Replacing the default SSL certificate for the Device, Alert, or Web server with a certificate from an external certificate authority

To replace the default SSL certificate for the device, alert, or web server with a certificate from an external certificate authority (CA), use the keytool command that ships with the Java runtime.

About this task

If you have strong security requirements, you might want to replace the default certificate for the Web server with a certificate from an external certificate authority so that browsers and other clients can verify the identity of the Web server when you connect over HTTPS. The default certificate is self-signed, so replacing it with a certificate that chains to a CA your clients already trust also removes web browser certificate error warnings.

Procedure

  1. Log on to the server where IBM Spectrum Control is installed. Ensure that you log on with the appropriate user privileges.
  2. Open the /jre/bin directory where IBM Spectrum Control is installed.
  3. Java comes with a utility named keytool in its bin directory that you can use to create and edit keystore files. The commands in the following steps are run from this directory. The server keystores already exist; the steps below modify them in place rather than creating new keystore files.
    For Windows operating system, the command is:
    keytool.exe
    For AIX® or Linux® operating system, the command is:
    ./keytool
  4. Export the default SSL certificate from each server keystore. These exports are copies of the certificates only (the public part); keytool -exportcert never writes the private key. If you want to be able to restore the default key pair later, also copy the key.p12 file of each server before you continue to step 5.
    1. Enter the following command to export the default SSL certificate from the device server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -exportcert -alias default 
      -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -exportcert -alias default 
      -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert 
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
    2. Enter the following command to export the default SSL certificate from the alert server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -exportcert -alias default 
      -keystore "installation_dir\wlp\usr\servers\alertServer\resources\security\key.p12" -storetype pkcs12 
      -storepass alert_server_keystore_password -file alertServer.cert
      Where alert_server_keystore_password is the alert server keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -exportcert -alias default 
      -keystore installation_dir/wlp/usr/servers/alertServer/resources/security/key.p12 -storetype pkcs12 
      -storepass alert_server_keystore_password -file alertServer.cert 
      Where alert_server_keystore_password is the alert server keystore password and the default value for this password is default.
    3. Enter the following command to export the default SSL certificate from the web server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -exportcert -alias default 
      -keystore "installation_dir\wlp\usr\servers\webServer\resources\security\key.p12" -storetype pkcs12 
      -storepass web_server_keystore_password -file webServer.cert
      Where web_server_keystore_password is the web server keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -exportcert -alias default 
      -keystore installation_dir/wlp/usr/servers/webServer/resources/security/key.p12 -storetype pkcs12 
      -storepass web_server_keystore_password -file webServer.cert
      Where web_server_keystore_password is the web server keystore password and the default value for this password is default.
  5. Complete the following tasks to delete the previous IBM Spectrum Control certificate. Deleting the default alias removes the key pair (private key and certificate) from the keystore, which is why the backup in step 4 matters:
    1. Enter the following command to delete the previous IBM Spectrum Control Device server SSL certificate from the device server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -storepass 
      keystore_password
      Where keystore_password is the device server keystore password and the default value for this password is default.
      For AIX or Linux operating system, enter the following command:
      ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 
      -storepass keystore_password
      Where keystore_password is the device server keystore password and the default value for this password is default.
    2. Enter the following command to delete the previous IBM Spectrum Control Alert server SSL certificate from the alert server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\alertServer\resources\security\key.p12" -storetype pkcs12 -storepass 
      keystore_password
      Where keystore_password is the alert server keystore password and the default value for this password is default.
      For AIX or Linux operating system, enter the following command:
      ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/alertServer/resources/security/key.p12 -storetype pkcs12 
      -storepass keystore_password
      Where keystore_password is the alert server keystore password and the default value for this password is default.
    3. Enter the following command to delete the previous IBM Spectrum Control Web server SSL certificate from the web server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\webServer\resources\security\key.p12" -storetype pkcs12 -storepass 
      keystore_password 
      Where keystore_password is the web server keystore password and the default value for this password is default.
      For AIX or Linux operating system, enter the following command:
      ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/webServer/resources/security/key.p12 -storetype pkcs12 
      -storepass keystore_password
      Where keystore_password is the web server keystore password and the default value for this password is default.
  6. Choose the alias (the key label) for the new key pair. The alias must be unique within the keystore; the examples use default, the same alias that was exported and deleted in the previous steps, so that the server configuration continues to find the key pair under the name it expects.
  7. Generate the new key pair in the server keystore by using the following command (replace the bracketed options in the following examples with the options for your keystore):
    keytool -genkeypair -alias <keystore_alias> -keyalg <key_algorithm>
    -keystore <path_to_the_keystore> -storetype pkcs12 -keysize <size_of_key>
    For example:
    keytool -genkeypair -alias default -keyalg RSA -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -keysize 2048
    Note: -genkey is the older name of -genkeypair and still works. The example mentioned is for device server. Similarly you can perform for alertServer and webServer.
    Note: Because the key.p12 file already exists, keytool adds the new key pair to it rather than creating a new keystore.
  8. When you are prompted, type the keystore password. This must be the existing password of the key.p12 file (default, unless it was changed); a different value causes keytool to fail with a "keystore password was incorrect" error.
    Note: This password is required for each subsequent keytool command that you run against the keystore.
  9. When you are prompted, type your organization and location information. Use the fully qualified host name that clients connect to as the common name (CN); a certificate whose name does not match the host name still produces browser warnings.
  10. When you are prompted, type a password for the key.
    Note: PKCS12 keystores do not support a key password that differs from the keystore password, so use the same password as in step 8 (keytool ignores a different value and prints a warning).
  11. After the key pair has been created, use the following command to generate a Certificate Signing Request (CSR) for it (replace the bracketed options in the following examples with the options for your keystore):
    keytool -certreq -alias <keystore_alias> -keystore <path_to_the_keystore> 
    -storetype pkcs12 -file <path_to_the_csr_file_being_created>
    For example:
    keytool -certreq -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -file mydomain.csr
    Note: The example mentioned is for device server. Similarly you can perform for alertServer and webServer.
  12. The Certificate Signing Request that you generated can be submitted to a CA to create a certificate signed by the CA. Send the certificate-signing request file to the CA; see the CA website for specific instructions about requesting a new certificate. You can request either a test certificate or a production certificate from the CA. However, in a production environment, you must request a production certificate.
    Important: Before completing the following steps, the signed certificates must be returned from the CA.
  13. Install the CA root and any intermediate certificates into the keystore; then, install the signed server certificate into the keystore. These certificates can be acquired from the CA that signed the server certificate. keytool validates the signed server certificate against the CA certificates already in the keystore, so the chain must be imported first.
    1. To install root and intermediate certificates (start with the root certificate first), run the following command (replace the bracketed options in the following examples with the options for your keystore):
      keytool -importcert -trustcacerts -alias <root_certificate_alias> -file 
      <path_to_the_root_certificate> -keystore <path_to_the_keystore> -storetype pkcs12
      For example:
      keytool -importcert -trustcacerts -alias root -file root.crt -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12
      Where root.crt is the CA root or intermediate certificate and key.p12 is the existing server keystore. Use a different alias for each CA certificate that you import (for example, root and intermediate).
      Note: -import is the older name of -importcert and still works. The example mentioned is for device server. Similarly you can perform for alertServer and webServer.
    2. When you are prompted, select to trust the certificate being installed. Compare the fingerprint that keytool shows with the one published by the CA before you answer yes.
    3. Repeat steps a and b for each certificate in the certificate chain.
    4. Import the server certificate that was returned from the CA by running the following command (replace the bracketed options in the following examples with the options for your keystore):
      keytool -importcert -trustcacerts -alias <server_certificate_alias> -file 
      <path_to_server_certificate> -keystore <path_to_the_keystore> -storetype pkcs12
      For example:
      keytool -importcert -trustcacerts -alias default 
      -file mydomain.crt -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12
      Where the alias is the alias of the key pair that you generated in step 7, and the file provided is the signed server certificate file. The alias must match the key pair alias; keytool then stores the certificate as the reply for that private key instead of as a separate trusted certificate.
      Note: The example mentioned is for device server. Similarly you can perform for alertServer and webServer.
  14. Stop and start the device, alert, or web server so that it loads the new certificate. You can confirm the keystore contents before the restart with keytool -list -v -keystore <path_to_the_keystore> -storetype pkcs12; the default alias should show Entry type: PrivateKeyEntry with a certificate chain length greater than 1.
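The whole procedure for one server, as an added example that is not part of the IBM documentation and not IBM Spectrum Control's own tooling. It wraps steps 4 through 13 in a POSIX shell script for AIX or Linux. The installation directory, host name, organization, and the file names deviceServer.cert, <server>.csr, root.crt and mydomain.crt are assumptions; the keystore password defaults to the value default that the page documents. The helper keystore_path refuses server names other than the three on this page so that a typo cannot modify some other keystore.

```shell
#!/bin/sh
# Added example, not from the IBM Spectrum Control documentation.
# Assumed values; override them in the environment for your installation.
set -eu

INSTALL_DIR="${INSTALL_DIR:-/opt/IBM/TPC}"          # assumed installation_dir
JAVA_BIN="${JAVA_BIN:-$INSTALL_DIR/jre/bin}"        # keytool lives here (step 2)
STOREPASS="${STOREPASS:-default}"                   # default keystore password per the page
HOST_FQDN="${HOST_FQDN:-spectrum-control.example.com}"  # assumed host name for the CN/SAN
DNAME="${DNAME:-CN=$HOST_FQDN, O=Example Org, C=US}"    # assumed subject

# Pure helper: keystore path for one of the three Liberty servers.
# Any other name is rejected so the delete step cannot hit the wrong file.
keystore_path() {
    case "$1" in
        deviceServer|alertServer|webServer) ;;
        *) echo "unknown server: $1" >&2; return 1 ;;
    esac
    printf '%s/wlp/usr/servers/%s/resources/security/key.p12\n' "$INSTALL_DIR" "$1"
}

# Steps 4 to 11: back up the keystore file (it holds the private key, which
# -exportcert does not write), export the old certificate, delete the default
# alias, generate a new RSA key pair under the same alias, and write a CSR.
prepare_csr() {
    srv="$1"; ks="$(keystore_path "$srv")"
    cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"
    "$JAVA_BIN/keytool" -exportcert -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass "$STOREPASS" -file "$srv.cert"
    "$JAVA_BIN/keytool" -delete -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass "$STOREPASS"
    # -dname and -ext replace the interactive prompts; -keypass equals -storepass
    # because PKCS12 does not support a separate key password; the SAN extension
    # is what current browsers check the host name against.
    "$JAVA_BIN/keytool" -genkeypair -alias default -keyalg RSA -keysize 2048 \
        -keystore "$ks" -storetype pkcs12 -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "$DNAME" -ext "SAN=dns:$HOST_FQDN" -validity 365
    "$JAVA_BIN/keytool" -certreq -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass "$STOREPASS" -file "$srv.csr"
    echo "CSR written to $srv.csr; submit it to your CA"
}

# Step 13: import the CA chain (root first, then intermediates) under their own
# aliases, then the signed certificate under the key pair alias, then list the
# entry so you can confirm PrivateKeyEntry and the chain length before restarting.
install_signed() {
    srv="$1"; signed="$2"; shift 2
    ks="$(keystore_path "$srv")"
    i=0
    for ca in "$@"; do
        i=$((i + 1))
        # -noprompt trusts the file unconditionally: verify its fingerprint
        # against the CA's published value before running this.
        "$JAVA_BIN/keytool" -importcert -trustcacerts -noprompt -alias "ca$i" \
            -file "$ca" -keystore "$ks" -storetype pkcs12 -storepass "$STOREPASS"
    done
    "$JAVA_BIN/keytool" -importcert -trustcacerts -alias default -file "$signed" \
        -keystore "$ks" -storetype pkcs12 -storepass "$STOREPASS"
    "$JAVA_BIN/keytool" -list -v -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass "$STOREPASS" | grep -E 'Entry type|Certificate chain length|Owner|Issuer'
}

# Usage: sh replace-cert.sh prepare deviceServer
#        sh replace-cert.sh install deviceServer mydomain.crt root.crt intermediate.crt
if [ $# -gt 0 ]; then
    case "$1" in
        prepare) prepare_csr "$2" ;;
        install) shift; install_signed "$@" ;;
        *) echo "usage: $0 prepare <server> | install <server> <signed.crt> <ca.crt>..." >&2; exit 2 ;;
    esac
fi
```

Run prepare once per server, send the three CSRs to the CA, then run install for each server with the signed certificate and the chain files, and restart the servers as in step 14. Keep the .bak copies until the new certificates are confirmed working, because the delete step is the only point at which the original private key is removed.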