Configuring SSL for WebSphere and IBM Http Server, part-4 : Dmgr and Nodes


It is always good to spend some time on thinking how to do instead of start doing it and then thinking what to do. Also it is always advisable to draw picture to understand complex things in simple way.

Now Observe the below picture of WebSphere setup having one Web Server, one DMGR and 2 nodes. Write down all the possible communications among them. Also include a browser and its communication with DMGR.

  1. Browser to DMGR
  2. DMGR to Nodes
  3. Web Server to Application Servers… Through plug-in

Thats it, now we know where all we can configure SSL and secure our WebSphere environments.

Note:

  • Take back up of configuration using backupconfig
  • In a secure communication both end points need to exchange their certificates to establish the secure link.
  • Stop all process related to websphere

WEBSPHERE-SSL-2

 

1. DMGR certificate

Start Deployment Manager [DMGR]

Replace DMGR certificate

  • In the Administrative Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate. Enter the required attributes.
  • image 

  • Click OK and Save the changes
  • Go back to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
  • Select the old DMGR certificate and click Replace.
  • On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers. Accept your new certificate and any browser prompts.
  • On the next screen, select the old certificate and click Delete. Click OK and Save the changes.

Now you have your DMGR certificate replaced

As i pointed earlier, the certs needs to be exchanged for establishing secure communication. So add the DMGR cert to DefaultCellTrustStore

  • Go to SSL certificate and key management > Key stores and certificates.
  • Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.
  • image

  • Select the certificate in CellDefaultKeyStore personal certificates created in previous step and click Add.
  • image

  • Click OK and Save the changes.

2. Node Certificates

  • Go to Security > SSL certificate and key management > Manage endpoint security configurations.
  • Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).
  • Click the Manage certificates button.
  • image

  • Click Create a self-signed certificate and Enter the required attributes.
  • Click OK and Save the changes
  • Go back to Security > SSL certificate and key management > Manage endpoint security configurations, click node_name(NodeDefaultSSLSettings,null), click Manage certificates.
  • Select the old certificate and click Replace.
  • On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.
  • On the next screen, select the old certificate and click Delete. Click OK and save the changes.

Now Exchange the Node Signer cert with DefaultCellTrustStore

  • Go to Security > SSL certificate and key management > Manage endpoint security configurations.
  • Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null) and select Key stores and certificates.
  • Select NodeDefaultKeyStore and CellDefaultTrustStore and then Click Exchange signers.
  • image

  • Select the certificate in NodeDefaultKeyStore personal certificates created in previous step and click Add.
  • image

  • Click OK and Save the changes.

Delete the old signer certificates and extract the new ones.

  • Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
  • Select all of the old signer certificates and click Delete. If you are not sure, you can compare the Fingerprint and/or the Expiration dates with the personal certificate in the keystores.
  • Select one of the new certificates. Click Extract.
  • Enter a File Name that corresponds to the certificate. For example, node1.arm. Click Ok.
  • for each of the new certificates making sure you have done this for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/etc directory

Manually copy the trust store to each of the /etc directories.

  • Backup the trust.p12 in profile_root\Dmgr\etc
  • Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc
  • Backup the trust.p12 on each of the nodes profile_root\Appsrv\etc directories.
  • Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Appsrv\etc

Note: If you have multiple nodes… You need to do the Node Certificate section for all nodes separately.

Now, Restart the DMGR and sync the nodes using ‘syncnode’ command. Then start Node Agents and Application Servers.

3. Plug-in

  • Go to Servers > Web servers. Click webserver_name, then under Additional Properties click Plug-in properties.
  • Click Manage keys and certificates under Additional Properties, click Signer certificates and then click AddEnter a unique Alias Name and then specify the File Name that you exported as .arm file
  • image

  • Repeat this for each of the new certificates making sure you have done this for the cell signer and all of the node signers.
  • Manually copy the plugin-key.kdb from the local configuration to the Web server. [ default locations: profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb to Web-server-root\Plugins\config\web-server-name\plugin-key.kdb]
  • Start the Web server

Note: If you have multiple web servers … you need to do the above steps for each web server separately

The steps and procedure are from IBM Websphere Infocenter and document Reference #: 1305596

Advertisements

4 thoughts on “Configuring SSL for WebSphere and IBM Http Server, part-4 : Dmgr and Nodes

  1. S Mohammed Fazil says:

    hi sir, I need a resolution for my ssl creation.. I have UAT environment with 1AppSrv01 federated with Dmgr profile. Here Iam creating an ssl configuration.. I went to httpserver bin folder – executed ikeyman and created a certificate, and I found there is a folder called ssl is created under httpserver folder which contain three files kdb , rdb, sth files. now I have edited the following lines in httpd.conf

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443
    ## IPv6 support:
    #Listen [::]:443

    #SSLEnable
    #SSLProtocolDisable SSLv2
    ServerName sysarc-cal30
    DocumentRoot “G:\programfiles\IBM\HTTPServer\htdocs”
    SSLEnable
    Keyfile “G:/programfiles/IBM/HTTPServer/SSL/ihskeyring.kdb”

    #SSLDisable
    # End of example SSL configuration

    After creating ssl ,went to webserver1-> plugin-properties ->> ikeymankdb file has copied to webserver keystores from the console

    restarted webserver – didn’t worked… pls let me know how to resolve..
    I have also added ip address and host name of the computer in c:\windows\system32\drivers\etc\host

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s