IBM Support

Renew the expiring certificates for Maximo 7.5 / 7.6 from WebSphere 7 / 8.5.5

Technical Blog Post


Abstract

Renew the expiring certificates for Maximo 7.5 / 7.6 from WebSphere 7 / 8.5.5

Body

If you are using an older fix pack level of WebSphere 7 or 8.5.5 (WebSphere 7.0.0.34 / 8.5.5.3 or earlier) and experienced an outage due to expired default certificates, the first thing you need to do is renew them. Default WebSphere certificates should be renewed automatically; however, in some cases they were not.

 

"When certificate expiration monitor finds expired certificate, it examines if the certificate is signed by WebSphere Application Servers root certificate or not. If it is signed by its root, the expired certificate is renewed and it replaces the expired one. In the case where a root certificate is chained certificate, WebSphere incorrectly thinks expired certificate is not signed by WebSphere even though it is, and does not renew or replace it."

 

In the SystemOut.log files of both the nodeagent and the deployment manager, you will see the same traces, shown below.

 

[3/14/16 7:22:20:332 PDT] 0000007d WSX509TrustMa E   CWPKI0312E: The certificate with subject DN CN=MXSYSTEMS, OU=ctgNodeCell01, OU=ctgNode01, O=IBM, C=US has an end date Mon Jan 11 11:17:18 PST 2016 which is no longer valid.
[3/14/16 7:22:20:336 PDT] 0000007d ORBRas        E com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl createSSLSocket Thread-135 JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security.  Reason: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

...

Caused by: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

...

Caused by: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

...

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016
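As an added example (not part of the original IBM post), the following Python script scans SystemOut.log lines for the CWPKI0312E message shown above and reports each expired certificate once, with its subject DN, end date, first occurrence and hit count. The sample input is built from the trace on this page plus one constructed entry for a hypothetical second node, ctgNode02; the function and field names are illustrative.

```python
import re
from datetime import datetime

# Matches the CWPKI0312E message format shown in the traces above.
CWPKI0312E = re.compile(
    r"\[(?P<ts>[^\]]+)\].*?CWPKI0312E: The certificate with subject DN "
    r"(?P<dn>.+?) has an end date (?P<end>.+?) which is no longer valid"
)

# Constructed sample: line 1 is the trace from this page, line 2 is an abridged
# JSSL0080E line, line 3 repeats line 1 later, line 4 is a made-up node (ctgNode02).
SAMPLE_LOG = """\
[3/14/16 7:22:20:332 PDT] 0000007d WSX509TrustMa E   CWPKI0312E: The certificate with subject DN CN=MXSYSTEMS, OU=ctgNodeCell01, OU=ctgNode01, O=IBM, C=US has an end date Mon Jan 11 11:17:18 PST 2016 which is no longer valid.
[3/14/16 7:22:20:336 PDT] 0000007d ORBRas        E JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security.
[3/14/16 7:23:20:101 PDT] 0000007e WSX509TrustMa E   CWPKI0312E: The certificate with subject DN CN=MXSYSTEMS, OU=ctgNodeCell01, OU=ctgNode01, O=IBM, C=US has an end date Mon Jan 11 11:17:18 PST 2016 which is no longer valid.
[3/14/16 7:24:02:010 PDT] 00000081 WSX509TrustMa E   CWPKI0312E: The certificate with subject DN CN=MXSYSTEMS, OU=ctgNodeCell01, OU=ctgNode02, O=IBM, C=US has an end date Tue Jan 12 09:00:00 PST 2016 which is no longer valid.
"""


def _parse(text, fmt, tz_index):
    """Parse a timestamp after dropping its zone abbreviation (PST, PDT, ...),
    which strptime's %Z does not handle portably. Result is server-local time."""
    parts = text.split()
    del parts[tz_index]
    return datetime.strptime(" ".join(parts), fmt)


def expired_certificates(lines):
    """Return one record per distinct subject DN reported by CWPKI0312E."""
    found = {}
    for line in lines:
        m = CWPKI0312E.search(line)
        if not m:
            continue
        dn = m.group("dn")
        rec = found.setdefault(dn, {
            "subject_dn": dn,
            # OU values of the DN; in the sample they look like cell and node names.
            "ous": re.findall(r"OU=([^,]+)", dn),
            "not_after": _parse(m.group("end"), "%a %b %d %H:%M:%S %Y", -2),
            "first_seen": _parse(m.group("ts"), "%m/%d/%y %H:%M:%S:%f", -1),
            "hits": 0,
        })
        rec["hits"] += 1
    return list(found.values())


if __name__ == "__main__":
    for cert in expired_certificates(SAMPLE_LOG.splitlines()):
        print(cert["subject_dn"], "expired", cert["not_after"], "hits:", cert["hits"])
```

Run against the nodeagent and deployment manager logs, the output shows which certificates need renewing in the steps further down.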

 

This issue was identified by WebSphere as APAR PI14178: CERTIFICATE MONITOR DID NOT RENEW CHAINED CERTIFICATE ( NOT IBM DEFAULT CHAINED CERTIFICATE) and has been fixed in WebSphere fix pack versions 7.0.0.35 and 8.5.5.4 or later.

 

IBM Support recommends using WebSphere 7.0 Fix Pack 35 or higher with Java SDK 1.6.0 SR12 Cumulative Fix with Maximo and Control Desk:

 

/support/pages/node/197777

 

If an immediate fix is needed, then manually renewing the expired certificates is the solution.

 

Manually Renewing Certificates

 

  1. From the WebSphere console, navigate to Security > SSL certificate and key management > Key stores and certificates.

  2. Click CellDefaultKeyStore and NodeDefaultKeyStore, then go to Personal Certificates. If you have multiple nodes, you will have to repeat the same steps for each node's key store.
  3. Select the check box and click the Renew button.

  4. Restart the WebSphere deployment manager and synchronize the nodes.

 


UID

ibm11131267