Configuring CA certifications

The IBM® Counter Fraud Management (ICFM) base installation uses self-signed certificates in all the components. You can replace the self-signed certificates with trusted certificates.

About this task

Trusted certificates must be imported into the following ICFM components (at a minimum):

IBM HTTP Server – The ICFM application is accessed through this component.
MQTT Server – Client browsers send messages to ICFM application by connecting to an MQTT server.

Procedure

To replace the self-signed certificates:

Create a request for a personal certificate from IBM HTTP Server and ICFM application server keystores.
Submit certificate requests to a Certificate Authority (CA). In turn, the certificate authority issues trusted certificates by using the certificate requests.
Import Root and Intermediate Certificates into IBM HTTP Server, the WebSphere® plug-in, and ICFM application server keystores.
Create a request for a personal certificate from IBM HTTP Server keystore.
Submit certificate requests to a Certificate Authority (CA). In turn, the certificate authority issues trusted certificates by using the certificate requests.
Import the root and intermediate certificates into Data Import, IBM HTTP Server, the WebSphere plug-in, ICFM and ODM application server keystores.
Import trusted certificates into IBM HTTP Server, ICFM, and ICFM application server keystores. Then, restart IBM HTTP Server and the ICFM application servers.
Note: Unless you have a requirement to change the WebSphere Application Server certificates, it is sufficient to only change the IBM HTTP Server (IHS) certificate. The IHS certificate is the only certificate with which users of the ICFM web GUI interact .

Generating a CSR from the IBM HTTP Server keystore
A Certificate Signing Request (CSR) is an encrypted text that is generated on the server that the certificate is used on. It contains organization information such as your organization name, common name (domain name), locality, and country that is included in your certificate. Certificate Authority uses the CSR to generate a trusted certificate.
Importing the CA certificate into the IBM HTTP Server keystore
You must import the certificates that you received from Certificate Authority into the IBM HTTP Server keystore and set the trusted certificate as the default certificate in the keystore.
Importing the CA certificate into the WebSphere Application Server ICFM and Operational Decision Manager node keystore
Import the trusted, root, and intermediate certificates that you received from Certificate Authority into WebSphere Application Server.
Importing CA certificates into the Data Import keystore
Load any root and intermediate certificates that were provided by the Certificate Authority into the Data Import keystore file. This step is required for SSL communication to work between the Data Import tool and WebSphere Application Server ICFM node.
Replacing the existing certificate with the new CA certificate
You must now replace the existing certificate with the one that you just created. The replace certificate option not only replaces the old default certificate with a new one but also replaces any occurrences of the signer of the old certificate with the signer of the new certificate. The configuration is also checked for references to the alias name of the old certificate and replaces it with the alias name of the new certificate.
Restarting ICFM components
You must now restart all the ICFM components.

Parent topic: Security