r6 - 2020-02-27 - 06:09:18 - ShradhaSrivastav

Configure CA and Self-Signed Certificates in Liberty and IHS for ELM Applications

Authors: ShradhaSrivastav, BharathRao
Build basis: 6.0.1 to 6.0.6.1

Understanding SSL Certificates

All applications which run on HTTPS via the web require a Security Certificate, or Public Key Certificate. This is used to validate that the data is coming from a trusted source. The security certificate bundled with the Jazz Team Server and ELM applications is signed to localhost. As soon as the application is accessed with a URL other than localhost (for example, hostname or IP address), the browser will present the following errors:

  • The security certificate presented by this website was not issued by a trusted certificate authority.
  • The security certificate presented by this website was issued for a different website's address.
These errors occur because:
  • The security certificate was self-signed, meaning that the server being accessed created the certificate, and
  • The security certificate was created for localhost, and you are accessing the server using a different hostname, IP address or the appropriate Public URI.
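The two causes above can be checked mechanically. The following is an added example, not part of the original article or of any IBM tooling: it takes a certificate in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert() and reports which of the two browser errors apply for a given host. The sample certificate, the host name clm.example.com and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert(): a
# certificate issued to "localhost" by itself, like the bundled one described above.
BUNDLED_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}


def _ip(value):
    """Return an ip_address object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Compare DNS names; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(cert, accessed_as):
    """List which of the two browser errors apply for the host in the URL."""
    findings = []
    # Heuristic: issuer == subject means self-issued; it does not verify the signature.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("not issued by a trusted certificate authority (self-signed)")
    sans = cert.get("subjectAltName", ())
    ip = _ip(accessed_as)
    if ip is not None:
        ok = any(kind == "IP Address" and _ip(v) == ip for kind, v in sans)
    else:
        ok = any(kind == "DNS" and _dns_match(v, accessed_as) for kind, v in sans)
    if not ok:
        findings.append("issued for a different website's address")
    return findings


if __name__ == "__main__":
    for host in ("localhost", "clm.example.com", "192.0.2.10"):
        print(host, "->", diagnose(BUNDLED_CERT, host) or "no findings")
```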

In order to resolve these errors, you can:
  • Purchase a certificate from a well-known trusted Certificate Authority and install it.
  • If you do not need encryption, configure the server for HTTP rather than HTTPS access.
  • Configure the browser to ignore or accept this invalid certificate.

This article explains how to configure a CA certificate purchased from a well-known authority, or an internal CA certificate.

Using IKEYMAN (Graphical User Interface)

Create Keystore (Optional, if existing keystore is not used)

  1. Open ikeyman.exe, Key Database File -> New
  2. Select any Type
  3. Provide File name and path to the file


Update server.xml (Only for Liberty) to point to new key store (Optional, only if new keystore is created)

  1. Update server.xml located at JazzTeamServer\server\liberty\servers\clm to point to new database file, type and password
  2. If the type selected while creating the keystore is pk12, Type will be PKCS12; for jks, Type will be JKS
  3. Restart the server for changes to take effect


Create Self-Signed Certificate

  1. Open ikeyman (GUI) utility located at JazzTeamServer\server\jre\bin
  2. Key Database File -> Open -> Browse to the keystore file, enter the password to open the file
  3. Click Create -> New Self Signed Certificate and fill the required details
  4. Restart server for changes to take effect


Configure CA Certificate

  1. Generate certificate request
    1. Open the keystore database file using ikeyman
    2. Click Create -> New Certificate Request and fill in the necessary details
  2. Send the generated certificate request to the CA
  3. Receive the certificate and add it to the keystore
    1. Open the keystore database file using ikeyman
    2. Click Receive -> Browse to the certificate received


Using IKEYCMD CLI


Installation Paths for each component will be:

   For CLM Liberty use ikeycmd
           JazzTeamServerInstall\server\jre\bin
   IBM HTTP Server use gskcmd
          IHSinstall_root\bin
   

Create Keystore (Optional, if existing keystore is not used)

ikeycmd -keydb -create -db <filename>.kdb -pw <password> -type cms -expire <days> -stash <filename>.sth

Update server.xml (Only for Liberty) to point to new key store (Optional, only if new keystore is created)


Create Self-Signed certificate

ikeycmd -cert -create -db <keystore_file> -pw <password> -label <label>

Configure CA Certificate

  1. Generate certificate request
ikeycmd -certreq -create -db <keystore_file> -pw <password> -label <label>

  2. Send the generated certificate request to the CA
  3. Receive the certificate and add it to the keystore
ikeycmd -cert -receive -file <certificate_file> -db <keystore_file> [-pw password | -stashed] -format <ascii | binary> -default_cert <yes | no>

  4. Intermediate certificate
If the CA supplies a chain with intermediate certificates, add them to Signers in the keystore.

For Chrome: when an internal CA is used, Chrome still displays the certificate warning when accessing the application, because of a stringent security feature added by Chrome. To fix that, follow the steps at the link below:
https://www.techrepublic.com/article/how-to-resolve-ssl-certificate-warnings-produced-by-the-latest-chrome-update/

Additional contributors: ShradhaSrivastav, BharathRao
