Learn how to configure your certificates for a high availability disaster
recovery (HADR) hybrid deployment.
About this task
Create certificates for all WebGUI instance and HAproxy URLs. The following example shows the OpenSSL request configuration that you could use to generate one certificate for both HAproxies. For more information, see HAproxy configuration.

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = Country name from profile
countryName_default = US
stateOrProvinceName = State or province from profile
localityName = Locality name from profile
organizationName = Organization name
organizationName_default = IBM
organizationalUnitName = Organization unit from profile
# Host name only: a URL scheme such as https:// in the CN or SAN never
# matches the name that clients verify.
commonName = proxy.east.example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
# List every proxy host name here, including the commonName host; clients
# match the SAN entries, not the CN.
DNS.1 = proxy.east.example.com
DNS.2 = proxy.west.example.com
DNS.3 = ...
DNS.4 = ...
Procedure
- Download the root Certificate Authority (CA) and intermediate CA certificates.
- Generate a Privacy Enhanced Mail (PEM) file from the downloaded certificates. Import the certificates into the DASH NodeDefaultKeyStore signer certificates. Concatenate the private key with the server certificate:

  cat proxy1.key proxy1.crt > proxy1.pem
- Generate Certificate Signing Requests (CSRs) for both the DASH (in WebSphere® Application Server) and the HAproxy instances. Keep the private key file for the HAproxy hosts safe. If WebSphere Application Server is used to generate the CSR for DASH, the private key is stored in the WebSphere Application Server vault.
- Generate the server certificates for the CSRs by requesting them from the root CA.
- Add the server certificate for Jazz® for Service Management or DASH into the NodeDefaultKeyStore personal certificates in WebSphere Application Server.
- Generate a PEM file for HAproxy hosts with the HAproxy server certificate and the private
key file from step 3.
- After the certificate files and keys are generated for the proxy hosts, create a new directory on each HAproxy host server, for example, the /root/new_certs directory. Add all the downloaded and created certificates to this directory. These certificates are required to run the HAproxy.
  You can manage certificate operations that involve personal certificates, signer certificates, and personal certificate requests in the administrative WebSphere Application Server console. WebSphere Application Server uses the certificates that reside in keystores to establish trust for a Secure Sockets Layer (SSL) connection. In the console, select an existing keystore or create a new keystore. After selecting a keystore, and depending on the type of certificate you need, choose the type of certificate under Related Items.
  For more information, see the WebSphere Application Server documentation:
  - Certificate management in SSL for version 8.5.5
  - Certificate management in SSL for version 9.0.5
- Run the following command to verify that you have the correct certificates:
openssl s_client -showcerts -CAfile /root/new_certs/caroot.crt -servername proxy.east.example.com -connect localhost:3443 </dev/null
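The following script is an added example and is not code from the IBM page. It performs the HAProxy side of the procedure in a checkable way: it builds the PEM bundle from steps 2 and 6 and refuses to write one that lacks a private key or the intermediate chain before it is copied into a directory such as /root/new_certs (step 7); when openssl is installed it also generates the CSR from the request configuration shown under About this task (step 3) and verifies the signed certificate against the downloaded root CA, showing the SANs and expiry that step 8 and What to do next are concerned with. Only proxy1.key, proxy1.crt, proxy1.pem and caroot.crt appear on the page; intermediate.crt, proxy.cnf, the script name and the bundle order are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM page). Assembles and checks the HAProxy PEM
# bundle; file names other than proxy1.key, proxy1.crt, proxy1.pem and
# caroot.crt are assumed for illustration.
set -eu

# pem_count FILE LABEL: how many "-----BEGIN ...LABEL-----" headers FILE holds.
# The pattern tolerates a prefix, so 'PRIVATE KEY' also counts RSA and EC keys.
pem_count() {
    grep -c "^-----BEGIN [A-Z ]*$2-----" "$1" 2>/dev/null || true
}

# build_haproxy_pem KEY CRT CHAIN OUT
# Writes key, server certificate and intermediate chain into one file for the
# HAProxy crt option: the concatenation from step 2 with the chain added.
# Rejects a bundle that does not hold exactly one private key and at least
# two certificates, and creates OUT with mode 0600 because it holds the key.
build_haproxy_pem() {
    key=$1 crt=$2 chain=$3 out=$4
    for f in "$key" "$crt" "$chain"; do
        [ -r "$f" ] || { echo "build_haproxy_pem: cannot read $f" >&2; return 1; }
    done
    (umask 077; cat "$key" "$crt" "$chain" > "$out")
    if [ "$(pem_count "$out" 'PRIVATE KEY')" -ne 1 ]; then
        echo "$out: expected exactly one private key" >&2
        rm -f "$out"
        return 1
    fi
    if [ "$(pem_count "$out" 'CERTIFICATE')" -lt 2 ]; then
        echo "$out: expected the server certificate and its intermediate chain" >&2
        rm -f "$out"
        return 1
    fi
}

# gen_csr CONFIG KEY CSR: step 3 for an HAProxy host, using the [req] file from
# About this task. -nodes leaves the key unencrypted so HAProxy can load it,
# which is why the page says to keep that file safe.
gen_csr() {
    (umask 077; openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1")
    # Show the SAN block so a missing proxy host name is caught before the CA signs it.
    openssl req -in "$3" -noout -text | grep -A1 'Subject Alternative Name'
}

# verify_chain CAROOT CHAIN CRT: step 8 without a running proxy. Confirms the
# signed certificate chains to the downloaded root CA and prints its subject,
# SANs and expiry date, the values What to do next says trigger regeneration.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
    openssl x509 -in "$3" -noout -subject -ext subjectAltName -enddate
}

# Usage when run directly, after the CA has returned proxy1.crt:
#   sh haproxy_certs.sh proxy1.key proxy1.crt intermediate.crt /root/new_certs/proxy1.pem caroot.crt
if [ $# -eq 5 ]; then
    build_haproxy_pem "$1" "$2" "$3" "$4"
    if command -v openssl >/dev/null 2>&1; then verify_chain "$5" "$3" "$2"; fi
fi
```

The structural check is deliberately independent of openssl so it can run on a minimal proxy host; the chain and SAN checks need openssl 1.1.1 or later for the -ext option.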
What to do next
Server and cluster certificates must be regenerated manually each time one of the following milestones is reached:
- Server certificates have expired.
- Root Certificate Authority (CA) certs are renewed or refreshed.
- Intermediate CA certs are renewed or refreshed.
To regenerate certificates, repeat the certificate setup steps.