Replacing the default SSL certificate for the Device, Alert, or Web server with a certificate from an external certificate authority
To replace the default SSL certificate for the Device, Alert, or Web server with a certificate from an external certificate authority, use the keytool command.
About this task
If you have strong security requirements, you might want to replace the default certificate for the Web server with a certificate from an external certificate authority so that you can connect securely to the Web server over HTTPS. Replacing the default certificate also removes the web browser certificate error warnings.
Procedure
- Log on to the server where IBM Spectrum Control is installed. Ensure that you log on with the appropriate user privileges.
- Open the /jre/bin directory where IBM Spectrum Control is installed.
- Java comes with a utility named keytool in its bin directory that you can use to create and edit keystore files. To create a new keystore, complete the following steps:
For Windows operating system, enter the following command:
keytool.exe
For AIX® or Linux® operating system, enter the following command:
./keytool
- Complete the following tasks:
- Enter the following command to export the default SSL certificate from the device server keystore.
For Windows operating system, enter the following command:
keytool.exe -exportcert -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -storepass device_server_keystore_password -file deviceServer.cert
Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
For AIX® or Linux® operating system, enter the following command:
./keytool -exportcert -alias default -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 -storepass device_server_keystore_password -file deviceServer.cert
Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
- Complete the following tasks to delete the previous IBM Spectrum Control certificate:
- Enter the following command to delete the previous IBM Spectrum Control Device server SSL certificate from the IBM Spectrum Control Device server keystore.
For Windows operating system, enter the following command:
keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storepass keystore_password
Where keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
For AIX or Linux operating system, enter the following command:
./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storepass keystore_password
Where keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
- Enter the following command to delete the previous IBM Spectrum Control Alert server SSL certificate from the IBM Spectrum Control data collector trusted certificates.
For Windows operating system, enter the following command:
keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\alertServer\resources\security\key.p12" -storepass keystore_password
Where keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
For AIX or Linux operating system, enter the following command:
./keytool -delete -alias deviceServer -keystore installation_dir/wlp/usr/servers/alertServer/resources/security/key.p12 -storepass keystore_password
Where keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is default.
- Enter the following command to delete the previous IBM Spectrum Control Web server SSL certificate from the IBM Spectrum Control Web server keystore.
For Windows operating system, enter the following command:
keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\webServer\resources\security\key.p12" -storepass keystore_password
Where keystore_password is the IBM Spectrum Control web server keystore password and the default value for this password is default.
For AIX or Linux operating system, enter the following command:
./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/webServer/resources/security/key.p12 -storepass keystore_password
Where keystore_password is the IBM Spectrum Control web server keystore password and the default value for this password is default.
- Enter a unique value in the Key Label field and provide values for the other fields.
- Create a keystore by using the following command (replace the italicized options in the following examples with the options for your keystore):
keytool -genkey -alias <keystore_alias> -keyalg <encryption_algorithm> -keystore <path_to_the_keystore_being_created> -keysize <size_of_encryption_key>
For example:
keytool -genkey -alias default -keyalg RSA -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -keysize 2048
Note: The example shown is for the device server. You can perform the same step for alertServer and webServer.
- When you are prompted, type a password for the keystore that you are creating. Note: This password is required when you replace the keystore on the management node and for each subsequent keytool command that you run against the created keystore.
- When you are prompted, type your organization and location information.
- When you are prompted, type a password for the keystore alias. Note: The keystore alias password can be the same as the previous password that you created.
- After the keystore has been created, use the following command to issue a Certificate Signing Request (CSR) for the keystore (replace the italicized options in the following examples with the options for your keystore):
keytool -certreq -alias <keystore_alias> -keystore <path_to_the_keystore> -file <path_to_the_csr_file_being_created>
For example:
keytool -certreq -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -file mydomain.csr
Note: The example shown is for the device server. You can perform the same step for alertServer and webServer.
- The Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. Send the certificate signing request file to the CA; see the CA website for specific instructions about requesting a new certificate. You can request either a test certificate or a production certificate from the CA. However, in a production environment, you must request a production certificate. Important: Before completing the following steps, the signed certificates must be returned from the CA.
- Install the CA root and any intermediate certificates into the keystore; then, install
the generated server certificate into the keystore. These certificates can be acquired from the CA
used to generate the server certificate.
- To install root and intermediate certificates (start with the root certificate first), run the following command (replace the italicized options in the following examples with the options for your keystore):
keytool -import -trustcacerts -alias <root_certificate_alias> -file <path_to_the_root_certificate> -keystore <path_to_the_keystore>
For example:
keytool -import -trustcacerts -alias root -file root.crt -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12"
Where root.crt is the CA root or intermediate certificate and key.p12 is the name of the previously generated keystore.
Note: The example shown is for the device server. You can perform the same step for alertServer and webServer.
- When you are prompted, select to trust the certificate being installed.
- Repeat steps a and b for each certificate in the certificate chain.
- Import the server certificate that was returned from the CA by running the following command (replace the italicized options in the following examples with the options for your keystore):
keytool -import -trustcacerts -alias <server_certificate_alias> -file <path_to_server_certificate> -keystore <path_to_the_keystore>
For example:
keytool -import -trustcacerts -alias default -file mydomain.crt -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12"
Where the alias used is the alias for the server certificate, and the file provided is the server certificate file.
Note: The example shown is for the device server. You can perform the same step for alertServer and webServer.
- Stop and start the device, alert, or web server.
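Before you stop and start the servers, it is worth confirming that each keystore now holds what the procedure intends: the alias default must be a PrivateKeyEntry (the CA reply was imported into the same alias that holds the key pair, not stored as a separate trusted certificate), its leaf certificate must be CA-signed rather than self-signed, the chain must include the root and intermediate certificates, and the certificate must not be expired. The following Python script is an added example and not IBM's code: it parses the text that keytool -list -v prints for a keystore and reports any of those problems. The listings embedded in it are constructed samples; spectrum.example.com, Example Corp, and the serial numbers are placeholders. To check a real keystore, run keytool -list -v -keystore <path_to_the_keystore> -storetype pkcs12 -storepass <keystore_password> and pass its output to check_server_entry.

```python
"""Post-import sanity check for a keytool keystore (added example, not IBM code).

Parses `keytool -list -v` output and confirms that the server alias holds a
CA-signed, unexpired PrivateKeyEntry with its chain, before the device, alert,
or web server is restarted with the new keystore.
"""
import re
from datetime import datetime

# Constructed sample: `keytool -list -v` output after the CA reply and the
# root certificate were imported into the same keystore. Names are placeholders.
GOOD_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: default
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=spectrum.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Sat Jan 05 10:00:00 UTC 2035
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 0a0b0c
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Thu Jan 01 00:00:00 UTC 2038


*******************************************
*******************************************


Alias name: root
Creation date: Jan 5, 2024
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 01
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Thu Jan 01 00:00:00 UTC 2038
"""

# Constructed sample: a keystore whose alias still holds a self-signed key pair.
SELF_SIGNED_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: default
Creation date: Mar 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=constructed example
Issuer: CN=localhost, OU=constructed example
Serial number: 7f
Valid from: Sun Mar 01 00:00:00 UTC 2020 until: Fri Mar 01 00:00:00 UTC 2030
"""

# "until: Sat Jan 05 10:00:00 UTC 2035" -> ("Jan 05 10:00:00", "2035")
_UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def parse_listing(text):
    """Map each alias in `keytool -list -v` output to its entry type, chain
    length, leaf certificate subject/issuer, and leaf expiry date."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")

        def field(name):
            # First occurrence wins, so Owner/Issuer come from Certificate[1] (the leaf).
            m = re.search(r"^" + re.escape(name) + r":\s*(.*)$", body, re.M)
            return m.group(1).strip() if m else None

        m = _UNTIL_RE.search(body)
        chain = field("Certificate chain length")
        entries[alias.strip()] = {
            "type": field("Entry type"),
            "chain_length": int(chain) if chain else 1,
            "owner": field("Owner"),
            "issuer": field("Issuer"),
            "not_after": datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y") if m else None,
        }
    return entries


def check_server_entry(text, alias="default", expected_cn=None, now=None):
    """Return a list of problems for `alias`; an empty list means the entry is
    ready to serve. `now` defaults to the current time."""
    now = now or datetime.now()
    entry = parse_listing(text).get(alias)
    if entry is None:
        return ["alias '%s' not found in keystore" % alias]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("alias '%s' is a %s, not a PrivateKeyEntry: the CA reply must be "
                        "imported under the alias that holds the key pair" % (alias, entry["type"]))
    if entry["owner"] is not None and entry["owner"] == entry["issuer"]:
        problems.append("leaf certificate is self-signed: the CA-signed certificate was not imported")
    if entry["chain_length"] < 2:
        problems.append("chain length is %d: root/intermediate certificates are missing" % entry["chain_length"])
    if expected_cn and "CN=%s" % expected_cn not in (entry["owner"] or ""):
        problems.append("subject %r does not contain CN=%s" % (entry["owner"], expected_cn))
    if entry["not_after"] is not None and entry["not_after"] <= now:
        problems.append("certificate expired on %s" % entry["not_after"].date())
    return problems


if __name__ == "__main__":
    for label, listing in (("CA-signed", GOOD_LISTING), ("self-signed default", SELF_SIGNED_LISTING)):
        print(label, "->", check_server_entry(listing, expected_cn="spectrum.example.com") or "OK")
```

Run the same check once per keystore (deviceServer, alertServer, webServer) with the host name you put in the CSR as expected_cn; an empty result for every keystore is the signal that restarting the servers will not leave one of them presenting the old self-signed certificate.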