Configuring certificates for a HAProxy

Learn how to configure your certificates for a high availability disaster recovery (HADR) hybrid deployment.

About this task

Create certificates for all WebGUI instance and HAproxy URLs. The following example shows the OpenSSL request configuration that you could use to generate one certificate for both HAproxies. Note that the commonName and the DNS entries are bare host names: a certificate is matched against the DNS name only, so a value carrying an https:// scheme prefix would never match. For more information, see HAproxy configuration.
[req]
distinguished_name       = req_distinguished_name
req_extensions           = req_ext
[req_distinguished_name]
countryName              = Country name from profile
countryName_default      = US
stateOrProvinceName      = State or province from profile
localityName             = Locality name from profile
organizationName         = Organization name
organizationName_default = IBM
organizationalUnitName   = Organization unit from profile
# Bare host name, no scheme prefix
commonName               = proxy.east.example.com
[req_ext]
subjectAltName           = @alt_names
[alt_names]
# List every HAproxy and WebGUI host name here, including the commonName host
DNS.1 = proxy.west.example.com
DNS.2 = ...
DNS.3 = ...

Procedure

  1. Download the root Certificate Authority (CA) and intermediate CA certificates.
  2. Generate a Privacy Enhanced Mail (PEM) file with downloaded certificates. Import the certificates into the DASH NodeDefaultKeyStore signer certificates.
    Concatenate the private key with the server certificate:
    cat proxy1.key proxy1.crt >> proxy1.pem
  3. Generate Certificate Signing Requests (CSRs) for both the DASH (in WebSphere® Application Server) and the HAproxy instances. Keep the private key file for the HAproxy hosts safe. If WebSphere Application Server is used to generate the CSR for DASH, the private key is stored in the WebSphere Application Server vault.
  4. Generate the server certificates for the CSRs by requesting them from the root CA.
  5. Add the server certificate for Jazz® for Service Management or DASH into the NodeDefaultKeyStore personal certificates in WebSphere Application Server.
  6. Generate a PEM file for HAproxy hosts with the HAproxy server certificate and the private key file from step 3.
  7. After the certificate files and keys are generated for the proxy hosts, create a new directory on each HAproxy host server, for example, the /root/new_certs directory. Add all the downloaded and created certificates to this directory. These certificates will be required to run the HAproxy.

    You can manage certificate operations that involve personal certificates, signer certificates, and personal certificate requests on the administrative WebSphere Application Server console. WebSphere Application Server uses the certificates that reside in keystores to establish trust for a Secure Sockets Layer (SSL) connection. Click Security > SSL certificate and key management > Manage endpoint security configurations > Inbound | Outbound > SSL_configuration_name > Key stores and certificates. Then, select an existing keystore or create a new keystore. After selecting a keystore, and depending on the type of certificate you need, choose the type of certificate under Related Items.

    For more information, see the WebSphere Application Server documentation: Certificate management in SSL for version 8.5.5 and Certificate management in SSL for version 9.0.5.
  8. Run the following command to verify that you have the correct certificates:
    openssl s_client -showcerts -CAfile /root/new_certs/caroot.crt -servername proxy.east.example.com -connect localhost:3443 </dev/null
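The request configuration shown above and step 3 of the procedure, as an added example that is not part of this IBM documentation: the script writes a SAN request config for the two proxy hosts, generates the HAproxy private key and CSR, and then checks that the CSR actually carries each host name in its subjectAltName before the CSR is sent to the root CA. The host names, the working directory and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the IBM page. Builds an HAproxy key and CSR from a
# SAN request config and verifies the CSR names every proxy host.
# Host names, paths and function names are assumed for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config. Host names go in bare: a SAN or CN is compared against the
# DNS name only, so a value with an "https://" scheme prefix would never match.
write_san_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[req_distinguished_name]
C  = US
O  = IBM
CN = proxy.east.example.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = proxy.east.example.com
DNS.2 = proxy.west.example.com
EOF
}

# Step 3: the private key stays on the HAproxy host, only the CSR goes to the CA.
make_csr() {
  write_san_config "$WORKDIR/proxy.cnf"
  openssl genrsa -out "$WORKDIR/proxy.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/proxy.key"
  openssl req -new -key "$WORKDIR/proxy.key" -config "$WORKDIR/proxy.cnf" \
    -out "$WORKDIR/proxy.csr"
}

# Succeeds only if the CSR's subjectAltName lists the given host name exactly,
# so a CSR with a scheme prefix or a typo is caught before it reaches the CA.
csr_has_san() {
  openssl req -in "$WORKDIR/proxy.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$1"
}
```

Run `make_csr` and then `csr_has_san proxy.west.example.com` for each host that HAproxy will serve; a non-zero exit means the CSR must be regenerated before requesting the server certificate.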

What to do next

Server and cluster certificates need to be regenerated manually each time one of the following milestones is reached.
  • Server certificates have expired.
  • Root Certificate Authority (CA) certs are renewed or refreshed.
  • Intermediate CA certs are renewed or refreshed.
To regenerate certificates, repeat the certificate setup steps.