In WebSphere you have an SSL certificate expiration checker. This
mechanism monitors the expiration dates of all the SSL certificates
that are configured in WebSphere.
You can control how many days before a certificate expires WebSphere will
send a notification mail, and how frequently the check is performed.
Mail notification needs to be configured with an SMTP server and a recipient.
You also have the options “Automatically replace expiring self-signed certificates”
and “Delete expiring certificates and signers after replacement”.
But in a Connections setup these two options will not take away any manual
work. If you have a Connections configuration with an IHS web server in front, you
will always have to export the new SSL key and import it into the plugin-cfg.kdb file
of the WAS plugin on the IHS web server. If you don’t do this, the connection
between WebSphere and the IHS web server will no longer work.
Clients will be faced with 500 error pages when they try to visit Connections.
Everything described above works perfectly; the only thing that doesn’t function the
way you want is the sending of the notification mails.
The mails are sent whether a certificate is about to expire or not. With a notification
threshold of 30 days and a Connections setup with multiple JVM servers,
you will receive 11 mails about certificates that aren’t about to expire every
30 days :-).
The described behavior has been noted and is fixed in WAS version 220.127.116.11.
Check the technote.
If you don’t want to install a complete new fixpack, we also got
our hands on the ifix, which will not have as much impact on your
WAS install as a complete new fixpack.
We now just renew the WebSphere certificates to somewhere around the end
of 2020 and disable the SSL certificate check. This saves us from installing
a fixpack or ifix for every LC installation and keeping it up to date.
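
With the built-in check disabled, the expiration dates still have to be tracked somewhere else. The script below is an added example, not part of the original post and not WebSphere's own tooling: it assumes the certificates have been exported as PEM files into one directory (the directory, script name and function names are hypothetical) and, unlike the notification behavior described above, it produces output only for certificates that are actually inside the threshold.

```shell
#!/bin/sh
# Added example. Assumption: the WebSphere/IHS certificates were exported
# as PEM files into one directory; that directory is hypothetical.
# Usage: sh check-cert-expiry.sh /path/to/exported-certs [threshold_days]

# check_cert FILE DAYS
#   returns 0 if FILE is still valid DAYS days from now,
#   returns 1 (and prints "FILE<TAB>notAfter") if it expires before then,
#   returns 2 if FILE cannot be parsed as a PEM certificate.
check_cert() {
    cc_file=$1
    cc_days=$2
    cc_end=$(openssl x509 -noout -enddate -in "$cc_file" 2>/dev/null) || return 2
    if openssl x509 -noout -checkend "$((cc_days * 86400))" \
            -in "$cc_file" >/dev/null 2>&1; then
        return 0
    fi
    printf '%s\t%s\n' "$cc_file" "${cc_end#notAfter=}"
    return 1
}

# expiring_certs DIR DAYS
#   prints one line per certificate in DIR that expires within DAYS days;
#   prints nothing when every certificate is outside the threshold.
expiring_certs() {
    ec_dir=$1
    ec_days=$2
    for ec_file in "$ec_dir"/*.pem; do
        [ -e "$ec_file" ] || continue
        ec_rc=0
        check_cert "$ec_file" "$ec_days" || ec_rc=$?
        if [ "$ec_rc" -eq 2 ]; then
            echo "skipped, not a PEM certificate: $ec_file" >&2
        fi
    done
}

# Run from cron: silent (exit 0) unless something is inside the threshold.
if [ "$#" -ge 1 ]; then
    threshold=${2:-30}
    report=$(expiring_certs "$1" "$threshold")
    if [ -n "$report" ]; then
        printf 'Certificates expiring within %s days:\n%s\n' "$threshold" "$report"
        exit 1
    fi
fi
```
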
The default validity of WebSphere’s own SSL certificate
is one year, but my experience is that this can vary with every fixpack