IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Recreating the root CA for WebSphere Application Server 7.0 on the deployment manager before creating member nodes

The WebSphere® Application Server root CA has a default 1024 bit key size. Change the root CA key size to 2048 bit on the deployment manager node before you create any federated nodes. Use a 2048 bit key size to offer an increased level of security.

Before you begin

About this task

This task is optional. It applies only to:
  • New installations of the IMS Server that must upgrade the default 1024 bit root certificate key size to 2048 bit.
  • A new cluster where only the deployment manager node is created.

    Custom WebSphere Application Server profiles or member nodes of the cluster are not yet created or federated.

With this approach, you upgrade the root CA key size to a 2048 bit root certificate before you create member nodes on the cluster.

Complete this task to avoid upgrading the certificate of each node individually.

After you create the deployment manager, complete these steps. The root CA certificate signs the default certificates in the key store. The certificates are for securing internal WebSphere Application Server communications.
Figure 1. Replacing the root CA and key signers for WebSphere Application Server in the truststore with a new key size.
The process involves the following steps:
  1. Replace the default 1024 bit root certificate with a new 2048 bit root certificate; then extract it. See step 1 to step 9.
  2. Create a 2048 bit chained personal certificate in the key store, replace the older version, and export the personal certificate to a keystore. See step 10 to step 11.
  3. Use the ikeyman utility to add the extracted root CA to the truststore. See step 12.

Procedure

  1. Select Start > All Programs > IBM WebSphere > Application Server <version> > Profiles > <dmgr_profile_name> > Administrative console.
  2. Log on to the IBM Integrated Solutions Console.
  3. On the Integrated Solutions Console navigation pane, select Security > SSL certificate and key management.
  4. In Related items, click Key stores and certificates.
  5. Create a temporary self-signed root CA in the default root store.

    The temporary root certificate is used to replace the older root certificate. The temporary root certificate is then replaced with a new 2048 bit root certificate.

    1. From the Keystore usages list, select Root certificates keystore.
    2. Click DmgrDefaultRootStore.
    3. Under Additional Properties, click Personal certificates.
    4. Click Create > Self-signed Certificate.
    5. In Alias, enter a new alias name. For example: root2.
    6. In the Common name field, enter the fully qualified domain name of the computer where the WebSphere Application Server is installed. For example: ibm-svr1.example.com.
    7. Click OK.
    8. Click Save.
  6. Replace the old root CA, root, with the temporary root CA, root2.
    1. In the Personal Certificates page, select the check box for the older root certificate, root.
    2. Click Replace.
    3. From the Replace with list, choose the alias of the certificate you created.
    4. Select Delete old certificate after replacement.
      Important: Be sure that the Delete old signer check box is not selected.

      See the WebSphere Application Server information center on replacing a certificate for details:

      http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_sslreplaceselfsigncert.html

    5. Click OK.
    6. Click Save to apply the changes to the master configuration.
  7. Create the 2048 bit root CA. This root certificate is the 2048 bit certificate that you retain.
    1. Click Create > Self-signed Certificate.
    2. In Alias, enter root.
      Important: You must specify the alias name as root for this 2048 bit certificate.
    3. From the Key size list, select 2048.
    4. In the Common name field, enter the fully qualified domain name of the computer where the WebSphere Application Server is installed. For example: ibm-svr1.example.com.
    5. In the Validity period field, enter the validity period of the certificate. For example: A root certificate is typically used for 7300 days, which is approximately 20 years.
    6. Optional: Complete the certificate with optional identification details.
    7. Click OK.
    8. Click Save.
  8. Replace the temporary root certificate with the new 2048 bit root that you retain.
    1. In the Personal Certificates page, select the check box for the temporary root certificate: root2.
    2. Click Replace.
    3. From the Replace with list, choose the new 2048 root certificate you created: root.
    4. Select Delete old certificate after replacement.
    5. Ensure that the Delete old signer check box is not selected.
      Important: Be sure that the Delete old signer check box is not selected.
    6. Click OK.
    7. Click Save to apply the changes to the master configuration.
    You successfully replaced the original 1024 bit root certificate with a new 2048 bit root certificate.
  9. Extract the new root CA to a file.
    1. In the Personal Certificates page, select root.
    2. Click Extract.
    3. In Certificate file name, enter the fully qualified path to the certificate to be extracted. For example: C:\root2048.cer
    4. Verify that Data type is Base64-encoded ASCII data.
    5. Click OK.
  10. Create a chained personal certificate in the default cell keystore: CellDefaultKeyStore.
    1. In the Key stores and certificates page, click CellDefaultKeyStore.
    2. In Additional Properties, click Personal certificates.
    3. Click the default certificate. The distinguished name for the default certificate in the CellDefaultKeyStore must be in the following form: CN=<CN>,OU=<OU>,O=<Organization>,C=<Country>. For example: CN=ibmsvr1.example.com, OU=Root Certificate, OU=ibmsvr1Cell01, OU=ibmsvr1CellManager01, O=IBM, C=US.
    4. Click Back.
    5. Click Create > Chained certificate.
    6. In the Alias field, enter a new personal certificate alias. For example: default2.
    7. In the Root certificate used to sign the certificate field, select the alias root. This root certificate is the new 2048 bit root certificate.
    8. In the Key size field, select 2048.
    9. In the Common name field, enter the fully qualified domain name of the computer where the WebSphere Application Server is installed.
    10. In the Validity period field, enter the validity period of the certificate. For example: a typical default value for a personal certificate is 365 days.
    11. Required: In the Organization field, specify the organization portion of the distinguished name.
      Important: Do not leave the organization portion of the distinguished name empty.
    12. Required: In the Country or region field, specify the country portion of the distinguished name.
      Important: Do not leave the country portion of the distinguished name empty.
    13. Optional: Enter additional certificate identification information in the optional fields.
    14. Click OK.
    15. Click Save to apply the changes to the master configuration.
    16. Replace the old default personal certificate with the new one.
      1. In the Personal Certificates page, select the default check box.
      2. Click Replace.
      3. From the Replace with list, choose the alias of the certificate you created. For example: default2.
      4. Select Delete old certificate after replacement.
      5. Ensure that the Delete old signer check box is not selected.
        Important: Be sure that the Delete old signer check box is not selected.
      6. Click OK.
      7. Click Save to apply changes to the master configuration.
        Note: If the web browser alerts you that a certificate is revoked and a new certificate is available, click Yes to proceed. Follow instructions on the screen to accept any additional security prompts of the new security certificate.
  11. Export the personal certificate to the keystore, for example: <was_home>\profiles\<dmgr_profile_name>\etc\key.p12.
    1. In the Personal Certificates page, select the personal certificate check box. For example, default2.
    2. Click Export.
    3. In Key store password, enter the key store password. For example: WebAS.
      Note: The default key store password is documented in the WebSphere Application Server information center.
    4. Select Key store file.
    5. In Key store file, specify the key store location. For example: <was_home>\profiles\<dmgr_profile_name>\etc\key.p12
    6. For Type, verify that the default PKCS12 is selected.
    7. In Key file password, type the password. For example: WebAS.
    8. Click OK.
    You successfully exported the personal certificate and private key to a keystore.
  12. Use the IBM® Key Management utility, ikeyman, to add the extracted root CA to the deployment manager truststore.
    1. Start the ikeyman utility.

      You can locate the utility in the following location, for example: <was_home>\profiles\<dmgr_profile_name>\bin\ikeyman.bat

    2. Click Key Database File > Open.
    3. In Key database type, select PKCS12.
    4. Click Browse to locate the truststore. You can locate the truststore in <was_home>\profiles\<dmgr_profile_name>\etc\trust.p12.
    5. Type the truststore password. For example: WebAS.
    6. Add the root CA you extracted to the truststore.
      1. In Key database content area, select Signer Certificates.
      2. Click Add.
      3. Specify the location of the extracted root CA. For example: C:\root2048.cer.
      4. Specify a label for the extracted root CA in the truststore. For example: root2048_signer.
    The root CA is saved and added to the truststore.
  13. Verify that the certificates are upgraded.
    1. Log out of the administrator console and try logging in again.
    2. When you see the security prompt in the web browser, view the certificate details.
    3. Verify that the key size of the reissued certificate is 2048 bits.
  14. Restart the deployment manager.
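Step 13 verifies the new key size through the browser's certificate viewer. The root CA file extracted in step 9 (for example C:\root2048.cer, Base64-encoded ASCII) can also be checked from a script, which is useful when the change must be verified on several deployment managers or recorded for an audit. The following Python script is an added example and is not part of the IBM documentation or of WebSphere Application Server; it uses only the standard library and walks the DER structure of the certificate down to the RSA modulus to report its bit length. The sample certificate it builds when no file is given is a constructed, unsigned certificate shape with placeholder fields, used only so that the check can be run offline; the file path and the 2048-bit expectation are taken from this procedure.

```python
# Check the RSA key size of an extracted root CA certificate (step 9 output,
# e.g. C:\root2048.cer) using only the Python standard library.
# Added example; not IBM code and not part of WebSphere Application Server.
import base64
import re
import sys

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(der, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(der, start, end):
    """Return [(tag, value_start, value_end), ...] for the TLVs inside [start, end)."""
    out, pos = [], start
    while pos < end:
        tlv = _read_tlv(der, pos)
        out.append(tlv)
        pos = tlv[2]
    return out


def pem_to_der(text):
    """Decode the Base64-encoded ASCII (PEM) form that the console extracts in step 9."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def rsa_key_bits(der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey.modulus
    and return the modulus bit length. Raises ValueError for a non-RSA key."""
    _, cert_start, cert_end = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = _children(der, cert_start, cert_end)[0]
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, spki_end = fields[5]
    alg, bitstr = _children(der, spki_start, spki_end)[:2]
    alg_oid = _children(der, alg[1], alg[2])[0]
    if der[alg[1]:alg_oid[2]] != RSA_ENCRYPTION_OID:
        raise ValueError("subjectPublicKey is not an RSA key")
    # BIT STRING value: one 'unused bits' octet, then the DER RSAPublicKey SEQUENCE
    _, rsa_start, rsa_end = _read_tlv(der, bitstr[1] + 1)
    _, mod_start, mod_end = _children(der, rsa_start, rsa_end)[0]   # modulus INTEGER
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()


def check_certificate(data, expected_bits=2048):
    """data: PEM text (str or bytes) or raw DER. Returns (key_bits, meets_expectation)."""
    if isinstance(data, str):
        data = data.encode()
    der = pem_to_der(data.decode()) if b"-----BEGIN" in data else data
    bits = rsa_key_bits(der)
    return bits, bits >= expected_bits


# --- constructed sample input: a synthetic, unsigned certificate *shape*, not a real cert ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value


def _int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)   # DER INTEGER is signed


def make_sample_der(bits):
    """Build a minimal certificate-shaped DER whose RSA modulus has exactly `bits` bits.
    Names, validity and signature are placeholders; only the structure matters here."""
    rsa_public_key = _tlv(0x30, _int((1 << (bits - 1)) | 1) + _int(65537))
    alg_id = _tlv(0x30, RSA_ENCRYPTION_OID + _tlv(0x05, b""))
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_public_key))
    empty_name = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(1) + alg_id + empty_name
               + _tlv(0x30, b"") + empty_name + spki)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00"))


def to_pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. python check_key_size.py C:\root2048.cer
        with open(sys.argv[1], "rb") as f:
            bits, ok = check_certificate(f.read())
    else:                                   # no file given: run against the constructed sample
        bits, ok = check_certificate(to_pem(make_sample_der(2048)))
    print("RSA key size: %d bits -> %s" % (bits, "OK" if ok else "TOO SMALL"))
```

Run it against the extracted file after step 9 and again after the member nodes are federated; a result below 2048 bits on any node indicates that it still carries a certificate signed under the old root and must be handled as described in the introduction of this task.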

Results

You successfully upgraded the key size for the root CA and personal certificates to 2048 bit.

What to do next

Continue with the process of creating custom profiles for the rest of the member nodes of a cluster in WebSphere Application Server. See Creating and choosing profiles for network deployments.

You can update the Planning worksheet with the aliases you used for the root and default certificate aliases. You must specify the aliases in the IMS Configuration Wizard.
