Update the Default SSL Certificate for IBM WAS

How to update/replace the default SSL certificate for WebSphere Application Server. We will have a look at topics like: Location of certificate, Certificate keystores, Programmatically import,replace or delete certificate using the WAS Admin commands.



Note: Websphere Application Server certificate (personal certificate) is different for different nodes in a WAS cluster. 

Note: Though the ppt mentions WAS 6.1, it works for WAS 7.x and 8.x too..

Below are some commands used to manage the SSL certificate for WAS programmatically. In the below commands, in order to import/replace a certificate you need to provide a keystore containing the new/updated certificate.


Import Certificate:
AdminTask.importCertificate('[-keyFilePath ' + keyFilePath + ' -keyFilePassword ' + keyFilePassword + ' -keyFileType ' + keyFileType + ' -certificateAliasFromKeyFile \'' + certificateAliasFromKeyFile + '\' -certificateAlias ' + certificateAlias + ' -keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' ]')
AdminConfig.save()

Replace Certificate:
AdminTask.replaceCertificate('[-certificateAlias ' + certificateAlias + ' -replacementCertificateAlias ' + replacementCertificateAlias + ' -deleteOldCert true -deleteOldSigners false -keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' ]')
AdminConfig.save()

Delete Certificate:
AdminTask.deleteCertificate('[-keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' -certificateAlias ' + removeCertAlias + ' ]')
AdminConfig.save()

Get Signer Certificate:
AdminTask.retrieveSignerFromPort('[-keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' -host ' + host + ' -port ' + port + ' -certificateAlias ' + certificateAlias + ' -sslConfigName ' + sslConfigName + ' -sslConfigScopeName ' + sslConfigScopeName + ' ]')
AdminConfig.save()

Sync All Nodes:
AdminNodeManagement.syncActiveNodes()

All above commands can be executed via the WAS scripting command:
wsadmin.sh -lang jython -username admin -password admin -f<filecontaining the above commands>

Link to request a production like SSL certificate for test purpose:
https://trustcenter.websecurity.symantec.com/process/retail/trial_product_selector

0 comments:

Post a Comment

+