Generating a new key and self-signed certificate for WebSphere Application Server Liberty Profile
Complete this task when a certificate expires or if you want to update information in the certificate.
Procedure
- Determine the information that you want to use for the certificate. If you are updating a certificate and want to use the same information as the existing certificate, but have forgotten what this information is, you can view the existing certificate.
- Microsoft Internet Explorer
- Open the IBM® InfoSphere® Information Server Web console in the browser and log in.
https://<hostname>:9443/ibm/iis/console
- Click the lock icon next to the secure URL and click View certificates in the pop-up window.
- On the Details tab, select Subject and capture the information in the Field Value area. This is the information that is used to construct the distinguished name.
- Mozilla Firefox
- Open the IBM InfoSphere Information Server Web console in the browser and log in.
https://<hostname>:9443/ibm/iis/console
- Click the lock icon next to the secure URL and click More information in the pop-up window.
- Click View Certificate.
- On the Details tab, select Subject and capture the information in the Field Value area. This is the information that is used to construct the distinguished name.
- Stop the application server. On Linux and UNIX:
MetadataServer.sh stop
On Windows:
net stop InfoSvr
- Create a new keystore file with a newly generated key and self-signed certificate. (The ⇒ character indicates a line continuation.)
cd IS_install_path/wlp/usr/servers/iis/resources/security
IS_install_path/jdk/bin/keytool -genkeypair ⇒
  -dname distinguished_name -keystore ./iis-server-keystore.p12 ⇒
  -keypass key_password -storepass key_password -validity validity_days ⇒
  -alias iisSSL -keyalg RSA -keysize 2048 -sigalg SHA512withRSA ⇒
  -storetype PKCS12
where:
- distinguished_name
- Defines the organizational information for the certificate. Refer to the information you collected in the first step if you want to use the same information as before. Example:
CN=host.example.com,OU=MyOrganization,O=MyCompany,C=US
If you do not provide the -dname parameter and value, you will be prompted for the information.
Important: Set the Common Name (CN) field to the InfoSphere Information Server host name that remote clients use to access the server. As part of the SSL handshake, clients verify that the host name that is used to access the server matches the certificate CN value (or one of the values if there are multiple values).
- key_password
- Password for the keystore. The password can be made up of only printable characters from the US-ASCII character set. In IBM WebSphere® Application Server Liberty Profile, both the key password and store password must be set to the same value.
- validity_days
- The number of days that the certificate is valid before it expires. When it expires, you must generate another certificate.
Depending on your environment and browser, not all key algorithms (set by -keyalg and -keysize) might be supported. For more information on the keytool utility, see Keytool.
- The key password in the original certificate was set during installation. (The default value is iiskeypass unless it was changed during the installation interview.) If you use different values in the new certificate for the key password (-storepass and -keypass), keystore type (-storetype), or key alias (-alias), then you must update the iis.keystore.type, iis.keystore.password, and iis.ssl.serverKeyAlias properties in the IS_install_path/wlp/usr/servers/iis/bootstrap.properties file to match the new values. For example:
iis.keystore.type=PKCS12
iis.keystore.password={aes}AG0caBXHAvGL+YXDfsSJ2CA4y2vWPm7FNZgPp7377Ry9
iis.ssl.serverKeyAlias=iisSSL
The password value must be specified as an encrypted string. To create this value, enter the following command:
IS_install_path/wlp/bin/securityUtility encode --encoding=aes
You are prompted for the password. Copy the output value and paste it into the IS_install_path/wlp/usr/servers/iis/bootstrap.properties file.
For more information on the securityUtility command, see securityUtility.
Changing the location of the keystore file is not recommended.
- If you change the iis.keystore.password value, you must also update the trust store password. By default, the iis.keystore.password property in the IS_install_path/wlp/usr/servers/iis/bootstrap.properties file is also used as the password of the Liberty profile trust store, which is used for outbound SSL requests from the application server. This trust store is defined as follows in the IS_install_path/wlp/usr/servers/iis/server.xml file:
<keyStore id="iis-server-truststore"
  location="${server.config.dir}/resources/security/iis-server-truststore.jks"
  password="${iis.keystore.password}" type="${iis.truststore.type}"/>
To update the trust store password, run the following command. (The ⇒ character indicates a line continuation.)
IS_install_path/jdk/bin/keytool -storepasswd -storepass old_password ⇒
  -new new_password ⇒
  -keystore IS_install_path/wlp/usr/servers/iis/resources/security/iis-server-truststore.jks
- Start the application server. On Linux and UNIX:
MetadataServer.sh run
On Windows:
net start InfoSvr
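A pre-flight check for the values passed to keytool in the procedure above, as an added example that is not part of the IBM documentation or product: it enforces the constraints the steps state (CN equal to the client-facing host name, a printable US-ASCII password used for both -keypass and -storepass, a positive validity in days) and prints the resulting keytool command line. The function names and the optional fourth argument that replaces the IS_install_path placeholder are assumptions.

```shell
#!/bin/sh
# Added pre-flight checks for the keytool -genkeypair step (not IBM code).
# Inputs: DN, the single key/store password, validity in days, and the
# host name that remote clients use to reach the server.

# Succeeds when the CN attribute of the DN equals the client-facing host
# name, which is what clients compare during the SSL handshake.
cn_matches_host() {
  cn=$(printf '%s' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1)
  if [ -n "$cn" ] && [ "$cn" = "$2" ]; then return 0; fi
  return 1
}

# Succeeds when the password is non-empty printable US-ASCII (0x21-0x7E).
# Space is rejected as well, because the command passes the value unquoted.
password_is_printable_ascii() {
  if [ -n "$1" ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '\041-\176')" ]; then
    return 0
  fi
  return 1
}

# Succeeds when validity is a positive whole number of days.
validity_is_positive_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) [ "$1" -gt 0 ] && return 0; return 1 ;;
  esac
}

# Runs every check, reports each failure, and returns 1 if any failed.
preflight() {
  rc=0
  cn_matches_host "$1" "$4" || { echo "CN in '$1' != host '$4'" >&2; rc=1; }
  password_is_printable_ascii "$2" || { echo "password is not printable US-ASCII" >&2; rc=1; }
  validity_is_positive_int "$3" || { echo "validity '$3' is not a positive day count" >&2; rc=1; }
  return $rc
}

# Prints the keytool command with one value for -keypass and -storepass, as
# Liberty requires. IS_install_path stays a placeholder unless a 4th arg is given.
build_genkeypair_cmd() {
  root="${4:-IS_install_path}"
  cmd="$root/jdk/bin/keytool -genkeypair -dname \"$1\""
  cmd="$cmd -keystore ./iis-server-keystore.p12 -keypass $2 -storepass $2"
  cmd="$cmd -validity $3 -alias iisSSL -keyalg RSA -keysize 2048"
  cmd="$cmd -sigalg SHA512withRSA -storetype PKCS12"
  printf '%s\n' "$cmd"
}
```

Run preflight with the four values first; only when it succeeds, review the line printed by build_genkeypair_cmd and run it from the resources/security directory.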