Switching default Copy Services Manager graphical user interface(GUI) HTTPS certificates: Automated process

Edit online

You can switch the default Copy Services Manager GUI certificates that are supplied by Copy Services Manager. With this automated process, you can switch default certificates by uploading the HTTPS truststore file from the GUI.

About this task

The automated process switches out the default HTTPS truststore file. The default truststore file is:
  • wlp/usr/servers/csmServer/resources/security/key.jks
This file is at these locations.
  • path_prefix/opt/IBM/CSM/ for z/OS®
  • install dir/liberty/ for distributed systems

To switch out the default Copy Services Manager GUI HTTPS certificates by using the automated process from Copy Services Manager GUI, complete the following steps.

Restriction: You cannot follow this procedure to switch out the default HTTPS certificates when Copy Services Manager is installed on the DS8000® Hardware Management Console (HMC). To switch out the default HTTPS certificates when Copy Services Manager is installed on the DS8000 Hardware Management Console (HMC), see the topic titled Communications Certificate in the latest version of DS8900 documentation.

Procedure

  1. Navigate to the Copy Services Manager GUI as a user with administrator privileges.
  2. Click Settings > Advanced Tools.
  3. Scroll to the Import custom Truststore for HTTPS connections to the server section and click Import Truststore.
    The Import Truststore window is displayed.
  4. Click Choose a Truststore to import and select the truststore file that you want to upload.
  5. Optional: If the truststore file is password-protected, type the password in Truststore password (optional) box.
  6. Click Use uploaded Truststore.
    A confirmation message that a restart of the server is required for the truststore file to take effect, is displayed.
  7. Click OK.

Results

When the server is restarted, HTTPS communication uses the new truststore file.

If the GUI does not load after this procedure, it can be due to issues in loading the new keystore. To resolve the issue, review the messages log, which is available at the following path.

<CSM Installation Directory>/liberty/wlp/usr/servers/csmServer/logs/messages.log

Look for a message about the truststore file. All errors that are related to the new truststore file, must be resolved to be able to access the GUI.

A backup of the Copy Services Manager configuration is taken before the new truststore is implemented. The original truststore is also backed up to the file system with the extension .bak appended. You can revert the uploaded truststore and restore the original truststore. To restore the original truststore, remove the newly created truststore and rename the .bak file to its original name. If you are switching between a P12 and JKS file format, a backup .bak file is not created for the previous file type. If you would like to restore to the old file, change the bootstrap.property to point to the previous file and set the correct password. Clear text is the acceptable format and it is converted to a hash algorithm upon restart of the server or if a new truststore is uploaded.
Note: For more information , see Restoring the Copy Services Manager database.