IBM Support

Importing And Configuring A Certificate From Digital Certificate Manager To A Specified Keystore With ADMIN/IAS/IWS Application Servers

How To


Summary

When configuring the ADMIN1, ADMIN2, ADMIN3, ADMIN5, Integrated Application Servers (IAS), or Integrated Web Services (IWS) application servers for TLS communications, you have the option of specifying a keystore other than Digital Certificate Manager. When selecting a specific keystore to use with your application server instance, you also have the option of using a certificate from a Digital Certificate Manager certificate store instead of using the default self-signed certificate. This document discusses how to import the desired certificate from a Digital Certificate Manager certificate store and configure your application server to use it. We will also discuss how to maintain this configuration moving forward.

Environment

IBM i 7.2, 7.3, 7.4, & 7.5 OS
Required IBM i PTF levels:
 
IBM i 7.5 - included in GA
IBM i 7.4 - IBM i HTTP Group PTF level, SF99662 - 19
IBM i 7.3 - IBM i HTTP Group PTF level, SF99722 - 38
IBM i 7.2 - IBM i HTTP Group PTF level, SF99713 - 50
Digital Certificate Manager (DCM)
ADMIN1, ADMIN2, ADMIN3, and ADMIN5 Application Server Instances
Integrated Application Server v8.5 Instances
Integrated Web Services v2.6 Instances

Steps

Configure your ADMIN1, ADMIN2, ADMIN3, ADMIN5, Integrated Application Server v8.5, or Integrated Web Services v2.6 application server instance for TLS communications

Follow the steps outlined in the IBM document, How To Configure ADMIN/Integrated Application Server/Integrated Web Service Application Servers for TLS Communications Using a Specified Keystore, to complete this task. This document assumes the application server keystore has already been created and exists.

Manage the specified keystore for the application server and import the certificate from DCM

Example specified keystore paths by application server type.
ADMIN1 - /QIBM/UserData/OS/ADMININST/admin1/wlp/usr/servers/admin1/resources/security/key.jks
ADMIN2 - /QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/resources/security/key.jks
ADMIN3 - /QIBM/UserData/OS/ADMININST/admin3/wlp/usr/servers/admin3/resources/security/key.jks
ADMIN5 - /QIBM/UserData/OS/ADMININST/admin5/wlp/usr/servers/admin5/resources/security/key.jks
IAS/IWS - /www/<server>/wlp/usr/servers/<server>/resources/security/key.jks
1) Open a web browser and go to the URL, http://<server>:2001/HTTPAdmin or https://<server>:2010/HTTPAdmin, to display the IBM Web Administration for i console web application.
If you are not prompted for a user ID and password, execute the following CL command to ensure the ADMIN server is started:
STRTCPSVR *HTTP HTTPSVR(*ADMIN)
If you continue to experience issues accessing the IBM Web Administration for i console, open a support case with IBM or call 1-800-IBM-SERV.
2) When prompted, sign in with a user profile containing *SECADM and *ALLOBJ explicit special authorities.
3) Click on Manage -> Application Servers and select your application server from the Server drop-down box.
4) Click on Manage Certificates under Tools on the left-hand menu.
5) Specify the keystore path used to configure TLS communications for the application server.  Then, specify the password to the keystore and click the Next button to continue.
If you do not know this path, you can locate it by viewing the application server's TLS configuration file with the WRKLNK CL command.
ADMIN1 - /QIBM/UserData/OS/ADMININST/admin1/wlp/usr/servers/admin1/resources/security/admin-cust.xml
ADMIN2 - /QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/resources/security/admin-cust.xml
ADMIN3 - /QIBM/UserData/OS/ADMININST/admin3/wlp/usr/servers/admin3/resources/security/admin-cust.xml
ADMIN5 - /QIBM/UserData/OS/ADMININST/admin5/wlp/usr/servers/admin5/resources/security/admin-cust.xml
IAS/IWS - /www/<server>/wlp/usr/servers/<server>/server.xml
WRKLNK '/QIBM/UserData/OS/ADMININST/admin1/wlp/usr/servers/admin1/resources/security/admin-cust.xml'
Enter option 5 to display the file.
Example configuration line containing the IFS path to the keystore:
<keyStore id="KeyStoreByWebAdmin" location="/qibm/userdata/os/admininst/admin1/wlp/usr/servers/admin1/resources/security/key.jks" password="password" type="JKS"/>
6) Click the Import button to import a certificate into the keystore.
7) Select "Certificate from another keystore" and then select "Use Digital Certificate Manager (DCM) SYSTEM store".  Then, enter the DCM *SYSTEM certificate store password and click the Next button.
8) Select the certificate aliases to be imported into the keystore you are managing.  Then, click the Next button.
9) Review the import certificate summary and click the Finish button to complete the certificate import.
10) You should now see the new certificate displayed for the keystore path being managed.
Record the certificate alias name you would like to use for the application server.

Configure your application server to use the newly imported certificate

NOTE:  As an alternative to manually editing the application server configuration file to change the serverKeyAlias to the recently imported certificate label, you can run the "Disable TLS" configuration wizard first and then run the "Configure TLS" wizard again, specifying the existing keystore path and choosing the option "Select an existing certificate", where you select the recently imported certificate label and complete the wizard to implement the new certificate.  Refer to the IBM Document, How To Configure ADMIN/Integrated Application Server/Integrated Web Service Application Servers for TLS Communications Using a Specified Keystore, for detailed information on executing the "Disable TLS" and "Configure TLS" configuration wizards.

1) Use WRKLNK to edit the configuration file for the application server instance to update the serverKeyAlias configuration attribute value to point to the newly imported certificate.

ADMINx application servers:
ADMIN1 - WRKLNK '/QIBM/UserData/OS/ADMININST/admin1/wlp/usr/servers/admin1/resources/security/admin-cust.xml'
ADMIN2 - WRKLNK '/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/resources/security/admin-cust.xml'
ADMIN3 - WRKLNK '/QIBM/UserData/OS/ADMININST/admin3/wlp/usr/servers/admin3/resources/security/admin-cust.xml'
ADMIN5 - WRKLNK '/QIBM/UserData/OS/ADMININST/admin5/wlp/usr/servers/admin5/resources/security/admin-cust.xml'
IAS/IWS - WRKLNK '/www/<server>/wlp/usr/servers/<server>/server.xml'
Execute the appropriate WRKLNK command and then enter option 2 to edit.
2) Locate the <ssl> XML element that is the closest to the bottom of the file.  If there are multiple <ssl> elements, you can edit all of them or just the last one in the file.  Then, locate the "serverKeyAlias" attribute and change the value to the new certificate alias name for the certificate you imported.
Example:
Original values:
<ssl id="SSLSettingsByWebAdmin" keyStoreRef="KeyStoreByWebAdmin" serverKeyAlias="qibm_app_server_admin1" sslProtocol="TLSv1.2" trustStoreRef="KeyStoreByWebAdmin"/>
After change to use the new certificate:
<ssl id="SSLSettingsByWebAdmin" keyStoreRef="KeyStoreByWebAdmin" serverKeyAlias="admin1_dcm_cert" sslProtocol="TLSv1.2" trustStoreRef="KeyStoreByWebAdmin"/>
3) Press F3 twice to save and exit after making the change to the serverKeyAlias value to point to the new certificate.
4) Restart your application server instance for the new certificate to take effect.
ENDTCPSVR SERVER(*IAS) INSTANCE(<appServerName>)
The 5250 session will be input inhibited until the application server ends.
STRTCPSVR SERVER(*IAS) INSTANCE(<appServerName>)
WRKACTJOB SBS(QHTTPSVR)
Wait for the application server JVM job to start and CPU utilization to go down to 0~1%.
5) The application server will now use the new certificate!
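The two manual steps above (reading the keyStore location out of the <keyStore> element in step 5 of the import section, and changing serverKeyAlias on the last <ssl> element in step 2 here) can be scripted and checked. The following Python is an added example, not IBM's code or part of this document's procedure; the admin-cust.xml content and the alias set are constructed, the alias set standing in for what the Manage Certificates page lists after the import. The edit refuses an alias that is not in the keystore, since a dangling serverKeyAlias leaves the server unable to bring up TLS after the restart.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an admin-cust.xml as written by the Configure TLS wizard.
SAMPLE_CONFIG = """<server>
  <keyStore id="KeyStoreByWebAdmin" location="/qibm/userdata/os/admininst/admin1/wlp/usr/servers/admin1/resources/security/key.jks" password="password" type="JKS"/>
  <ssl id="SSLSettingsByWebAdmin" keyStoreRef="KeyStoreByWebAdmin" serverKeyAlias="qibm_app_server_admin1" sslProtocol="TLSv1.2" trustStoreRef="KeyStoreByWebAdmin"/>
</server>
"""

SSL_ELEMENT = re.compile(r"<ssl\b[^>]*>")
ALIAS_ATTR = re.compile(r'serverKeyAlias="[^"]*"')


def resolve_keystore(config_text):
    """Return (serverKeyAlias, keystore location) for the last <ssl> element,
    following its keyStoreRef to the <keyStore> with that id (step 5 lookup)."""
    root = ET.fromstring(config_text)
    ssl = root.findall("ssl")[-1]
    stores = {ks.get("id"): ks for ks in root.findall("keyStore")}
    keystore = stores[ssl.get("keyStoreRef")]  # KeyError: dangling keyStoreRef
    return ssl.get("serverKeyAlias"), keystore.get("location")


def set_server_key_alias(config_text, new_alias, keystore_aliases):
    """Rewrite serverKeyAlias on the LAST <ssl> element only, as the manual
    step does, leaving every other byte of the file untouched.
    keystore_aliases is the set of aliases present in key.jks (hypothetical
    input here; in practice taken from the Manage Certificates page)."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", new_alias):
        raise ValueError(f"alias {new_alias!r} contains characters unsafe for an XML attribute")
    if new_alias not in keystore_aliases:
        raise ValueError(f"alias {new_alias!r} is not in the keystore; refusing to edit")
    matches = list(SSL_ELEMENT.finditer(config_text))
    if not matches:
        raise ValueError("no <ssl> element found in configuration")
    last = matches[-1]
    new_elem, n = ALIAS_ATTR.subn(
        lambda _m: f'serverKeyAlias="{new_alias}"', last.group(0), count=1)
    if n == 0:
        raise ValueError("last <ssl> element has no serverKeyAlias attribute")
    return config_text[:last.start()] + new_elem + config_text[last.end():]


if __name__ == "__main__":
    aliases = {"qibm_app_server_admin1", "admin1_dcm_cert"}  # constructed
    print(resolve_keystore(SAMPLE_CONFIG))
    print(set_server_key_alias(SAMPLE_CONFIG, "admin1_dcm_cert", aliases))
```

Run resolve_keystore again on the rewritten text to confirm the alias the server will actually present before restarting the instance.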

Document Location

Worldwide


Document Information

Modified date:
13 July 2022

UID

ibm16591067