Web server plug-in default configuration in SSL

When you create a new web server definition, WebSphere® Application Server associates the web server plug-in with a Certificate Management Services (CMS) keystore for a specific node. The keystore contains all of the signers for the current cell with the self-signed or chained certificate, which belongs to the node. The plug-in can communicate securely to WebSphere Application Server, even when the plug-in is configured with Secure Sockets Layer (SSL) client authentication enabled.

When you set the web server definition to webserver1 on node myhostNode01, WebSphere Application Server creates the keystore configuration. The keystore is scoped to the webserver1 server, which makes it visible to this server only. Other processes cannot use this keystore definition.

[IBM i]The default password for the keystore is WebAS. You can change the default keystore password by using either the administrative console or the appropriate AdminTask command. Also, you can create only one CMSKeyStore entry for each management scope. If a CMS keystore already exists for scope (cell):myhostCell01:(node):myhostNode01:(server):webserver1, then you cannot create another CMSKeyStore entry. WebSphere Application Server uses the plug-in name to create a self-signed certificate, if a self-signed certificate does not already exist for that particular node. If a self-signed certificate already exists for the node, then the certificate is put into the CMS keystore and all the signers from the cell are added, by default.

[AIX Solaris HP-UX Linux Windows][z/OS]The following sample code from the security.xml file shows the configuration entries for the web server plug-in.
<keyStores xmi:id="KeyStore_1132357815719" name="CMSKeyStore"
    password="{xor}HRYNFAtrbxEwOzpvbhw6MzM=" provider="IBMCMSProvider"
    location="C:\WASX_e0540.11\AppServer\profiles\AppSrv01/config/cells/myhostCell01/nodes/myhostNode01/servers/webserver1/plugin-key.kdb"
    type="CMSKS" fileBased="true" createStashFileForCMS="true"
    managementScope="ManagementScope_1132357815718"/>
<managementScopes xmi:id="ManagementScope_1132357815718"
    scopeName="(cell):myhostCell01:(node):myhostNode01:(server):webserver1" scopeType="server"/>
[AIX Solaris HP-UX Linux Windows][z/OS]The following sample shows the paths of the CMS keystore (.kdb) and stash (.sth) files that are generated for the keystore entry in the security.xml file.
C:\WebSphere\AppServer\profiles\Dmgr01\config\cells\myhostCell01\nodes\myhostNode01\servers\webserver1\plugin-key.kdb
C:\WebSphere\AppServer\profiles\Dmgr01\config\cells\myhostCell01\nodes\myhostNode01\servers\webserver1\plugin-key.sth
The default password for the keystore is WebAS. You can change the default keystore password by using either the administrative console or the appropriate AdminTask command. The following sample code shows the AdminTask command that you can use to create this CMS keystore.
$AdminTask createCMSKeyStore /config/cells/myhostCell01/nodes/myhostNode01/servers/webserver1/plugin-key.kdb myhost.austin.ibm.com
Note the following characteristics of the previous example:
  • You can create only one CMSKeyStore entry for each management scope. If a CMS keystore already exists for scope (cell):myhostCell01:(node):myhostNode01:(server):webserver1, then you cannot create another CMSKeyStore entry.
  • The Uniform Resource Identifier (URI) for the keystore name is /config/cells/myhostCell01/nodes/myhostNode01/servers/webserver1/plugin-key.kdb.
  • The host name in the plug-in location is myhost.austin.ibm.com. WebSphere Application Server uses this name to create a chained certificate, if a chained certificate does not already exist for that particular node. If a chained certificate already exists for the node, then the certificate is put into the CMS keystore and all the signers from the cell are added, by default.
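The following script is an added example, not IBM code from this page or from WebSphere Application Server. It reads a security.xml fragment and checks the constraints described above: each CMSKeyStore entry must resolve to a management scope, there can be only one CMS keystore per scope, the scope must be a server-level (cell):...:(node):...:(server):... scope, the keystore location must sit under that server's own config directory, and a stash file must be requested. The sample XML reuses the two entries shown on this page, wrapped in a constructed security:Security root so that the fragment parses; the second, conflicting keystore entry is constructed to show the duplicate-scope finding.

```python
"""Audit CMSKeyStore entries in a WebSphere security.xml fragment (added example)."""
import re
import xml.etree.ElementTree as ET

XMI_ID = "{http://www.omg.org/XMI}id"

# Server-level scope name, as written in the managementScopes entry on the page.
SCOPE_RE = re.compile(r"^\(cell\):([^:]+):\(node\):([^:]+):\(server\):([^:]+)$")

# Constructed sample: the page's keyStores and managementScopes entries inside a
# minimal root element so the fragment is well-formed XML.
SAMPLE_SECURITY_XML = r"""<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <keyStores xmi:id="KeyStore_1132357815719" name="CMSKeyStore"
      password="{xor}HRYNFAtrbxEwOzpvbhw6MzM=" provider="IBMCMSProvider"
      location="C:\WASX_e0540.11\AppServer\profiles\AppSrv01/config/cells/myhostCell01/nodes/myhostNode01/servers/webserver1/plugin-key.kdb"
      type="CMSKS" fileBased="true" createStashFileForCMS="true"
      managementScope="ManagementScope_1132357815718"/>
  <managementScopes xmi:id="ManagementScope_1132357815718"
      scopeName="(cell):myhostCell01:(node):myhostNode01:(server):webserver1" scopeType="server"/>
</security:Security>
"""

# Constructed negative case: a second CMS keystore that reuses the same scope,
# points outside the server's config directory, and asks for no stash file.
DUPLICATE_SAMPLE = SAMPLE_SECURITY_XML.replace(
    "</security:Security>",
    '<keyStores xmi:id="KeyStore_duplicate" name="CMSKeyStore2" provider="IBMCMSProvider"\n'
    '      location="/tmp/other/plugin-key.kdb" type="CMSKS" fileBased="true"\n'
    '      createStashFileForCMS="false" managementScope="ManagementScope_1132357815718"/>\n'
    "</security:Security>",
)


def parse_cms_keystores(xml_text):
    """Return one dict per CMSKS keystore with its management scope name resolved."""
    root = ET.fromstring(xml_text)
    scopes = {ms.get(XMI_ID): ms.get("scopeName") for ms in root.iter("managementScopes")}
    entries = []
    for ks in root.iter("keyStores"):
        if ks.get("type") != "CMSKS":
            continue  # only CMS keystores are subject to the plug-in rules
        entries.append({
            "id": ks.get(XMI_ID),
            "name": ks.get("name"),
            "location": ks.get("location", ""),
            "stash": ks.get("createStashFileForCMS") == "true",
            "scope": scopes.get(ks.get("managementScope")),
        })
    return entries


def audit_cms_keystores(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    seen = {}  # scope name -> id of the first CMS keystore that claimed it
    for e in parse_cms_keystores(xml_text):
        scope = e["scope"]
        if scope is None:
            findings.append(f"{e['id']}: managementScope reference does not resolve")
            continue
        if scope in seen:
            findings.append(f"{e['id']}: second CMSKeyStore for scope {scope} (first is {seen[scope]})")
        seen.setdefault(scope, e["id"])
        m = SCOPE_RE.match(scope)
        if not m:
            findings.append(f"{e['id']}: scope {scope} is not a server-level scope")
            continue
        cell, node, server = m.groups()
        # The keystore must live under the scope's own server config directory.
        expected_tail = f"/config/cells/{cell}/nodes/{node}/servers/{server}/plugin-key.kdb"
        if not e["location"].replace("\\", "/").endswith(expected_tail):
            findings.append(f"{e['id']}: location {e['location']} is not under {expected_tail}")
        if not e["stash"]:
            findings.append(f"{e['id']}: createStashFileForCMS is not true, so no .sth file is generated")
    return findings


if __name__ == "__main__":
    for label, doc in (("page sample", SAMPLE_SECURITY_XML), ("duplicate sample", DUPLICATE_SAMPLE)):
        print(f"{label}: {audit_cms_keystores(doc) or ['ok']}")
```

Run it against a real security.xml by passing the file contents to audit_cms_keystores; the page's own entries produce no findings, while the constructed duplicate produces one finding for each violated rule.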

When additional nodes are federated, the signers for these nodes are not automatically added to each web server for the CMS keystore. For the web server plug-in to be able to communicate with a newly federated node, you must manually exchange signers with the CMSKeyStore keystore. Use the administrative console keystore certificate management function to exchange signers. For more information, see Adding the correct SSL Signer certificates to the plug-in keystore.