Replacing the default SSL certificate for the Device, Alert, or Web server with a self-signed certificate

To replace the default SSL certificate for the Device, Alert, or Web server with a self-signed certificate, use the keytool command.

About this task

If you have strong security requirements, you can replace the default certificate for the web server with a certificate from an external certificate authority so that you can securely connect to the web server over the https protocol. Replacing the existing certificate can remove web browser certificate error warnings.

Procedure

  1. Log on to the server where IBM Spectrum Control is installed. Ensure that you log on with the appropriate user privileges.
  2. Open the /jre/bin directory where IBM Spectrum Control is installed.
  3. Java comes with a utility named keytool in its bin directory that you can use to create and edit keystore files. To create a new keystore, start by entering the keytool command.
    For Windows operating system, enter the following command:
    keytool.exe
    For AIX® or Linux® operating system, enter the following command:
    ./keytool
  4. Complete the following tasks:
    1. Enter the following command to export the default SSL certificate from the device server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -exportcert -alias default 
      -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert
      Where, device_server_keystore_password is the device server keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -exportcert -alias default 
      -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert 
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
    2. Enter the following command to export the default SSL certificate from the Device server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -exportcert -alias default 
      -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -exportcert -alias default 
      -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
    3. Enter the following command to export the default SSL certificate from the device server keystore.
      For Windows operating system, enter the following command:
      keytool.exe -exportcert -alias default 
      -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -exportcert -alias default 
      -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 
      -storepass device_server_keystore_password -file deviceServer.cert
      Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
  5. Complete the following tasks to delete the previous IBM Spectrum Control Certificate:
    1. Enter the following command to delete the previous IBM Spectrum Control Device server SSL certificate from the IBM Spectrum Control.
      For Windows operating system, enter the following command:
      keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storepass 
      keystore_password
      Where, keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 
      -storepass keystore_password
      Where, data_collector_keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is changeit.
    2. Enter the following command to delete the previous IBM Spectrum Control Alert server SSL certificate from the IBM Spectrum Control data collector trusted certificates.
      For Windows operating system, enter the following command:
      keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\alertServer\resources\security\key.p12" -storepass 
      keystore_password
      Where, keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -delete -alias deviceServer -keystore installation_dir/wlp/usr/servers/alertServer/resources/security/key.p12  
      -storepass keystore_password
      Where keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is default.
    3. Enter the following command to delete the previous IBM Spectrum Control web server SSL certificate from the IBM Spectrum Control.
      For Windows operating system, enter the following command:
      keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\webServer\resources\security\key.p12" -storepass 
      keystore_password
      Where, keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is changeit.
      For AIX® or Linux® operating system, enter the following command:
      ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/webServer/resources/security/key.p12 
      -storepass keystore_password
      Where, keystore_password is the IBM Spectrum Control web server keystore password and the default value for this password is default.
  6. Create a keystore by using the following command (replace the options in angle brackets in the following examples with the options for your keystore):
    keytool -genkey -alias <keystore_alias> -keyalg <encryption_algorithm>
    -keystore <path_to_the_keystore_being_created> -keysize <size_of_encryption_key> -validity 365
    For example:
    keytool -genkey -alias default -keyalg RSA -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -keysize 2048 -validity 365
  7. When you are prompted, type a password for the keystore that you are creating.
    Note: This password is required when you replace the keystore on the management node and for each subsequent keytool command that you run against the created keystore.
  8. When you are prompted, type your organization and location information.
  9. When you are prompted, type a password for the keystore alias.
    Note: The keystore alias password can be the same as the previous password that you created.
  10. Stop and start the device, alert, or web server.
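
The export, delete, and create steps above can be scripted for AIX or Linux. The following is an added example, not IBM Spectrum Control tooling: the function names and the KS_PASS, CERT_CN, and KEYTOOL variables are assumptions. It goes beyond the interactive procedure by passing the password through the environment (-storepass:env) so that it does not appear in the process list, and by supplying the certificate subject with -dname instead of answering prompts.

```sh
#!/bin/sh
# Added example (not IBM tooling). Run from the jre/bin directory (step 2).
# Assumed variables: KS_PASS (keystore password), CERT_CN (host name that
# clients connect to), KEYTOOL (defaults to ./keytool).

# Build the keystore path for one of the three servers named in the procedure.
keystore_path() {   # usage: keystore_path <installation_dir> <server>
    case "$2" in
        deviceServer|alertServer|webServer)
            printf '%s/wlp/usr/servers/%s/resources/security/key.p12\n' "$1" "$2" ;;
        *)  echo "unknown server: $2" >&2; return 1 ;;
    esac
}

replace_cert() {    # usage: replace_cert <installation_dir> <server>
    ks=$(keystore_path "$1" "$2") || return 1
    if [ -z "${KS_PASS:-}" ] || [ -z "${CERT_CN:-}" ]; then
        echo "export KS_PASS and CERT_CN first" >&2; return 1
    fi
    export KS_PASS                       # -storepass:env reads the environment
    kt=${KEYTOOL:-./keytool}
    cp -p "$ks" "$ks.bak" || return 1    # rollback copy; it holds the old private key

    # Step 4: export the current certificate for reference.
    "$kt" -exportcert -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass:env KS_PASS -file "$2.cert" || return 1
    # Step 5: delete the previous certificate entry.
    "$kt" -delete -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass:env KS_PASS || return 1
    # Steps 6-9: create the self-signed key pair without prompts.
    "$kt" -genkeypair -alias default -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$CERT_CN" -ext "san=dns:$CERT_CN" \
        -keystore "$ks" -storetype pkcs12 \
        -storepass:env KS_PASS -keypass:env KS_PASS || return 1
    # Check the new entry: subject, validity dates and fingerprint.
    "$kt" -list -v -alias default -keystore "$ks" -storetype pkcs12 \
        -storepass:env KS_PASS
}

# Run only when called as: script <installation_dir> <server>
if [ "$#" -eq 2 ]; then
    replace_cert "$1" "$2"
fi
```

Restart the server afterwards as in step 10. Remove the .bak copy once the new certificate is confirmed, because it still contains the previous private key.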