Switching default Copy Services Manager graphical user interface (GUI) HTTPS certificates: Manual Process

You can switch the default Copy Services Manager GUI certificates that are supplied by Copy Services Manager.

About this task

To switch out the default Copy Services Manager GUI HTTPS certificates, you need to change the keystore file that is used by the csmServer application server that is running under WebSphere Liberty. The default keystore file is:

  • wlp/usr/servers/csmServer/resources/security/key.jks

This file is at these locations.

  • path_prefix/opt/IBM/CSM/ for z/OS®
  • install dir/liberty/ for distributed systems

You can create new versions of this file by using iKeyman, which is distributed with the Copy Services Manager version of Java™.

Note:
  • You can locate the iKeyman tool at install dir/liberty/wlp/IBM/Java/jre/bin/ikeyman (or ikeyman.exe on Windows systems).
  • The iKeyman tool is not available on z/OS. Therefore, you must first complete this procedure on a distributed system, and then upload the changes to the z/OS server. The JKS files need to be uploaded to z/OS UNIX System Services in a binary format.
  • On z/OS, you can use the command-line based tool ikeycmd located in path_prefix/opt/IBM/CSM/Java/bin to create and manage key files and certificates. However, the commands are not described here in detail. For more information, run ikeycmd -help.
Restriction: You cannot follow this procedure to switch out the default https certificates when Copy Services Manager is installed on the DS8000® Hardware Management Console (HMC).

When you switch default Copy Services Manager certificates, you can use a shared custom certificate for all your Copy Services Manager servers (Active and Standby server), or have dedicated certificates for each Copy Services Manager server.

You can also encrypt the keystore passwords to avoid specifying plain text passwords in property files. Use the securityUtility script to encode a password. The tool is at these locations.
  • path_prefix/opt/IBM/CSM/wlp/bin/ for z/OS®
  • install dir/liberty/wlp/bin/ for distributed systems
Usage example:
wlp/bin> securityUtility encode --encoding=xor passw0rd
{xor}Lz4sLChvLTs=

Encoding options:
--encoding={xor|aes|hash}
    Specify how to encode the password. Supported encodings are xor, aes,
    and hash. The default encoding is xor.
Note: Copy Services Manager currently supports encrypted passwords for the HTTPS keystore only by XOR encoding.
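The {xor} encoding that securityUtility produces, reproduced in Python as an added example (not IBM's tool) so that a value in bootstrap.properties can be checked against the documented sample. Because the encoding is a fixed XOR followed by base64, it only keeps the password out of plain view; restrict read access to bootstrap.properties accordingly.

```python
import base64

XOR_KEY = 0x5F  # Liberty's {xor} encoding XORs every byte with '_' (0x5F)


def liberty_xor_encode(password: str) -> str:
    """Reproduce 'securityUtility encode --encoding=xor' for an ASCII password."""
    masked = bytes(b ^ XOR_KEY for b in password.encode("ascii"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def liberty_xor_decode(encoded: str) -> str:
    """Round-trip check. The encoding is reversible by anyone who can read the
    file, so the value is obscured, not protected: file permissions still matter."""
    if not encoded.startswith("{xor}"):
        raise ValueError("value is not {xor}-encoded")
    masked = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in masked).decode("ascii")


def matches_documented_sample() -> bool:
    """Compare with the sample the page gives: passw0rd -> {xor}Lz4sLChvLTs="""
    return liberty_xor_encode("passw0rd") == "{xor}Lz4sLChvLTs="


if __name__ == "__main__":
    print(liberty_xor_encode("passw0rd"))  # {xor}Lz4sLChvLTs=
    print(matches_documented_sample())     # True
```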

Procedure

Follow these steps to switch out the default certificates that are assigned by Copy Services Manager. The example uses different keystore file names to clearly differentiate the configuration from default keystores and certificates. It also prevents you from overwriting the original files.

  1. Back up the original versions of the key.jks files to a new directory.
  2. In iKeyman, select Key Database File > New to create a new keystore file, for example, myCsmKeyStore.jks file, and provide a password for it.
    Note: If you use the default file name key.jks, save the new file to a different location from the existing version of the file so that you do not overwrite it.
  3. In iKeyman, select Key database content > Personal Certificates > New Self-Signed to generate a new self-signed certificate. Alternatively, import a signed certificate by selecting Import.
    1. Assign a label to the self-signed certificate. For example, you can select a label such as csm-<servername> to indicate that the label is different from the default.
    2. Enter a key size of at least 2048 for a new self-signed certificate.
    3. Change the default algorithm to a more secure signature algorithm. By default, the iKeyman tool suggests an SHA-1 signing algorithm and a one-year expiration. Change the signature algorithm to SHA256WithRSA and set a longer expiration period.
  4. Optional: If you want dedicated (self) signed server certificates for each Copy Services Manager server, repeat step 3 to create another keystore file with another (self) signed certificate. For dedicated (self) signed server certificates, include the server name in the keystore file names as well, for example, myCsmKeyStore<ServerName>.jks
  5. Edit the bootstrap.properties file to point the server to use the new keystore file that contains the SSL certificate. In the bootstrap.properties file for the csmServer application, you can define the HTTPS keystore that is used by browser connections to the Copy Services Manager server GUI. The bootstrap.properties file is at these locations.
    • path_prefix/opt/IBM/CSM/wlp/usr/servers/csmServer/ for z/OS
    • install dir/liberty/wlp/usr/servers/csmServer/ for distributed systems

    If you do not specify a full path name for keystore_location, you can copy the myCsmKeyStore<ServerName>.jks file to the default folders. This ensures that the file is automatically picked up with a Copy Services Manager server backup when the backup is created with Copy Services Manager 6.2.9 or higher. These are the default folders for the keystore file.

    • path_prefix/opt/IBM/CSM/wlp/usr/servers/csmServer/resources/security for z/OS
    • install dir/liberty/wlp/usr/servers/csmServer/resources/security for distributed systems

    A keystore_location without a path is resolved relative to that default folder, so when you copy the keystore file there you need to specify only the file name. The following example shows how to specify the copied keystore file located in csmServer/resources/security.

    #relative to csmServer/resources/security
    keystore_location=myCsmKeyStore<ServerName>.jks
    keystore_password=<assigned password>
    Note: In the bootstrap.properties file, when you enter the value for keystore_location, use a slash '/' as the path separator. When you use a backslash, you must write two backslashes together, such as '\\'. A single backslash can cause the file not to be found, and the Copy Services Manager server might even fail to start.

    If you do not define a keystore_location, the server uses the key.jks file in the resources/security directory when the Copy Services Manager server is started.

    If the specified keystore file is not found when the Copy Services Manager server starts, a default file is created to serve browser connection requests to the Copy Services Manager GUI. This file has a certificate with an expiration of 1 year.

    The password that is defined in keystore_password is exclusive OR (XOR) encoded with the securityUtility, as described above.

    For more information, see the bootstrap.properties file.

  6. Restart the Copy Services Manager server for the changes to take effect. Check the csmServer messages.log file to verify that the bootstrap.properties configuration changes were successful and that the correct keystore and certificate are used. The csmServer messages.log file is at these locations.
    • path_prefix/opt/IBM/CSM/wlp/usr/servers/csmServer/logs for z/OS
    • install dir/liberty/wlp/usr/servers/csmServer/logs for distributed systems
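As an added example (not IBM code), this Python check reads a bootstrap.properties fragment the way java.util.Properties does and reports the pitfalls that step 5 describes: a single backslash in keystore_location is swallowed by the properties parser so the server opens a different path than the one typed, a bare file name resolves under resources/security, and a keystore_password that is not {xor}-encoded. The sample fragments are constructed, and the default folder is the distributed-systems path from the list in step 5.

```python
import re

# Folder a relative keystore_location resolves against (distributed path, from step 5)
DEFAULT_SECURITY_DIR = "wlp/usr/servers/csmServer/resources/security"
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def java_unescape(value: str) -> str:
    """Simplified java.util.Properties handling: '\\\\' -> '\\', unknown '\\x' -> 'x'.
    (\\uXXXX escapes and ':' or whitespace separators are not modelled here.)"""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_bootstrap(text: str) -> dict:
    """Return key -> value as the server reads it (escapes applied, comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, raw = line.partition("=")
            props[key.strip()] = java_unescape(raw.strip())
    return props


def check_keystore_settings(text: str) -> list:
    """Findings for the keystore_location / keystore_password pitfalls in step 5."""
    props, findings = parse_bootstrap(text), []
    loc = props.get("keystore_location")
    if loc is None:
        findings.append("keystore_location missing: server falls back to resources/security/key.jks")
    else:
        typed = re.search(r"^\s*keystore_location\s*=\s*(.*?)\s*$", text, re.M).group(1)
        if typed != loc:  # single backslashes were swallowed by the properties parser
            findings.append(f"path escapes: typed {typed!r}, server opens {loc!r}")
        if not (loc.startswith("/") or re.match(r"[A-Za-z]:", loc)):
            findings.append(f"relative path resolves to {DEFAULT_SECURITY_DIR}/{loc}")
    pw = props.get("keystore_password", "")
    if pw and not pw.startswith("{xor}"):
        findings.append("keystore_password is plain text; encode it with securityUtility")
    return findings


# Constructed samples, not from a real server: a Windows path typed with single
# backslashes and a plain-text password, versus a relative name and an encoded password.
SAMPLE_BAD = "keystore_location=C:\\IBM\\CSM\\myCsmKeyStore.jks\nkeystore_password=passw0rd\n"
SAMPLE_GOOD = "keystore_location=myCsmKeyStore<ServerName>.jks\nkeystore_password={xor}Lz4sLChvLTs=\n"
```

Running check_keystore_settings(SAMPLE_BAD) shows the server would try to open C:IBMCSMmyCsmKeyStore.jks, which is why the page insists on '/' or '\\' as the separator.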

Results

The default certificates that Copy Services Manager supplies for browser HTTPS requests to the GUI are switched out.