Configure CA and Self-Signed Certificates in Liberty or IHS for ELM Applications 7.0.3

Authors: ShradhaSrivastav
Build basis: ELM 7.0.3

ELM 7.0.3 ships with Java 11, which no longer includes the iKeyman utility for managing certificates and keystores through a GUI.

This article provides sample keytool commands that can be used in place of iKeyman to create a new keystore and to manage CA certificates.

Understanding SSL Certificates

All applications served over HTTPS require a security certificate (public key certificate). The browser uses it to verify that the data is coming from a trusted source. The security certificate bundled with the Jazz Team Server and the ELM applications is issued for localhost. As soon as the application is accessed with a URL other than localhost (for example, a hostname or IP address), the browser presents the following errors:

  • The security certificate presented by this website was not issued by a trusted certificate authority.
  • The security certificate presented by this website was issued for a different website's address.
These errors occur because:
  • The security certificate was self-signed, meaning that the server being accessed created the certificate, and
  • The security certificate was created for localhost, and you are accessing the server using a different hostname, IP address or the appropriate Public URI.

In order to resolve these errors, you can:
  • Purchase a certificate from a well-known trusted Certificate Authority and install it.
  • If you do not need encryption, configure the server for HTTP rather than HTTPS access.
  • Configure the browser to ignore or accept this invalid certificate.

This article describes how to configure a CA certificate, whether purchased from a well-known Certificate Authority or issued by an internal CA.

keytool command

Create a new keystore with a self-signed certificate (optional, only if an existing keystore is not reused)

Open a command prompt in the same directory as the Java keytool binary; alternatively, specify the full path to keytool in the command. Pay close attention to the alias you specify in this command, as it will be needed later on.

keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650 -dname CN=elm7031,DC=fyre,DC=ibm,DC=com


Encrypt the password for the new keystore (optional, only if a new keystore is created)

https://www.ibm.com/support/pages/how-encrypt-passwords-elm-configuration-files


Update server.xml (Liberty only) to point to the new keystore (optional, only if a new keystore is created)

  1. Update server.xml, located at JazzTeamServer\server\liberty\servers\clm, to point to the new keystore file, type and password.
  2. If the store type chosen when creating the keystore was PKCS12 (.p12), set the type to PKCS12; for a JKS keystore, set it to JKS.
  3. Restart the server for the changes to take effect.


To Configure a CA Certificate

Generate a certificate request

keytool -keystore keystore.p12 -certreq -alias default -file certreq.csr -storepass 123456

Send the generated certificate request to the CA.

Import/Receive Certificate and Add it to Keystore

  1. After the certificates are received from the authority, import them into the keystore.
  2. Import the intermediate certificate first, then the root certificate, and then the signed (CA-issued) certificate:
keytool -import -alias inter -file intermediate.cer -keystore keystore.p12 -storepass 123456
keytool -import -alias root -file root.cer -keystore keystore.p12 -storepass 123456
keytool -import -alias default -file signedcert.cer -keystore keystore.p12 -storepass 123456


Note: the intermediate and root certificates must each be imported under an alias of their own, while the signed certificate must be imported under the same alias that was used when the key pair was created. After importing all three certificates you should see the message "Certificate reply was installed in keystore".
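The flow above (create keystore, generate CSR, import intermediate, root and signed certificate), rehearsed end to end against a constructed two-tier test CA so that the import order and the alias rule can be checked offline before a real keystore is touched. This is an added example, not part of the original article; it assumes keytool (Java 11 or later) is on the PATH, and the file names, the password "changeit" and the test CA names are constructed for the example.

```shell
# Added example (not from the original article): rehearse the keytool flow end to
# end against a throwaway two-tier test CA, so import order and the alias rule can
# be checked offline. Assumed: keytool (Java 11+) on PATH; file names, password
# "changeit" and CA names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"; PASS=changeit
KS="$WORK/keystore.p12"   # the Liberty keystore being built
CA="$WORK/testca.p12"     # stand-in for the external CA

# Throwaway root + intermediate CA (plays the role of the real CA here).
build_test_ca() {
  keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -storetype PKCS12 \
    -keystore "$CA" -storepass "$PASS" -validity 30 -dname "CN=Test Root CA" -ext bc:c
  keytool -genkeypair -alias inter -keyalg RSA -keysize 2048 -storetype PKCS12 \
    -keystore "$CA" -storepass "$PASS" -validity 30 -dname "CN=Test Intermediate CA"
  keytool -certreq -alias inter -keystore "$CA" -storepass "$PASS" -file "$WORK/inter.csr"
  keytool -gencert -alias root -keystore "$CA" -storepass "$PASS" -validity 30 -ext bc:c \
    -infile "$WORK/inter.csr" -outfile "$WORK/inter.cer" -rfc
  keytool -importcert -alias inter -keystore "$CA" -storepass "$PASS" -file "$WORK/inter.cer" -noprompt
  keytool -exportcert -alias root -keystore "$CA" -storepass "$PASS" -file "$WORK/root.cer" -rfc
}
# Step 1 (article): new keystore with the server key pair under alias "default".
create_keystore() {
  keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -storetype PKCS12 \
    -keystore "$KS" -storepass "$PASS" -validity 3650 -dname "CN=elm7031,DC=fyre,DC=ibm,DC=com"
}
# Step 2 (article): CSR for that same alias; this is the file sent to the CA.
create_csr() {
  keytool -certreq -alias default -keystore "$KS" -storepass "$PASS" -file "$WORK/certreq.csr"
}
# The CA's side: sign the CSR with the intermediate key.
sign_csr() {
  keytool -gencert -alias inter -keystore "$CA" -storepass "$PASS" -validity 365 -ext eku=serverAuth \
    -infile "$WORK/certreq.csr" -outfile "$WORK/signedcert.cer" -rfc
}
# Step 3 (article): intermediate, then root, each under its own alias; the signed cert
# LAST under the key pair's alias, so keytool treats it as a reply and validates it
# against the chain already present in the keystore.
import_chain() {
  keytool -importcert -alias inter -keystore "$KS" -storepass "$PASS" -file "$WORK/inter.cer" -noprompt
  keytool -importcert -alias root -keystore "$KS" -storepass "$PASS" -file "$WORK/root.cer" -noprompt
  keytool -importcert -alias default -keystore "$KS" -storepass "$PASS" -file "$WORK/signedcert.cer" -noprompt
}
# Chain length behind "default": 1 while self-signed, 3 once the reply is installed.
chain_length() {
  keytool -list -v -alias default -keystore "$KS" -storepass "$PASS" | sed -n 's/^Certificate chain length: //p'
}
if [ "${1:-}" = "run" ]; then
  build_test_ca; create_keystore; create_csr; sign_csr; import_chain
  echo "chain length after import: $(chain_length)"
fi
```

Run it as `sh keytool_rehearsal.sh run`; the last import prints "Certificate reply was installed in keystore" and the chain length goes from 1 to 3, which is the state a correctly configured Liberty keystore should show.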

Using IKEYCMD CLI

Because IBM HTTP Server (IHS) still bundles Java 8, you can use iKeyman (GUI) or gskcmd (also known as iKeycmd) to manage certificates and keystores.

For more details, refer to ConfigureCACertificates.

Related topics: Deployment web home, Keytool Guide

Additional contributors: ShradhaSrivastav

History: r5 - 2023-12-11 - 10:16:59 - ShradhaSrivastav