Replacing WebSphere Application Server Network Deployment certificates

To replace a certificate before it expires, or to use your own certificate, you can replace an IBM® WebSphere® Application Server Network Deployment certificate by specifying a different certificate for each node.

About this task

In clustered IBM InfoSphere® Information Server installations, all signer certificates must be stored in the CellDefaultTrustStore truststore. In stand-alone InfoSphere Information Server installations, all signer certificates must be stored in the NodeDefaultTrustStore truststore. These trust stores are the default locations for WebSphere Application Server Network Deployment signer certificates.

In WebSphere Application Server, Version 6.1, when certificates expire or if the nodes are out of synchronization, you can replace a certificate by completing the steps in the following technote: http://www.ibm.com/support/docview.wss?rs=180&uid=swg21305596. Although WebSphere Application Server, Version 6.1 is not supported in this release of InfoSphere Information Server, the example in this technote is still valid for manually replacing SSL certificates.

In WebSphere Application Server, Version 8.5.5.1, you can renew certificates. WebSphere Application Server generates a new certificate that replaces the old certificate.

Alternatively, you can replace a certificate with your own certificate, or you can use a certificate signed by a certificate authority. Refer to the WebSphere Application Server documentation for details.

Procedure

  1. Log in to the WebSphere Application Server administrative console.
  2. Run the following script to start the application server:
    Operating system    Script
    AIX®, Solaris       MetadataServer.sh
    Linux®              MetadataServer.sh
    Windows             MetadataServer.bat
  3. Use the startManager command to start the deployment manager.
  4. Renew or replace the WebSphere Application Server certificate.
    See the WebSphere Application Server documentation for more information on how to renew the certificate.
  5. Stop and restart all IBM WebSphere Application Server Network Deployment processes. For more information about restarting application server processes, see Restarting application server processes.
  6. Retrieve the signer certificate for the WebSphere Application Server client trust store. If the WebSphere Application Server client trust store does not include a signer certificate, the application server might fail.

    By default, when you run a WebSphere Application Server command-line utility, such as the serverStatus command or the stopServer command, WebSphere Application Server prompts you to accept the certificate if it is not trusted. Ensure that you accept the certificate before you stop or start WebSphere Application Server by using any other application, such as Microsoft Windows Services.

    See the WebSphere Application Server documentation for more information on retrieving the signer certificate and establishing trust for your certificate:

    • For Version 8.5.5.1, go to the WebSphere Application Server information center and read Secure installation for client signer retrieval in SSL.
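
The following added example (not IBM code and not part of the original page) shows one way to find signer certificates that need replacing before they expire, by parsing the text that the JDK `keytool -list -v` command prints for a truststore such as NodeDefaultTrustStore or CellDefaultTrustStore. The sample listing, the alias names, the 60-day warning window, and the treatment of all dates as UTC are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `keytool -list -v` truststore output (invented aliases and dates).
SAMPLE_LISTING = """\
Alias name: root
Valid from: Tue Jan 02 10:00:00 UTC 2024 until: Wed Dec 29 10:00:00 UTC 2038

Alias name: default_signer
Valid from: Tue Jan 02 10:00:00 UTC 2024 until: Wed Jan 01 10:00:00 UTC 2025

Alias name: old_signer
Valid from: Mon Jan 03 10:00:00 UTC 2022 until: Tue Jan 03 10:00:00 UTC 2023
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
# keytool prints e.g. "until: Wed Jan 01 10:00:00 UTC 2025"; the zone name is
# skipped and the time treated as UTC (assumption, fine for day granularity).
UNTIL_RE = re.compile(r"until:\s*\w{3} (\w{3}) (\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")


def signer_expiry(listing):
    """Return {alias: not_after} for every entry in the listing."""
    result, alias = {}, None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            alias = m.group(1).strip()
            continue
        m = UNTIL_RE.search(line)
        if m and alias is not None:
            stamp = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
            # Keep the first certificate seen for an alias (the entry's own cert).
            result.setdefault(alias, stamp.replace(tzinfo=timezone.utc))
    return result


def classify(listing, now, warn_days=60):
    """Split aliases into expired, expiring within warn_days, and ok."""
    report = {"expired": [], "expiring": [], "ok": []}
    for alias, not_after in sorted(signer_expiry(listing).items()):
        remaining = not_after - now
        state = ("expired" if remaining <= timedelta(0)
                 else "expiring" if remaining <= timedelta(days=warn_days) else "ok")
        report[state].append(alias)
    return report


if __name__ == "__main__":
    print(classify(SAMPLE_LISTING, datetime(2024, 12, 1, tzinfo=timezone.utc)))
```

Aliases reported as expired or expiring are the ones to renew or replace in step 4, and to redistribute to client trust stores afterward.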

What to do next

Run the UpdateSignerCerts tool on the client tiers, engine tiers, and services tiers. For more information, refer to Running UpdateSignerCerts after enabling SSL or changing SSL settings.