Replacing the default SSL certificate for the Device, Alert, or Web server

To replace the default SSL certificate for the Device, Alert, or Web server, use the IBM® Key Management (iKeyman) utility.

About this task

If you have strong security requirements, you might want to replace the default certificate for the Web server so that you can connect to the Web server securely over the HTTPS protocol. Replacing the existing certificate can also remove the certificate error warnings that web browsers display.

Tip: If you want to use a self-signed certificate, complete steps 1-6, sub steps a-g, and steps 7 and 8.

If you want to use a certificate signed by an external certificate authority, complete steps 1-6, sub steps h-v, and steps 7 and 8.

Procedure

  1. Log on to the server where IBM Spectrum Control is installed. Ensure that you log on with the appropriate user privileges.
  2. Open the /jre/bin directory where IBM Spectrum Control is installed.
  3. Enter the iKeyman utility command.
    For the Windows operating system, enter the following command:
    ikeyman.exe
    For the AIX® or Linux® operating system, enter the following command:
    ./ikeyman
  4. Click Key Database File > Open.
  5. Complete the following tasks:
    1. Set the Key database type to PKCS12.
    2. In the File Name field, click Browse.

      To replace the default SSL certificate for the Device server, go to the installation_dir/wlp/usr/servers/deviceServer/resources/security/ directory, select the key.p12 file, and click Open.

      To replace the default SSL certificate for the Alert server, go to the installation_dir/wlp/usr/servers/alertServer/resources/security/ directory, select the key.p12 file, and click Open.

      To replace the default SSL certificate for the Web server, go to the installation_dir/wlp/usr/servers/webServer/resources/security/ directory, select the key.p12 file, and click Open.

    3. Click OK.
  6. On the Password Prompt page, type default, and click OK.
    The Personal Certificates list contains only the certificate with the default label.
    To replace the default certificate with a new self-signed certificate, complete the following tasks:
    1. Click New Self-Signed.
    2. On the Create New Self-Signed Certificate page, enter a unique value in the Key Label field.
    3. Provide values for the other fields, and click OK.

      The list of Personal Certificates contains your new self-signed certificate with the label that you provided and the old self-signed certificate with the default label.

    4. Select the old self-signed certificate with the default label and click Rename.
    5. Enter a new label for the old self-signed certificate, and click OK.
    6. Select the new self-signed certificate and click Rename.
    7. Enter default as the new label for the new self-signed certificate, and click OK.

    To replace the default certificate with a new certificate that is signed by an external certificate authority, complete the following tasks:

    8. In the iKeyman utility, select Create > New Certificate Request.
    9. Enter a unique value in the Key Label field and provide values for the other fields.
    10. Pay special attention to the value that you provide in the field labeled Enter the name of a file in which to store the certificate request, and click OK.

      A message is displayed that informs you of the location of the file that contains your new certificate request. You need to send the new certificate request file to your external certificate authority.

    11. On the Message page, click OK.

      The external certificate authority signs your new certificate request and sends back your new certificate. The external certificate authority might send their signer certificate or the external certificate authority might assume that you already have their signer certificate in the key database file.

      If the external certificate authority sends their signer certificate, complete the following tasks:

    12. Select Signer Certificates and click Add.
    13. Provide the File Name and Location values of the file that contains the Signer Certificate and click OK.
    14. Enter a label for the signer certificate, and click OK.

      If the external certificate authority assumes that you already have their signer certificate in the key database file, complete the following tasks:

    15. Select Signer Certificates and click Populate.
    16. Search the lists of CA Certificates, select the one or the ones for the external certificate authority that signed your new certificate request, and click OK.

      If the lists of CA Certificates do not contain the one(s) for the external certificate authority that signed your new certificate request, ask your external certificate authority to send their signer certificate.

      After you have the signer certificate for the external certificate authority in the keystore, complete the following tasks to receive the new certificate signed by the external certificate authority:

    17. Select Personal Certificates and click Receive.
    18. Provide the File Name and Location values of the file that contains your new certificate from the external certificate authority and click OK.
    19. Select the old self-signed certificate with the default label and click Rename.
    20. Enter a new label for the old self-signed certificate and click OK.
    21. Select your new certificate from the external certificate authority and click Rename.
    22. Enter default as the new label for the new certificate from the external certificate authority and click OK.
  7. In the iKeyman utility, click Key Database File > Exit.
  8. Stop and start the Device, Alert, or Web server.
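
A check to run after the procedure, added here as an example and not part of the IBM documentation: it reads key.p12 with the OpenSSL command-line tool (an assumption, since the page itself uses only iKeyman) and reports which certificate now carries the default label. The function names and the P12_PASS variable are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): show which certificate carries the "default"
# label in a PKCS12 key database such as key.p12, using the openssl CLI.
# The keystore password is read from the environment variable P12_PASS
# (hypothetical name) so that it does not appear in the process list.

# Print every label (friendlyName) attached to a certificate, one per line.
p12_labels() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS |
        sed -n 's/^ *friendlyName: *//p'
}

# Print the PEM of the first certificate whose label is exactly $2.
p12_cert_by_label() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS |
        awk -v want="$2" '
            /^ *friendlyName:/ { sub(/^ *friendlyName: */, ""); cur = $0; next }
            /-----BEGIN CERTIFICATE-----/ { incert = (cur == want && !done) }
            incert { print }
            /-----END CERTIFICATE-----/ { if (incert) done = 1; incert = 0; cur = "" }
        '
}

# Describe the certificate labelled "default"; return 1 if there is none.
check_default_cert() {
    pem=$(p12_cert_by_label "$1" default)
    if [ -z "$pem" ]; then
        echo "no certificate labelled default in $1"
        return 1
    fi
    printf '%s\n' "$pem" |
        openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
    # Equal subject and issuer names mean the certificate is self-issued,
    # which is what New Self-Signed produces; a CA-signed one differs.
    s=$(printf '%s\n' "$pem" | openssl x509 -noout -subject_hash)
    i=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer_hash)
    if [ "$s" = "$i" ]; then
        echo "type: self-signed"
    else
        echo "type: signed by another issuer"
    fi
}

# Usage: P12_PASS=... sh check_p12.sh path/to/key.p12
[ $# -eq 0 ] || check_default_cert "$1"
```

With OpenSSL 3, a key database protected with older PKCS12 algorithms may open only when `-legacy` is added to the `openssl pkcs12` calls.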