
  • Select all of the old signer certificates and click Delete. If you are not sure, you can compare the Fingerprint and/or the Expiration dates with the personal certificate in the keystores.
  • Select one of the new certificates. Click Extract.
  • Enter a File Name that corresponds to the certificate, for example node1.arm. Click OK.
  • Repeat this for each of the new certificates, making sure you have done this for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/etc directory.

Manually copy the trust store to each of the /etc directories.

  • Back up the trust.p12 in profile_root/Dmgr/etc.
  • Copy profile_root/Dmgr/config/cells/cell-name/trust.p12 to profile_root/Dmgr/etc.
  • Back up the trust.p12 in the profile_root/Appsrv/etc directory of each node.
  • Copy profile_root/Dmgr/config/cells/cell-name/trust.p12 to profile_root/Appsrv/etc on each node.

Note: if you have multiple nodes, you need to do the Node Certificates section for each node separately.

Now restart the DMGR and sync the nodes using the syncNode command. Then start the node agents and application servers.
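Once the DMGR and node agents are back up, it is worth confirming that each SSL endpoint is actually serving its new certificate rather than the old one; the quickest check is the same Fingerprint comparison suggested in the delete step, done against the .arm files extracted above. The script below is an added example and not part of the IBM procedure; the .arm file names, the hostnames and the ports it is given are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl

# A .arm file extracted as Base64 encoded is PEM: one certificate between these markers.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_from_arm(arm_text):
    """Return the DER bytes of the certificate inside a base64-encoded .arm file."""
    match = PEM_RE.search(arm_text)
    if not match:
        raise ValueError("no PEM certificate block found in .arm text")
    return base64.b64decode("".join(match.group(1).split()))

def fingerprint(der, algorithm="sha1"):
    """Colon-separated uppercase hex digest, the layout the admin console shows as Fingerprint."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def match_signer(presented_der, signers):
    """Return the alias of the extracted signer whose fingerprint the endpoint presented, else None."""
    presented = fingerprint(presented_der)
    for alias, der in signers.items():
        if fingerprint(der) == presented:
            return alias
    return None

def fetch_endpoint_cert(host, port, timeout=5.0):
    """Fetch the DER leaf certificate that an SSL port presents."""
    # Verification is off only because the certificate is read for comparison, never trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    import sys
    # Assumed names: .arm files extracted to profile_root/Dmgr/etc, and host:port arguments
    # such as dmgrhost:9043 for the DMGR and node agent SSL ports to check.
    signers = {a: der_from_arm(open(a + ".arm").read()) for a in ("cell", "node1", "node2")}
    for arg in sys.argv[1:]:
        host, port = arg.rsplit(":", 1)
        try:
            found = match_signer(fetch_endpoint_cert(host, int(port)), signers)
        except OSError as exc:
            found = "unreachable (%s)" % exc
        print(arg, "->", found or "NO MATCH: old certificate still served or signer not exchanged")
```

An endpoint reported as NO MATCH is still presenting a certificate that is not among the extracted signers, which is exactly the state in which the plug-in and the node agents will fail their SSL handshakes.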

3. Plug-in

  • Go to Servers > Web servers. Click webserver_name, then under Additional Properties click Plug-in properties.
  • Click Manage keys and certificates under Additional Properties, click Signer certificates and then click Add. Enter a unique Alias name and specify the File Name of the .arm file that you extracted earlier.
  • Repeat this for each of the new certificates making sure you have done this for the cell signer and all of the node signers.
  • Manually copy the plugin-key.kdb from the local configuration to the Web server. [Default locations: profile_root/Dmgr/config/cells/cell-name/nodes/node-name/servers/web-server-name/plugin-key.kdb to Web-server-root/Plugins/config/web-server-name/plugin-key.kdb]
  • Start the Web server

Note: if you have multiple web servers, you need to do the above steps for each web server separately.

The steps and procedure are from the IBM WebSphere Infocenter and IBM technote Reference #: 1305596.

4 Comments

  1. Hi sir, I need a resolution for my SSL creation. I have a UAT environment with 1 AppSrv01 federated with the Dmgr profile. Here I am creating an SSL configuration. I went to the httpserver bin folder, executed ikeyman and created a certificate, and I found there is a folder called ssl created under the httpserver folder which contains three files: kdb, rdb and sth. Now I have edited the following lines in httpd.conf:

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    ## IPv6 support:
    #Listen [::]:443

    #SSLEnable
    #SSLProtocolDisable SSLv2
    ServerName sysarc-cal30
    DocumentRoot "G:\programfiles\IBM\HTTPServer\htdocs"
    SSLEnable
    Keyfile “G:/programfiles/IBM/HTTPServer/SSL/ihskeyring.kdb”

    #SSLDisable
    # End of example SSL configuration

    After creating SSL, I went to webserver1 -> plug-in properties, and the ikeyman kdb file was copied to the web server key stores from the console.

    Restarted the web server; it didn't work. Please let me know how to resolve this.
    I have also added the IP address and host name of the computer in c:\windows\system32\drivers\etc\host
