Troubleshooting
Problem
The default WebSphere SSL certificate expires after 365 days. On a backup or HA cold-standby Services Tier system, you may not notice that the certificate has expired until you attempt to use the fallback option.
Resolving The Problem
It is not possible to extend the expiration of the existing certificate, as that would be a violation of the integrity of the certificate. That leaves two possible alternatives:
- Renew the default certificate annually using the WebSphere renewal process. That process is documented in the WebSphere Knowledge Center. For example, for WAS ND 8.5.5, see: http://www-01.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_7renewcecacert.html?lang=en
- Replace the default certificate with a new chained certificate that has a longer expiration period. That process is documented in WebSphere TechNote # 1654278: http://www-01.ibm.com/support/docview.wss?uid=swg21654278
If you choose the latter, replacing the default certificate, note that the expiration is set in the 'Validity period' field of the new certificate during step number 5 of the process in the TechNote. You will still need to renew or replace the certificate after the specified expiration, but you can set the expiration for a much longer period, up to 7300 days (20 years). This allows for less frequent replacements.
For the other fields in the replacement certificate you may copy the information from the existing default certificate, or adjust as appropriate for your environment.
In either case, whether you renew or replace the default certificate, you may need to accept the new certificate into the WebSphere and Information Server truststores. If such an update is required, you will be asked to accept the new certificate the first time you run the WebSphere command line tools (wsadmin, stopServer, startServer, et cetera) or the IIS command line tools. It is possible to preemptively update the certificate in the IIS truststores with the UpdateSignerCerts command. For each ASBNode or ASBServer, run the following UpdateSignerCerts command to update the truststores with the new certificate:
<IIS_home_path>/ASBServer/bin/UpdateSignerCerts[.sh|.bat] -url https://{hostname:port} -user IIS_admin_user -password IIS_admin_password
<IIS_home_path>/ASBNode/bin/UpdateSignerCerts[.sh|.bat] -url https://{hostname:port} -user IIS_admin_user -password IIS_admin_password
Note: Each command mentioned in the preceding section will have a shell (.sh) extension on Linux / UNIX-based platforms, and a batch (.bat) extension on Windows-based platforms.
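To catch the situation described under Problem before a failover is needed, the certificate presented by a standby host can be checked on a schedule. The script below is an added example, not part of the original TechNote and not IBM code; it assumes the openssl command-line tool is installed, and the function names and the sample subject name are made up for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): flag a TLS certificate that is expired or
# close to expiry, so a cold-standby tier is caught before failover.

# Print the server's leaf certificate as PEM. s_client does not abort on an
# untrusted chain, so this works before the truststores are updated.
# Argument: host:port of the endpoint (the value given to -url above).
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_status PEM_FILE [WARN_DAYS] -> OK | EXPIRING | EXPIRED | UNREADABLE
cert_status() {
    pem=$1
    warn_days=${2:-30}
    # Reject anything that does not parse as an X.509 certificate, so a
    # failed fetch is not misreported as an expired certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days, written to OUT_FILE. The subject name is made up.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=standby.example.invalid" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Demo on constructed certificates: 365 days is the default lifetime named
# above, 7300 days the longest validity period the TechNote allows.
demo_dir=$(mktemp -d)
make_sample_cert 365 "$demo_dir/default.pem"
make_sample_cert 7300 "$demo_dir/long.pem"
echo "365-day cert, 30-day warning:   $(cert_status "$demo_dir/default.pem" 30)"
echo "365-day cert, 400-day warning:  $(cert_status "$demo_dir/default.pem" 400)"
echo "7300-day cert, 400-day warning: $(cert_status "$demo_dir/long.pem" 400)"
rm -rf "$demo_dir"
```

Against a live system, write the output of fetch_cert for the standby host's host:port to a file and pass that file to cert_status; an UNREADABLE result means the fetch itself failed.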
Document Information
Modified date:
16 June 2018
UID
swg21974440