SSL certificates WebSphere and their expiration dates

When installing Lotus Connections one of the tasks is to make a secure trust
between the WebSphere server and the IHS server. To do this you have to
configure SSL in such a way that the signer of the SSL certificate of the
WebSphere server is known by the IHS server.

You have to export the signer of the SSL cert of the WebSphere server and
then import this into the plugin-key.kdb file of the IHS server (WASplugin).

The SSL signer of the WebSphere server is standard valid for one year, after
the SSL cert experies the SSL connection will break. In case when using
Connections if this happens you will see a 500 error instead or your
Connections pages.

To prevent this you can monitor the expiration date of the SSL cert of the
WebSphere server. To do this login to the WAS admin console of the
Connection server.

Goto : SSL certificate and key management -> Manage certificate expiration

Disable these two options standing below, my experience is that this isn’t workiing
that good, and maybe I just want to control everything myself 🙂

Automatically replace expiring self-signed certificates
Delete expiring certificates and signers after replacement

Then goto

SSL certificate and key management > Manage certificate expiration > Notifications > MessageLog


E-mail sent to notification list

Configure a mail address to sent the notification to and a SMTP server to use.

If this all is configured you will receive a mail every number of days that you have
configured in Expiration notification threshold attribute on the previous page.

For this to take effect you don’t have to restart the WebSphere server.

If it is time to renew you WebSphere cert you could do it this way.

Shutdown the WebSphere server

Startup the ikeyman utility on the WebSphere server
/opt/IBM/WebSphere/AppServer/bin # ./

Open the key.p12 SSL file remove the one with the label of default under Personal
certificates, and create an new Self Signed Certificate with the same label of default.

Then choose the Extract certificate button, and save it as an ARM file. Then you can
choose to import it into the trust.p12 yourself or let WebSphere take care of this.
When you start WebSphere it will automaticaly see that the cert in
the key.p12 is not in the Signer Certificates list of the trust.p12 file and will add it self.

As a last step you have to import the exported ARM file into the Signer Certificates
list of the plugin-key.kdb SSL kdb file. Just grep your ikeyman and get it done, do
a restart of the IHS server for the changes to take affect directly and you are save again.

ps. Currently doing some work with Sametime Gateway 8.0.2 and the Hotfix 1 for OCS
integration. Sametime Gateway then requires WAS fixpack, looks like they
changed the expiration dates from one year to fifteen years.

More info

IBM WebSphere Developer Technical Journal: SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1

This entry was posted in lotus connections and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please leave these two fields as-is:

Protected by Invisible Defender. Showed 403 to 897,925 bad guys.