The WebSphere® Application Server root CA has a default 1024 bit key size. Change the root CA key size to 2048 bit on the deployment manager node before you create any federated nodes; a 2048 bit key offers an increased level of security.
About this task
This task is optional. It applies only to:
With this approach, you upgrade the root CA to a 2048 bit root certificate before you create member nodes on the cluster, so that you do not have to upgrade the certificate of each node individually.
After you create the deployment manager, complete these steps. The root CA certificate signs the default certificates in the key store; these certificates secure internal WebSphere Application Server communications.
Figure 1. Replacing the root CA and key signers for WebSphere Application Server in the truststore with a new key size.
The process involves the following steps:
- Replace the default 1024 bit root certificate with a new 2048 bit root certificate, then extract it. See step 1 to step 9.
- Create a 2048 bit chained personal certificate in the key store, replace the older version, and export the personal certificate to a keystore. See step 10 to step 11.
- Use the ikeyman utility to add the extracted root CA to the truststore. See step 12.
Procedure
- Select .
- Log on to the IBM Integrated Solutions Console.
- On the Integrated Solutions Console navigation pane, select .
- In Related items, click Key stores and certificates.
- Create a temporary self-signed root CA in the default root store. The temporary root certificate is used to replace the older root certificate, and is then itself replaced with the new 2048 bit root certificate.
  - From the Keystore usages list, select Root certificates keystore.
  - Click DmgrDefaultRootStore.
  - Under Additional Properties, click Personal certificates.
  - Click .
  - In Alias, enter a new alias name. For example: root2.
  - In the Common name field, enter the fully qualified domain name of the computer where WebSphere Application Server is installed. For example: ibm-svr1.example.com.
  - Click OK.
  - Click Save.
- Replace the old root CA with the temporary root CA, root2.
  - In the Personal Certificates page, select the check box for the older root certificate, root.
  - Click Replace.
  - From the Replace with list, choose the alias of the certificate you created.
  - Select Delete old certificate after replacement.
    Important: Be sure that the Delete old signer check box is not selected.
    See the WebSphere Application Server information center on replacing a certificate for details:
    http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_sslreplaceselfsigncert.html
  - Click OK.
  - Click Save to apply the changes to the master configuration.
- Create the 2048 bit root CA. This root certificate is the 2048 bit certificate that you retain.
  - Click .
  - In Alias, enter root.
    Important: You must specify the alias name as root for this 2048 bit certificate.
  - From the Key size list, select 2048.
  - In the Common name field, enter the fully qualified domain name of the computer where WebSphere Application Server is installed. For example: ibm-svr1.example.com.
  - In the Validity period field, enter the validity period of the certificate. A root certificate is typically used for 7300 days, which is approximately 20 years.
  - Optional: Complete the certificate with optional identification details.
  - Click OK.
  - Click Save.
- Replace the temporary root certificate with the new 2048 bit root that you retain.
  - In the Personal Certificates page, select the check box for the temporary root certificate, root2.
  - Click Replace.
  - From the Replace with list, choose the new 2048 bit root certificate you created, root.
  - Select Delete old certificate after replacement.
    Important: Be sure that the Delete old signer check box is not selected.
  - Click OK.
  - Click Save to apply the changes to the master configuration.
  You have now replaced the original 1024 bit root certificate with a new 2048 bit root certificate.
- Extract the new root CA to a file.
  - In the Personal Certificates page, select root.
  - Click Extract.
  - In Certificate file name, enter the fully qualified path of the file to extract the certificate to. For example: C:\root2048.cer
  - Verify that Data type is Base64-encoded ASCII data.
  - Click OK.
- Create a chained personal certificate in the default cell keystore, CellDefaultKeyStore.
  - In the Key stores and certificates page, click CellDefaultKeyStore.
  - In Additional Properties, click Personal certificates.
  - Click the default certificate. The distinguished name for the default certificate in the CellDefaultKeyStore must be in the following form: CN=<CN>,OU=<OU>,O=<Organization>,C=<Country>. For example: CN=ibmsvr1.example.com, OU=Root Certificate, OU=ibmsvr1Cell01, OU=ibmsvr1CellManager01, O=IBM, C=US.
  - Click Back.
  - Click .
  - In the Alias field, enter a new personal certificate alias. For example: default2.
  - In the Root certificate used to sign the certificate field, select the alias root. This is the new 2048 bit root certificate.
  - In the Key size field, select 2048.
  - In the Common name field, enter the fully qualified domain name of the computer where WebSphere Application Server is installed.
  - In the Validity period field, enter the validity period of the certificate. A typical default value for a personal certificate is 365 days.
  - Required: In the Organization field, specify the organization portion of the distinguished name.
  - Required: In the Country or region field, specify the country portion of the distinguished name.
  - Optional: Enter additional certificate identification information in the optional fields.
  - Click OK.
  - Click Save to apply the changes to the master configuration.
- Replace the old default personal certificate with the new one.
  - In the Personal Certificates page, select the default check box.
  - Click Replace.
  - From the Replace with list, choose the alias of the certificate you created. For example: default2.
  - Select Delete old certificate after replacement.
    Important: Be sure that the Delete old signer check box is not selected.
  - Click OK.
  - Click Save to apply the changes to the master configuration.
  Note: If the web browser alerts you that a certificate is revoked and a new certificate is available, click Yes to proceed. Follow the instructions on the screen to accept any additional security prompts for the new security certificate.
- Export the personal certificate to the keystore. For example: <was_home>\profiles\<dmgr_profile_name>\etc\key.p12.
  - In the Personal Certificates page, select the personal certificate check box. For example: default2.
  - Click Export.
  - In Key store password, enter the key store password. For example: WebAS.
    Note: The default key store password is documented in the WebSphere Application Server information center.
  - Select Key store file.
  - In Key store file, specify the key store location. For example: <was_home>\profiles\<dmgr_profile_name>\etc\key.p12
  - For Type, verify that the default PKCS12 is selected.
  - In Key file password, type the password. For example: WebAS.
  - Click OK.
  You have now exported the personal certificate and private key to a keystore.
- Use the IBM® Key Management utility, ikeyman, to add the extracted root CA to the deployment manager truststore.
  - Start the ikeyman utility. The utility is located at, for example: <was_home>\profiles\<dmgr_profile>\bin\ikeyman.bat
  - Click .
  - In Key database type, select PKCS12.
  - Click Browse to locate the truststore. The truststore is located at <was_home>\profiles\<Dmgr_profile>\etc\trust.p12.
  - Type the truststore password. For example: WebAS
  - Add the root CA you extracted to the truststore.
    - In the Key database content area, select Signer Certificates.
    - Click Add.
    - Specify the location of the extracted root CA. For example: C:\root2048.cer
    - Specify a label for the extracted root CA in the truststore. For example: root2048_signer
  The root CA is saved and added to the truststore.
- Verify that the certificates are upgraded.
  - Log out of the administrator console and log in again.
  - When you see the security prompt in the web browser, view the certificate details.
  - Verify that the key size of the reissued certificate is 2048 bits.
- Restart the deployment manager.
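As an added check that is not part of the original IBM procedure, the following Python script reads the root certificate extracted in step 9 (Base64-encoded ASCII, or raw DER) and reports the RSA modulus size using only the standard library, so the 2048 bit upgrade can be confirmed from the file itself rather than from the browser dialog. The file path C:\root2048.cer is the page's example; make_sample_cert() builds a constructed, unsigned certificate shell for offline testing and is not a real certificate.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092A864886F70D010101")  # DER TLV of OID 1.2.840.113549.1.1.1 (rsaEncryption)
def _read_tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def load_cert(data):  # accepts the extracted .cer as Base64-encoded ASCII (step 9) or raw DER
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def rsa_modulus_bits(cert_der):  # RSA modulus bit length of a DER certificate, or None if not RSA
    _, pos, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                 # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(cert_der, pos)
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, pos, _ = _read_tlv(cert_der, pos)      # subjectPublicKeyInfo SEQUENCE
    _, alg_start, alg_end = _read_tlv(cert_der, pos)    # AlgorithmIdentifier
    if RSA_OID not in cert_der[alg_start:alg_end]:
        return None
    _, bs_start, bs_end = _read_tlv(cert_der, alg_end)  # subjectPublicKey BIT STRING
    key = cert_der[bs_start + 1:bs_end]       # drop the unused-bits byte
    _, pos, _ = _read_tlv(key, 0)             # RSAPublicKey SEQUENCE
    _, m_start, m_end = _read_tlv(key, pos)   # modulus INTEGER
    return int.from_bytes(key[m_start:m_end], "big").bit_length()

def key_size_ok(cert_bytes, minimum=2048):  # True when the RSA key is at least `minimum` bits
    bits = rsa_modulus_bits(load_cert(cert_bytes))
    return bits is not None and bits >= minimum
# Constructed sample input for offline testing: an unsigned certificate shell, not a real certificate.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    nb = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + len(body).to_bytes(nb, "big") + body
def _der_int(v):  # positive INTEGER; the +8 keeps a leading 0x00 byte when the high bit is set
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def make_sample_cert(bits):
    key = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))   # RSAPublicKey
    alg = _der(0x30, RSA_OID + _der(0x05, b""))                           # rsaEncryption, NULL params
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    empty = _der(0x30, b"")                                               # stands in for Name and Validity
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + empty + empty + empty + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                    # empty signature
```

Pass the bytes of C:\root2048.cer (or of any certificate extracted from a WebSphere keystore) to key_size_ok(); a result of False means a 1024 bit certificate is still in place.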
Results
You successfully upgraded the key size for the root CA and personal certificates to 2048 bit.
What to do next
Continue with the process of creating custom profiles for the rest of the member nodes of a cluster in WebSphere Application Server. See Creating and choosing profiles for network deployments.
Record the aliases you used for the root and default certificates in the Planning worksheet; you must specify these aliases in the IMS Configuration Wizard.