Certificate has expired
Use this example to help you to re-deploy an expired self-signed certificate.
Symptoms
The error message 'Security certificate has expired.' is displayed.
Cause
Your self-signed certificate has expired and needs to be renewed.
Resolution
Re-configure your expired self-signed certificate for SSL.
- 1. Delete the old keystore
- Delete the old keystore file, the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks file.
- 2. Generate the key
- Run one of the following commands depending on which signature algorithm you are using:
  - For users of the SHA1withRSA signature algorithm:
    ./keytool -genkey -keystore ~/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks -storepass loganalytics -keypass loganalytics -validity 365 -dname "CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore,S=Karnataka, C=IN" -alias default -keyalg RSA -sigalg SHA1withRSA -ext san=dns:localhost.localdomain,dns:abc12345678,dns:abc12345678.example.com,dns:localhost,ip:1.234.56.78 -keysize <encryption-key-size>
    Where <encryption-key-size> is the size of the encryption key; for example, 2048.
  - For users of the SHA256withRSA signature algorithm:
    ./keytool -genkey -keystore ~/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks -storepass loganalytics -keypass loganalytics -validity 365 -dname "CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore,S=Karnataka, C=IN" -alias default -keyalg RSA -sigalg SHA256withRSA -ext san=dns:localhost.localdomain,dns:abc12345678,dns:abc12345678.example.com,dns:localhost,ip:1.234.56.78 -keysize <encryption-key-size>
    Where <encryption-key-size> is the size of the encryption key; for example, 2048.
  The keystore file for Log Analysis is <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks.
  The value for the -dname parameter is the domain that your server is identified with. The details that are specified here are used to identify the server. In this example, the parameter is specified as follows:
    -dname "CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore,S=Karnataka, C=IN"
  where:
  - CN is the common name.
  - OU is the organizational unit.
  - O is the organization.
  - L is the location.
  - S is the state or province.
  - C is the country.
- 3. Export the self-signed certificate to a file
- After you generate the keystore in the first step, a default self-signed certificate is generated with an alias called default. You need to export this certificate to a file. After this step is done, you can import the file into the <HOME>/IBM/LogAnalysis/ibm-java folder that is part of the folders that are created by Log Analysis when it is installed. See instructions in Step 3.
- 4. Import the self-signed certificate
- To import this certificate into the Java runtime environment keystore, enter the following command:
    ./keytool -import -keystore ~/IBM/LogAnalysis/ibm-java/lib/security/cacerts -alias default -file client.crt
  When prompted, provide the Java keystore password; for example: changeit.
  If you installed remote instances of Log Analysis components like the EIF Receiver, IBM Tivoli Monitoring Log File Agent, or Logstash, you must import the certificate in the Java runtime environment on the remote servers.
- 5. Update the Solr related certificates
- Import the Solr certificate into the keystore using the following commands.
    ./keytool -import -trustcacerts -keystore <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security/key.jks -alias SolrCert123 -file <HOME>/solrConfigs/solr_ssl_shared.cer
When prompted, specify the same store password that was specified in step 1 during the keystore creation.
If a warning is shown that the alias already exists, then rerun the command with an alternative alias name of your choice.
- 6. Restart Log Analysis
- Run the following command to restart Log Analysis.
<HOME>/IBM/LogAnalysis/utilities/unity.sh -restart
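
Because the commands above create a certificate with -validity 365, the same error returns a year later unless the keystore is checked ahead of time. The following Python script is an added example, not part of the product documentation or of Log Analysis; it parses the output of keytool -list -v and reports the expiry status and signature algorithm of each alias. The sample listing, the audit function name and the 30-day warning window are assumptions made for the example.

```python
import re
import sys
from datetime import datetime

# Constructed, abridged `keytool -list -v` output; not captured from a real system.
SAMPLE = """\
Alias name: default
Entry type: PrivateKeyEntry
Owner: CN=abc12345678.in.example.com, OU=IT, O=EXAMPLE LTD, L=Bangalore, ST=Karnataka, C=IN
Valid from: Tue Jan 10 09:00:00 IST 2023 until: Wed Jan 10 09:00:00 IST 2024
Signature algorithm name: SHA1withRSA

Alias name: solrcert123
Entry type: trustedCertEntry
Valid from: Fri Mar 01 09:00:00 IST 2024 until: Sat Mar 01 09:00:00 IST 2025
Signature algorithm name: SHA256withRSA
"""

# keytool prints dates like "Wed Jan 10 09:00:00 IST 2024". The zone abbreviation is
# skipped, so results are accurate to within a day, which is enough for an expiry warning.
UNTIL = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")
WEAK_SIG = re.compile(r"^(MD5|SHA1)with", re.I)  # deprecated signature hashes


def audit(listing, now, warn_days=30):
    """Return one finding per keystore entry: alias, days left, status, signature algorithm."""
    findings = []
    for entry in re.split(r"(?m)^(?=Alias name: )", listing):
        alias = re.search(r"(?m)^Alias name: (.+)$", entry)
        until = UNTIL.search(entry)  # first certificate listed in the entry
        sig = re.search(r"Signature algorithm name: (\S+)", entry)
        if not (alias and until and sig):
            continue  # preamble or an entry without a certificate
        not_after = datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y")
        days_left = (not_after - now).days
        status = "EXPIRED" if not_after <= now else "EXPIRING" if days_left <= warn_days else "OK"
        findings.append({"alias": alias.group(1).strip(), "days_left": days_left,
                         "status": status, "sigalg": sig.group(1),
                         "weak_sig": bool(WEAK_SIG.match(sig.group(1)))})
    return findings


if __name__ == "__main__":
    # Pipe real `keytool -list -v -keystore <file>` output in, or run bare to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(text, datetime.now()):
        print(f"{f['alias']:<15} {f['status']:<9} {f['days_left']:>5}d  {f['sigalg']}"
              + ("  (weak signature hash)" if f["weak_sig"] else ""))
```

Run it against both key.jks and the Java runtime cacerts file, and on any remote servers where the certificate was imported, since each holds its own copy.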