WebSphere plugin-key.kdb password to expire on April 26, 2012 : Steps to verify & rectify

The WebSphere Plugin comes with a plugin-key.kdb file upon installation. The password, "WebAS", is set to expire by April 26, 2012 US EDT. If you have not generated a key file for the WebSphere plug-in, you will run into this expiration, and web traffic via the web server and plugin will no longer function. Most customers don't use this keyfile; rather, after configuring the plugin to a web server, they generate a new keyfile and have it propagated to the web server location.

Important Notes
  • This applies to the IBM HTTP Server plugin when you use the default plugin KDB file that came with the WebSphere installation.
  • Checking the expiry through the GUI is time-consuming and needs access to the iKeyman utility, so I am writing the procedure to verify it from the command line.
  • No restart is required for this task.
  • The KDB file or plugin configuration will be reloaded when the web server restarts or a new plugin configuration is propagated from the application server.
  • If the password is not changed before 26th April 2012, plugin initialization will fail when you restart the web server, and you will not be able to propagate a new plugin configuration from WebSphere Application Server.
1) First determine the location of your plugin installation [Default : IHS_installation/Plugins]
2) Next find out the location of the web server definition [default : IHS_installation/Plugins/config/webserver_definition]
3) Now make sure that you have GSKit installed on that machine [ls -l /bin/gsk7capicmd]
4) Find out the plugin KDB file password expiry using the below command: /bin/gsk7capicmd -keydb -expiry -db "IHS_installation/Plugins/config/webserver_definition/plugin-key.kdb" -pw *****
  • If it returns Validity ‘0’, the password doesn’t expire. You can stop here.
  • If it returns a date like “26 April 2012”, then you need to change the password.
5) If the password is expiring, use the following commands to reset the password validity:
  • Back up the existing stash file [plugin-key.sth]
  • Change the password: /bin/gsk7capicmd -keydb -changepw -pw old_pass -new_pw new_pass -stash -db IHS_installation/Plugins/config/webserver_definition/plugin-key.kdb
  • Change the password back to the original password. [Not necessary, but good to change it back]
  • Verify the expiry date now: /bin/gsk7capicmd -keydb -expiry -db "IHS_installation/Plugins/config/webserver_definition/plugin-key.kdb" -pw *****
6) Please note that it is recommended to change the password for the template KDB file as well. This can be found under the IHS_installation/Plugins/etc directory. The default password is “WebAS” for this file.
  • Check the expiry [/bin/gsk7capicmd -keydb -expiry -db "IHS_installation/Plugins/etc/plugin-key.kdb" -pw *****]
  • Change the password, if required [/bin/gsk7capicmd -keydb -changepw -pw old_pass -new_pw new_pass -stash -db IHS_installation/Plugins/etc/plugin-key.kdb]
  • Change the password back to the default password [/bin/gsk7capicmd -keydb -changepw -pw old_pass -new_pw new_pass -stash -db IHS_installation/Plugins/etc/plugin-key.kdb]
  • Verify the validity again [/bin/gsk7capicmd -keydb -expiry -db "IHS_installation/Plugins/etc/plugin-key.kdb" -pw *****]
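
The checks in steps 3, 4 and 6 can be run over both KDB files in one pass. The script below is an added example, not part of the original post: the names GSK, KDB_PW, classify_expiry and audit_kdb are hypothetical, and it assumes the expiry command prints a "Validity" line holding either 0 or a date, as step 4 describes.

```shell
#!/bin/sh
# Added example: audit plugin-key.kdb password expiry (steps 3, 4 and 6).
# Assumed names: GSK (path to gsk7capicmd), KDB_PW (current KDB password).
GSK="${GSK:-/bin/gsk7capicmd}"

# Classify the text printed by "-keydb -expiry", read from stdin.
# Prints "no-expiry", "expires: <date>", or "unknown" (no Validity line).
# Assumes the output has a "Validity" line holding 0 or a date, as in step 4.
classify_expiry() {
    line=$(grep 'Validity' | head -n 1) || true
    [ -n "$line" ] || { echo "unknown"; return 0; }
    # Keep what follows "Validity"; drop separators and trailing quotes/spaces.
    value=$(printf '%s\n' "$line" |
        sed -e 's/^.*Validity[^0-9A-Za-z]*//' -e "s/[\"' ]*\$//")
    if [ "$value" = "0" ]; then
        echo "no-expiry"
    else
        echo "expires: $value"
    fi
}

# Run the step 4 check on one KDB file. Returns 0 = no expiry,
# 1 = expiring or unknown (needs attention), 3 = cannot check.
audit_kdb() {
    db=$1
    [ -x "$GSK" ] || { echo "$db: $GSK not found, is GSKit installed?"; return 3; }
    [ -f "$db" ] || { echo "$db: file not found"; return 3; }
    status=$("$GSK" -keydb -expiry -db "$db" -pw "${KDB_PW:-}" 2>&1 | classify_expiry)
    echo "$db: $status"
    [ "$status" = "no-expiry" ] && return 0
    # Step 5: back up the stash file before running -changepw.
    [ -f "${db%.kdb}.sth" ] && echo "  back up ${db%.kdb}.sth before changing the password"
    return 1
}

# Usage: KDB_PW=... sh check_kdb.sh <web server definition KDB> <template KDB>
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_kdb "$f" || rc=1; done
    exit "$rc"
fi
```

Supplying the password through KDB_PW keeps it out of shell history, although -pw still exposes it in the process list while the command runs.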
