Creating signed WebSphere Application Server certificates

Learn how to create signed certificates for a high availability disaster recovery (HADR) hybrid deployment.

About this task

Complete the following steps to configure WebSphere® Application Server certificates. Set up certificate authority (CA) signed certificates for WebGUI load balancing.

Procedure

  1. Create certificate signing requests (CSRs) on both WebSphere Application Server servers. On the WebSphere Application Server console, go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificate requests > New. Complete the required fields. Ensure that the common name value is set to your DASH domain name.
  2. Generate a signed server certificate. Sign your CSR with an approved CA, which creates a signed server certificate. Complete this step for the CSR on the primary and backup DASH servers.
  3. Import the correct signed server certificate on each DASH server. On both DASH servers, go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates > Receive from certificate authority.
  4. Import the intermediate and root CA certificates.
    1. Add the intermediate CA certificates to the WebSphere Application Server keystores. On both DASH servers, add the intermediate CA certificate. Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Signer certificates > Add and add the intermediate certificate.
    2. Add the root CA certificates to the WebSphere Application Server keystores. On both DASH servers, add the root CA certificate. Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Signer certificates > Add and add the root certificate.
  5. Update WebSphere Application Server to use the new certificates. Ensure that the certificates you uploaded to DASH are selected as the default certificates. Go to Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings. Select the default server certificate alias and default client certificate alias to be the aliases of the new certificates. Go to Security > SSL certificate and key management > Manage endpoint security configurations > JazzSMNode01. For inbound connections, set the Certificate alias in key store to the certificate that was added to the keystore.
  6. Restart all DASH server nodes.

What to do next

Server and cluster certificates need to be regenerated manually each time one of the following milestones is reached:
  • Server certificates have expired.
  • Root Certificate Authority (CA) certs are renewed or refreshed.
  • Intermediate CA certs are renewed or refreshed.
To regenerate certificates, repeat the certificate setup steps.
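
The following check is an added example, not part of the IBM procedure. It confirms that a signed server certificate chains through the intermediate to the root CA, carries the DASH domain name as its common name, and that none of the three certificates is close to expiry. It assumes the OpenSSL command line is installed and that the certificates are available as PEM files; the function names, file names, and the domain `dash.example.test` are constructed for illustration.

```shell
# Added example (not IBM code). File names, CA names and dash.example.test are constructed.

# check_dash_cert LEAF INTERMEDIATE ROOT EXPECTED_CN [MIN_DAYS]
# Returns 0 = OK, 1 = chain does not verify, 2 = CN mismatch, 3 = a certificate expires soon.
check_dash_cert() {
  leaf=$1; inter=$2; root=$3; want_cn=$4; min_days=${5:-30}
  # Step 4: the server certificate must chain through the intermediate to the root.
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 || return 1
  # Step 1: the common name must be the DASH domain name.
  cn=$(openssl x509 -in "$leaf" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= //p' | head -n 1)
  [ "$cn" = "$want_cn" ] || return 2
  # Renewal triggers: flag server, intermediate or root certificates near expiry.
  for pem in "$leaf" "$inter" "$root"; do
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null || return 3
  done
  return 0
}

# make_demo_chain DIR: builds a throwaway root -> intermediate -> server chain
# (365, 365 and 90 days) so the check can be tried without real certificates.
make_demo_chain() {
  ( set -e
    cd "$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=placeholder' \
      '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
      -subj '/CN=Constructed Root CA' -keyout root.key -out root.pem -days 365
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj '/CN=Constructed Intermediate CA' -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -days 365 -out int.pem
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj '/CN=dash.example.test' -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 90 -out leaf.pem
  ) >/dev/null 2>&1
}
```

Run `check_dash_cert` against each DASH server's signed certificate before restarting the nodes, and on a schedule afterwards so that an approaching expiry is caught before it becomes an outage.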