Configure CA and Self-Signed Certificates in Liberty or IHS for ELM Applications 7.0.3
Authors: ShradhaSrivastav Build basis: ELM 7.0.3
Page contents
- Understanding SSL Certificates
- keytool command
- Create a new keystore with self-signed Certificate (Optional, if existing keystore is not used)
- Encrypt the password for the new key store (Optional, only if new keystore is created)
- Update server.xml (Only for Liberty) to point to new key store (Optional, only if new keystore is created)
- To Configure A CA Certificate
- Using IKEYCMD CLI
ELM 703 is shipped with Java 11 which no longer ship Ikeyman utility to manage certificate and keystore using GUI.
This article will share sample commands that can be used in place of ikeyman to create or generate new keystore and manage CA certificates.
In order to resolve these errors, you can:
Generate certificate Request
Note:- The intermediate and root certificate should have different alias name, but the signed certificate should be imported with the same alias that was used while creating a certificate pair. After importing all three certificates you should see : "Certificate reply was installed in keystore" message.
Understanding SSL Certificates
All applications which run on HTTPS via the web require a Security Certificate, or Public Key Certificate. This is used to validate that the data is coming from a trusted source. The security certificate bundled with the Jazz Team Server and ELM applications is signed to localhost. As soon as the application is accessed with a URL other than localhost (for example, hostname or IP address), the browser will present the following errors:- The security certificate presented by this website was not issued by a trusted certificate authority.
- The security certificate presented by this website was issued for a different website's address.
- The security certificate was self-signed, meaning that the server being accessed created the certificate, and
- The security certificate was created for localhost, and you are accessing the server using a different hostname, IP address or the appropriate Public URI.
In order to resolve these errors, you can:
- Purchase a certificate from a well-known trusted Certificate Authority and install it.
- If you do not need encryption, configure the server for HTTP rather than HTTPS access.
- Configure the browser to ignore or accept this invalid certificate
keytool command
Create a new keystore with self-signed Certificate (Optional, if existing keystore is not used)
Open a command prompt in the same directory as Java keytool; alternatively, you may specify the full path of keytool in your command. Pay close attention to the alias you specify in this command as it will be needed later on.keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650
Encrypt the password for the new key store (Optional, only if new keystore is created)
https://www.ibm.com/support/pages/how-encrypt-passwords-elm-configuration-files
Update server.xml (Only for Liberty) to point to new key store (Optional, only if new keystore is created)
- Update server.xml located at JazzTeamServer\server\liberty\servers\clm to point to new database file, type and password
- If type Selected while creating keystore is pk12 Type will be PKCS12, for jks Type will be JKCS
- Restart the server for changes to take effect
To Configure A CA Certificate
Generate certificate Request
keytool –keystore keystore.p12 –certreq –alias default –keyalg RSA –file certreq.csr -storepass 123456
Send the certificate request generated to CA authority
Import/Receive Certificate and Add it to Keystore
- After the certificate is received from the authority we need to import these certificates into the keystore
- Import the Intermediate certificate first --> then the root certificate --> and then the signed or CA certificate
keytool -import -alias inter -file intermediate.cer -keystore keystore.p12 -storepass 123456 keytool -import -alias root -file root.cer -keystore ikeystore.p12 -storepass 123456 keytool -import -alias default -file signedcert.cer -keystore keystore.p12 -storepass 123456
Note:- The intermediate and root certificate should have different alias name, but the signed certificate should be imported with the same alias that was used while creating a certificate pair. After importing all three certificates you should see : "Certificate reply was installed in keystore" message.
Using IKEYCMD CLI
As IBM HTTP Server (IHS) still bundles Java 8, you can use ikeyman(GUI) or gskcmd (also known as iKeycmd) to manage certificate and keystores. For more please refer to ConfigureCACertificatesRelated topics: Deployment web home, Keytool Guide
External links:
Additional contributors: ShradhaSrivastav
Contributions are governed by our Terms of Use. Please read the following disclaimer.
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.