Importing the CA certificate into the WebSphere Application Server ICFM and Operational Decision Manager node keystore

Import the trusted, root, and intermediate certificates that you received from the Certificate Authority into WebSphere® Application Server.

Procedure

  1. Upload the CA certificate file to the /opt/IBM/HTTPServer/cert directory.
  2. To stop the Deployment Manager, run the following commands as the wasmgr user on the Core server:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/bin
    ./stopManager.sh -user was_admin_id -password was_admin_password
  3. Any truststore that is used to validate the signatures of certificates obtained from this certificate authority must have these signer certificates installed. To import the signer certificates (from root to intermediate), run the following command for your environment:

    For a three-server environment, run the following command on the Analytics server:
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -export -db /opt/IBM/cert_files/key.kdb -pw db_password -label label_name -type kdb -target key.p12 -target_pw WebAS -target_type p12
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/ICFMNode
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -export -db /opt/IBM/cert_files/key.kdb -pw password -label "icfmdev109ihs" -type kdb -target key.p12 -target_pw WebAS -target_type p12
    To verify whether the certificate was exported successfully, run the following command for a three-server environment:
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -type p12 -db key.p12 -pw WebAS
    For a single-server environment, run the following command on the ICFM server:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -export -db /opt/IBM/HTTPServer/cert/key.kdb -pw db_password -label label_name -type kdb -target key.p12 -target_pw WebAS -target_type p12
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/ICFMNode
    /opt/IBM/HTTPServer/bin/gskcmd -cert -export -db /opt/IBM/HTTPServer/cert/key.kdb -pw password -label "icfmdev109ihs" -type kdb -target key.p12 -target_pw WebAS -target_type p12
    To verify whether the certificate was exported successfully, run the following command for a single-server environment:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -list -type p12 -db key.p12 -pw WebAS
  4. Import the signer certificates (root and intermediate) into the WebSphere Application Server plug-in keystore for CoreWebServer. Run the following command for each of the root and intermediate certificates as appropriate for your environment.
    For a three-server environment, run the following command on the Core server. For a single-server environment, run the following command on the ICFM server.
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type cms -db plugin-key.kdb -pw WebAS -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/Plugins/config/CoreWebServer
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type cms -db plugin-key.kdb -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
  5. Import the signer certificates (root and intermediate) into the WebSphere Application Server plug-in keystore for CoreWebServer under WebSphere Application Server Deployment Manager. Run the following command for each of the root and intermediate certificates as appropriate for your environment.
    For a three-server environment, run the following command on the Analytics server.
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -type cms -db plugin-key.kdb -pw WebAS -label label_name -trust enable -file /opt/IBM/cert_files/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/CoreWebNode/servers/CoreWebServer
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -type cms -db plugin-key.kdb -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/cert_files/carootcert.der
    For a single-server environment, run the following command on the ICFM server:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type cms -db plugin-key.kdb -pw WebAS -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/CoreWebNode/servers/CoreWebServer
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type cms -db plugin-key.kdb -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
  6. Import the signer certificates (root and intermediate) into the WebSphere Application Server Cell trust store. Run the following command for each of the root and intermediate certificates as appropriate for your environment.
    For a three-server environment, run the following command on the Analytics server:
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -type p12 -db trust.p12 -pw WebAS -label label_name -trust enable -file /opt/IBM/cert_files/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -type p12 -db trust.p12 -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/cert_files/carootcert.der
    For a single-server environment, run the following command on the ICFM server:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type p12 -db trust.p12 -pw WebAS -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type p12 -db trust.p12 -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
  7. Import the signer certificates (root and intermediate) into the WebSphere Application Server Deployment Manager profile trust store. Run the following command for each of the root and intermediate certificates.
    For a three-server environment, run the following command on the Analytics server:
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -type p12 -db trust.p12 -pw WebAS -label label_name -trust enable -file /opt/IBM/cert_files/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/etc
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -add -type p12 -db trust.p12 -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/cert_files/carootcert.der
    For a single-server environment, run the following command on the ICFM server:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type p12 -db trust.p12 -pw WebAS -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/etc
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type p12 -db trust.p12 -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
  8. Import the signer certificate (only root) into the ICFM WebSphere Application Server trust database, which is located in the ICFM WebSphere Application Server profile etc directory. Run the following command as root.
    For a three-server environment, run the following command on the Core server. For a single-server environment, run the following command on the ICFM server.
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type p12 -db trust.p12 -pw WebAS -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/ICFMProfile/etc
    /opt/IBM/HTTPServer/bin/gskcmd -cert -add -type p12 -db trust.p12 -pw WebAS -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
  9. Import the server and signer certificates (from root to intermediate) into the ODM WebSphere Application Server keystore.
    For a three-server environment, run the following command on the Analytics server:
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -export -db /opt/IBM/cert_files/key.kdb -pw db_password -label label_name -type kdb -target key.p12 -target_pw WebAS -target_type p12
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/ODMNode
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -export -db /opt/IBM/cert_files/key.kdb -pw password -label "icfmdev109ihs" -type kdb -target key.p12 -target_pw WebAS -target_type p12
    To verify whether the certificates were imported successfully, run the following command:
    /opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -type p12 -db key.p12 -pw WebAS
    For a single-server environment, run the following command on the ICFM server:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -export -db /opt/IBM/HTTPServer/cert/key.kdb -pw db_password -label label_name -type kdb -target key.p12 -target_pw WebAS -target_type p12
    For example, run the following commands:
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/ODMNode
    /opt/IBM/HTTPServer/bin/gskcmd -cert -export -db /opt/IBM/HTTPServer/cert/key.kdb -pw password -label "icfmdev109ihs" -type kdb -target key.p12 -target_pw WebAS -target_type p12
    To verify whether the certificates were imported successfully, run the following command:
    /opt/IBM/HTTPServer/bin/gskcmd -cert -list -type p12 -db key.p12 -pw WebAS
  10. Import the signer certificates into the WebSphere Application Server Java security keystore. Run the following command for each of the root and intermediate certificates.
    For a three-server environment, run the following command on the Core server:
    /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -pw changeit -type JKS -format ASCII -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following command:
    /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -pw changeit -type JKS -format ASCII -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
    Then, for a three-server environment, run the following command on the Analytics server:
    /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -pw changeit -type JKS -format ASCII -label label_name -trust enable -file /opt/IBM/cert_files/signer_cert_filename
    For example, run the following command:
    /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -pw changeit -type JKS -format ASCII -label "carootcert" -trust enable -file /opt/IBM/cert_files/carootcert.der
    For a single-server environment, run the following command on the ICFM server:
    /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -pw changeit -type JKS -format ASCII -label label_name -trust enable -file /opt/IBM/HTTPServer/cert/signer_cert_filename
    For example, run the following command:
    /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts -pw changeit -type JKS -format ASCII -label "carootcert" -trust enable -file /opt/IBM/HTTPServer/cert/carootcert.der
  11. To start the Deployment Manager, run the following commands as the wasmgr user on the ICFM server (Analytics server for a three-server environment):
    cd /opt/IBM/WebSphere/AppServer/profiles/DMProfile/bin
    ./startManager.sh
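A post-import check, added here as an example and not part of the IBM procedure: it lists each keystore that steps 4 to 10 write in a single-server environment with gskcmd and reports any signer label that is absent, so a missed keystore shows up before the Deployment Manager is restarted. GSK_CMD, SIGNER_LABELS and the intermediate label caintermediatecert are assumptions, and the two listing styles the parser accepts are constructed samples of GSKit output, not captured from a real system.

```shell
#!/bin/sh
# Added example: verify that every keystore from the procedure holds the signer
# labels. GSK_CMD and SIGNER_LABELS are assumptions; adjust to your environment.
GSK_CMD=${GSK_CMD:-/opt/IBM/HTTPServer/bin/gskcmd}
SIGNER_LABELS=${SIGNER_LABELS:-"carootcert caintermediatecert"}

# Print the labels from "-cert -list" output on stdin, one per line. Accepts the
# plain "Certificates in database ..." listing and the legend form (assumed
# formats): header lines are skipped, legend markers and quotes are stripped.
list_labels() {
    awk '/^Certificates/ || /^\*[ \t]*default/ || /^[ \t]*$/ { next }
         { sub(/^[ \t*!#-]+/, ""); gsub(/"/, ""); sub(/[ \t\r]+$/, ""); print }'
}

# Print each label of "$1" (space separated) absent from the listing on stdin;
# return 1 if any is missing.
missing_labels() {
    found=$(list_labels); rc=0
    for want in $1; do
        printf '%s\n' "$found" | grep -qxF -- "$want" || { echo "$want"; rc=1; }
    done
    return $rc
}

# List one keystore with gskcmd and report what it lacks.
check_keystore() {   # usage: check_keystore type db password "label ..."
    if missing=$("$GSK_CMD" -cert -list -type "$1" -db "$2" -pw "$3" | missing_labels "$4"); then
        echo "OK       $2"
    else
        echo "MISSING  $2: $missing"; return 1
    fi
}

# Keystores of the single-server procedure above (paths and passwords as given
# there); step 8 takes the root certificate only, so that entry lists just it.
verify_keystores() {
    rc=0
    while read -r type db pw labels; do
        check_keystore "$type" "$db" "$pw" "$labels" || rc=1
    done <<EOF
cms /opt/IBM/WebSphere/Plugins/config/CoreWebServer/plugin-key.kdb WebAS $SIGNER_LABELS
cms /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/nodes/CoreWebNode/servers/CoreWebServer/plugin-key.kdb WebAS $SIGNER_LABELS
p12 /opt/IBM/WebSphere/AppServer/profiles/DMProfile/config/cells/CoreCell/trust.p12 WebAS $SIGNER_LABELS
p12 /opt/IBM/WebSphere/AppServer/profiles/DMProfile/etc/trust.p12 WebAS $SIGNER_LABELS
p12 /opt/IBM/WebSphere/AppServer/profiles/ICFMProfile/etc/trust.p12 WebAS carootcert
JKS /opt/IBM/WebSphere/AppServer/java_1.8_64/jre/lib/security/cacerts changeit $SIGNER_LABELS
EOF
    return $rc
}

if [ "${1:-}" = "--run" ]; then verify_keystores; fi
```

Saved as, say, verify_signers.sh (a hypothetical name) and run with `--run` as the wasmgr user after step 10, it prints one OK or MISSING line per keystore and exits non-zero if any label is absent; without the argument it only defines the functions.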