Certificate has expired

Use this example to help you to re-deploy an expired self-signed certificate.

Symptoms

The error message 'Security certificate has expired.' is displayed.

Cause

Your self-signed certificate has expired and needs to be renewed.

Resolution

Re-configure your expired self-signed certificate for SSL.

1. Delete the old keystore
Delete the old keystore file, <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks.
2. Generate the key
Run one of the following commands depending on which signature algorithm you are using:
  • For users of the SHA1withRSA signature algorithm:
    ./keytool -genkey \
      -keystore ~/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks \
      -storepass loganalytics -keypass loganalytics -validity 365 \
      -dname "CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore, S=Karnataka, C=IN" \
      -alias default -keyalg RSA -sigalg SHA1withRSA \
      -ext san=dns:localhost.localdomain,dns:abc12345678,dns:abc12345678.example.com,dns:localhost,ip:1.234.56.78 \
      -keysize <encryption-key-size>
    Where <encryption-key-size> is the size of the encryption key; for example, 2048.
  • For users of the SHA256withRSA signature algorithm:
    ./keytool -genkey \
      -keystore ~/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks \
      -storepass loganalytics -keypass loganalytics -validity 365 \
      -dname "CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore, S=Karnataka, C=IN" \
      -alias default -keyalg RSA -sigalg SHA256withRSA \
      -ext san=dns:localhost.localdomain,dns:abc12345678,dns:abc12345678.example.com,dns:localhost,ip:1.234.56.78 \
      -keysize <encryption-key-size>
    Where <encryption-key-size> is the size of the encryption key; for example, 2048.

The keystore file for Log Analysis is <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks.

The value of the -dname parameter is the distinguished name that identifies your server. In this example it is specified as follows:
-dname "CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore, S=Karnataka, C=IN"
where CN is the common name, OU is the organizational unit, O is the organization, L is the location, S is the state or province, and C is the country.
3. Export the self-signed certificate to a file
When you generate the keystore in the previous step, a default self-signed certificate is created with the alias default. Export this certificate to a file so that you can then import it into the Java runtime truststore under the <HOME>/IBM/LogAnalysis/ibm-java folder, one of the folders that Log Analysis creates when it is installed (see the next step).
Completing this step ensures that all the components of Log Analysis use the same certificate.
This step is required because you are generating a new keystore, and that change requires you to refresh the public certificate on the clients.
If you do not delete the old keystore before you generate the new one, and the old certificate used the same alias (default), an error can result. To avoid this, delete the older certificates or change the alias value.
To export the certificate into a file, run the following command:
./keytool -exportcert \
  -keystore ~/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks \
  -alias default -file client.crt
When prompted, provide the Liberty keystore password; for example: loganalytics.
4. Import the self-signed certificate
To import this certificate into the Java™ runtime environment keystore, enter the following command:
./keytool -import \
  -keystore ~/IBM/LogAnalysis/ibm-java/lib/security/cacerts \
  -alias default -file client.crt
When prompted, provide the Java keystore password; for example: changeit.

If you installed remote instances of Log Analysis components like the EIF Receiver, IBM Tivoli® Monitoring Log File Agent, or Logstash, you must import the certificate in the Java runtime environment on the remote servers.

5. Update the Solr related certificates
Import the Solr certificate into the keystore using the following commands.

./keytool -import -trustcacerts \
  -keystore <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks \
  -alias SolrCert123 -file <HOME>/solrConfigs/solr_ssl_shared.cer
When prompted, specify the same store password that you set when you generated the keystore (loganalytics in this example).

If a warning is shown that the alias already exists, then rerun the command with an alternative alias name of your choice.

6. Restart Log Analysis
Run the following command to restart Log Analysis.
<HOME>/IBM/LogAnalysis/utilities/unity.sh -restart
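As an added example that is not part of the IBM page, the following POSIX shell script parses `keytool -list -v` output to report how many days the certificate under the alias default has left, so the renewal above can be scheduled before the 'Security certificate has expired.' error appears. It assumes the keystore path, alias and store password from the steps above; the function names and the sample keytool output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the IBM page: report how many days remain before the
# Log Analysis self-signed certificate expires, so the renewal above can be
# scheduled before the 'Security certificate has expired.' error appears.
# Assumptions: keystore path, alias (default) and store password from the steps above.
KEYSTORE="${HOME}/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks"
export STOREPASS="loganalytics"   # read by keytool via -storepass:env, keeps it out of `ps`

# Days since 1970-01-01 for a civil date (year month day); pure awk, no GNU date needed.
days_from_civil() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * ((m > 2) ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468 }'
}

# Read `keytool -list -v` output on stdin; print days until the entry with alias $1
# expires (negative if already expired). $2 = today as "YYYY MM DD" (default: UTC now).
days_until_expiry() {
    today="${2:-$(date -u '+%Y %m %d')}"
    expiry=$(awk -v a="$1" '/^Alias name:/ { hit = ($3 == a) }
                            hit && /until:/ { sub(/.*until: /, ""); print; exit }')
    [ -n "$expiry" ] || return 1
    set -- $expiry                       # e.g. Wed Jan 10 12:00:00 UTC 2024
    mon=$(echo JanFebMarAprMayJunJulAugSepOctNovDec | awk -v m="$2" '{ print (index($0, m) + 2) / 3 }')
    printf '%s\n' "$(( $(days_from_civil "$6" "$mon" "$3") - $(days_from_civil $today) ))"
}

# Live check of the real keystore; non-zero exit when renewal is due within 30 days.
check_keystore() {
    left=$(keytool -list -v -keystore "$KEYSTORE" -storepass:env STOREPASS | days_until_expiry default) \
        || { echo "alias 'default' not found in $KEYSTORE"; return 2; }
    if [ "$left" -lt 0 ]; then echo "EXPIRED $(( -left )) days ago: re-deploy the certificate"; return 1
    elif [ "$left" -le 30 ]; then echo "expires in $left days: schedule the renewal"; return 1
    else echo "OK: $left days left"; fi
}

# Constructed sample of `keytool -list -v` output (not from a real keystore) for an offline run.
SAMPLE='Alias name: default
Entry type: PrivateKeyEntry
Owner: CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore, ST=Karnataka, C=IN
Valid from: Tue Jan 10 12:00:00 UTC 2023 until: Wed Jan 10 12:00:00 UTC 2024'
if [ "${1:-}" = "--live" ]; then check_keystore
else printf '%s\n' "$SAMPLE" | days_until_expiry default '2024 01 01'; fi   # prints 9
```

Run it with `--live` on the Log Analysis server to check the real key.jks; without arguments it only evaluates the embedded sample.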