When installing Lotus Connections one of the tasks is to make a secure trust
between the WebSphere server and the IHS server. To do this you have to
configure SSL in such a way that the signer of the SSL certificate of the
WebSphere server is known by the IHS server.
You have to export the signer of the SSL cert of the WebSphere server and
then import this into the plugin-key.kdb file of the IHS server (WASplugin).
The SSL signer of the WebSphere server is standard valid for one year, after
the SSL cert experies the SSL connection will break. In case when using
Connections if this happens you will see a 500 error instead or your
To prevent this you can monitor the expiration date of the SSL cert of the
WebSphere server. To do this login to the WAS admin console of the
Goto : SSL certificate and key management -> Manage certificate expiration
Disable these two options standing below, my experience is that this isn’t workiing
that good, and maybe I just want to control everything myself 🙂
Automatically replace expiring self-signed certificates
Delete expiring certificates and signers after replacement
SSL certificate and key management > Manage certificate expiration > Notifications > MessageLog
E-mail sent to notification list
Configure a mail address to sent the notification to and a SMTP server to use.
If this all is configured you will receive a mail every number of days that you have
configured in Expiration notification threshold attribute on the previous page.
For this to take effect you don’t have to restart the WebSphere server.
If it is time to renew you WebSphere cert you could do it this way.
Shutdown the WebSphere server
Startup the ikeyman utility on the WebSphere server
/opt/IBM/WebSphere/AppServer/bin # ./ikeyman.sh
Open the key.p12 SSL file remove the one with the label of default under Personal
certificates, and create an new Self Signed Certificate with the same label of default.
Then choose the Extract certificate button, and save it as an ARM file. Then you can
choose to import it into the trust.p12 yourself or let WebSphere take care of this.
When you start WebSphere it will automaticaly see that the cert in
the key.p12 is not in the Signer Certificates list of the trust.p12 file and will add it self.
As a last step you have to import the exported ARM file into the Signer Certificates
list of the plugin-key.kdb SSL kdb file. Just grep your ikeyman and get it done, do
a restart of the IHS server for the changes to take affect directly and you are save again.
ps. Currently doing some work with Sametime Gateway 8.0.2 and the Hotfix 1 for OCS
integration. Sametime Gateway then requires WAS fixpack 18.104.22.168, looks like they
changed the expiration dates from one year to fifteen years.