Configuring certificates for an HAProxy
Learn how to configure your certificates for a high availability disaster recovery (HADR) hybrid deployment.
About this task
The following OpenSSL request configuration generates a CSR that carries subject alternative names (SANs) for the proxy host. Names in the certificate are bare host names, never URLs with an https:// scheme, and every name by which the proxy is reached (the common name included) belongs in the alt_names list, because clients ignore the common name once a subjectAltName extension is present.

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = Country name from profile
countryName_default = US
stateOrProvinceName = State or province from profile
localityName = Locality name from profile
organizationName = Organization name
organizationName_default = IBM
organizationalUnitName = Organization unit from profile
commonName = Common name (host name of the proxy)
commonName_default = proxy.east.example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = proxy.west.example.com
DNS.2 = ...
DNS.3 = ...
- Download the root Certificate Authority (CA) and intermediate CA certificates.
- Generate a Privacy Enhanced Mail (PEM) file with the downloaded certificates and import the certificates into the DASH NodeDefaultKeyStore signer certificates. The concatenation below belongs to step 6, where the HAProxy private key is concatenated with the HAProxy server certificate into one PEM file:
  cat proxy1.key proxy1.crt >> proxy1.pem
- Generate Certificate Signing Requests (CSRs) for both the DASH (in WebSphere® Application Server) and the HAProxy instances. Keep the private key file for the HAProxy hosts safe. If WebSphere Application Server is used to generate the CSR for DASH, the private key is stored in the WebSphere Application Server vault.
- Generate the server certificates for the CSRs by requesting them from the root CA.
- Add the server certificate for Jazz® for Service Management or DASH into the NodeDefaultKeyStore personal certificates in WebSphere Application Server.
- Generate a PEM file for the HAProxy hosts with the HAProxy server certificate and the private key file from step 3.
- After the certificate files and keys are generated for the proxy hosts, create a new directory on each HAProxy host server, for example, the /root/new_certs directory. Add all the downloaded and created certificates to this directory. These certificates are required to run HAProxy.
You can manage certificate operations that involve personal certificates, signer certificates, and personal certificate requests on the WebSphere Application Server administrative console. WebSphere Application Server uses the certificates that reside in keystores to establish trust for a Secure Sockets Layer (SSL) connection. Click . Then, select an existing keystore or create a new keystore. After selecting a keystore, and depending on the type of certificate you need, choose the type of certificate under Related Items. For more information, see the WebSphere Application Server documentation: Certificate management in SSL for version 8.5.5 and Certificate management in SSL for version 9.0.5.
- Run the following command to verify that you have the correct certificates:
  openssl s_client -showcerts -CAfile /root/new_certs/caroot.crt -servername proxy.east.example.com -connect localhost:3443 </dev/null
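The procedure above run end to end against a throwaway local CA, as an added shell example that is not part of the IBM page: it writes a non-interactive request configuration with the same sections as the one above, generates the HAProxy private key and CSR (step 3), signs the CSR (step 4), builds the key-plus-certificate PEM that HAProxy loads (step 6), and checks chain and host name with openssl verify instead of connecting to a live proxy (step 8). The host names, file names, the test root CA and the working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the IBM page. Everything below runs offline in a
# temporary directory; the "Example Test Root CA" stands in for the corporate CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Non-interactive OpenSSL request config (prompt = no) with the same sections the
# page's config references. The common name is repeated in alt_names because
# clients ignore the CN once a subjectAltName extension is present.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = US
stateOrProvinceName = New York
localityName = Armonk
organizationName = Example Org
organizationalUnitName = Proxy
commonName = proxy.east.example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = proxy.east.example.com
DNS.2 = proxy.west.example.com

[v3_ca]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# Throwaway self-signed root CA (assumption: replaces the real root CA of step 1).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 3: private key and CSR for the HAProxy host; req_ext puts the SANs in the CSR.
make_proxy_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/proxy1.key" -out "$WORK/proxy1.csr" 2>/dev/null
}

# Step 4: the CA signs the CSR; -extensions req_ext copies the SANs into the certificate.
sign_proxy_csr() {
    openssl x509 -req -days 30 -in "$WORK/proxy1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions req_ext \
        -out "$WORK/proxy1.crt" 2>/dev/null
}

# Step 6: HAProxy loads key and certificate from one PEM file, so restrict its mode.
build_haproxy_pem() {
    cat "$WORK/proxy1.key" "$WORK/proxy1.crt" > "$WORK/proxy1.pem"
    chmod 600 "$WORK/proxy1.pem"
}

# Step 8 without a running proxy: succeeds (exit 0) only if proxy1.crt chains to
# ca.crt and its names cover the host name given as $1.
verify_proxy_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/proxy1.crt" >/dev/null 2>&1
}

run_all() {
    write_req_config
    make_test_ca
    make_proxy_csr
    sign_proxy_csr
    build_haproxy_pem
}

run_all
```

In production the CSR goes to the corporate root CA instead of the local test CA; the -verify_hostname check is worth repeating for every name clients will use, since a name missing from the SAN list fails validation even when it matches the common name.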