Replacing the default SSL certificate for the Device, Alert, or Web server with a self-signed certificate
To replace the default SSL certificate for the Device, Alert, or Web server with a self-signed certificate, use the keytool command.
About this task
If you have strong security requirements, you can replace the default certificate for the web server with a certificate from an external certificate authority so that you can securely connect to the web server when you use the HTTPS protocol. Replacing the existing certificate can remove web browser certificate error warnings.
Procedure
- Log on to the server where IBM Spectrum Control is installed. Ensure that you log on with the appropriate user privileges.
- Open the /jre/bin directory where IBM Spectrum Control is installed.
- Java comes with a utility named keytool in its bin directory that you can use to create and edit keystore files. To create a new keystore, complete the following steps: Enter the keytool command.
  For Windows operating system, enter the following command:
    keytool.exe
  For AIX® or Linux® operating system, enter the following command:
    ./keytool
- Complete the following tasks:
- Enter the following command to export the default SSL certificate from the device server keystore.
  For Windows operating system, enter the following command:
    keytool.exe -exportcert -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -storepass device_server_keystore_password -file deviceServer.cert
  Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
  For AIX® or Linux® operating system, enter the following command:
    ./keytool -exportcert -alias default -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 -storepass device_server_keystore_password -file deviceServer.cert
  Where device_server_keystore_password is the device server keystore password and the default value for this password is default.
- Complete the following tasks to delete the previous IBM Spectrum Control certificate:
- Enter the following command to delete the previous IBM Spectrum Control Device server SSL certificate from IBM Spectrum Control.
  For Windows operating system, enter the following command:
    keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -storepass keystore_password
  Where keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
  For AIX® or Linux® operating system, enter the following command:
    ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 -storepass keystore_password
  Where data_collector_keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is changeit.
- Enter the following command to delete the previous IBM Spectrum Control Alert server SSL certificate from the IBM Spectrum Control data collector trusted certificates.
  For Windows operating system, enter the following command:
    keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\alertServer\resources\security\key.p12" -storepass keystore_password
  Where keystore_password is the IBM Spectrum Control keystore password and the default value for this password is default.
  For AIX® or Linux® operating system, enter the following command:
    ./keytool -delete -alias deviceServer -keystore installation_dir/wlp/usr/servers/alertServer/resources/security/key.p12 -storepass keystore_password
  Where keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is default.
- Enter the following command to delete the previous IBM Spectrum Control web server SSL certificate from IBM Spectrum Control.
  For Windows operating system, enter the following command:
    keytool.exe -delete -alias default -keystore "installation_dir\wlp\usr\servers\webServer\resources\security\key.p12" -storepass keystore_password
  Where keystore_password is the IBM Spectrum Control data collector keystore password and the default value for this password is changeit.
  For AIX® or Linux® operating system, enter the following command:
    ./keytool -delete -alias default -keystore installation_dir/wlp/usr/servers/webServer/resources/security/key.p12 -storepass keystore_password
  Where keystore_password is the IBM Spectrum Control web server keystore password and the default value for this password is default.
- Create a keystore by using the following command (replace the options in angle brackets with the options for your keystore):
    keytool -genkey -alias <keystore_alias> -keyalg <encryption_algorithm> -keystore <path_to_the_keystore_being_created> -keysize <size_of_encryption_key> -validity 365
  For example:
    keytool -genkey -alias default -keyalg RSA -keystore "installation_dir\wlp\usr\servers\deviceServer\resources\security\key.p12" -keysize 2048 -validity 365
- When you are prompted, type a password for the keystore that you are creating. Note: This password is required when you replace the keystore on the management node and for each subsequent keytool command that you run against the created keystore.
- When you are prompted, type your organization and location information.
- When you are prompted, type a password for the keystore alias. Note: The keystore alias password can be the same as the previous password that you created.
- Stop and start the device, alert, or web server.
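
Before restarting the server, it is worth confirming that the regenerated `default` entry is a private-key entry with the key size you asked for. The following check is an added example, not IBM's code: `audit_keystore_entry` and `sample_listing` are hypothetical helper names, the `keytool -list -v` invocation in the comment is an assumed way to produce the input, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Real use (assumed invocation, from jre/bin):
#   ./keytool -list -v -alias default -storetype pkcs12 \
#     -keystore installation_dir/wlp/usr/servers/deviceServer/resources/security/key.p12 \
#     | audit_keystore_entry default 2048

# Constructed, abridged sample of `keytool -list -v` output for one alias
# (host name, organization and dates are made up).
sample_listing() {
cat <<'EOF'
Alias name: default
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=spectrum.example.com, OU=Storage, O=Example Corp, L=Austin, ST=TX, C=US
Issuer: CN=spectrum.example.com, OU=Storage, O=Example Corp, L=Austin, ST=TX, C=US
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Sat Jan 04 10:00:00 UTC 2025
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

# audit_keystore_entry ALIAS MIN_BITS
# Reads a listing on stdin, prints one line per check, and returns 0 only
# when no check FAILs. Only the first certificate in a chain is examined.
audit_keystore_entry() {
    awk -v want="$1" -v min="$2" '
        function check(ok, msg) { print (ok ? "PASS " : "FAIL ") msg; if (!ok) bad = 1 }
        /^Alias name: / && alias == ""  { alias  = substr($0, 13) }
        /^Entry type: / && etype == ""  { etype  = substr($0, 13) }
        /^Owner: /      && owner == ""  { owner  = substr($0, 8) }
        /^Issuer: /     && issuer == "" { issuer = substr($0, 9) }
        /^Signature algorithm name: /     && sig == ""  { sig  = $4 }
        /^Subject Public Key Algorithm: / && bits == "" { bits = $5 + 0 }
        END {
            check(alias == want, "alias is " alias)
            # A trustedCertEntry has no private key, so the server cannot serve it.
            check(etype == "PrivateKeyEntry", "entry type is " etype)
            check(bits >= min, "public key is " bits " bits (minimum " min ")")
            check(sig != "" && sig !~ /^(SHA1|MD5|MD2)with/, "signature algorithm is " sig)
            # Owner equal to Issuer means self-signed: clients must trust it explicitly.
            print "INFO " (owner == issuer ? "self-signed" : "issued by " issuer)
            exit bad + 0
        }'
}

sample_listing | audit_keystore_entry default 2048
```

Run the same check against the alertServer and webServer keystores if you replaced those certificates as well.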