IBM Support

Replacing the Default Security Certificate for IBM Support Assistant Team Server

Product Documentation


Abstract

An initial installation of IBM Support Assistant Team Server includes a default SSL certificate in the WebSphere Liberty Application Server.

This document describes how to replace the default certificate so that the server presents installation-appropriate identification and browsers stop raising security warnings. Detailed steps for specific platforms and scenarios are beyond its scope. The guidance is general and is meant as a starting point for searching publicly available references.

Content

Introduction:

IBM Support Assistant (ISA) ships with WebSphere Liberty configured to generate a self-signed SSL certificate for CN = localhost, OU = isa, O = ibm, C = us. Browsers are likely to raise warnings because the certificate is self-signed. The attached screen capture represents a common warning.
Even when a connecting client accepts a security exception, the browser is likely to keep showing a certificate warning as a reminder that the connection is not secure. This will be unacceptable for certain deployments.

Overview:

There are two files that are important when configuring the certificate for your ISA Application Server.
  1. server.xml
  2. key.p12
The server.xml file is found in the root directory of the ISA Application Server under WebSphere Liberty. The server.xml file contains the obfuscated password for the key.p12 file. WebSphere Liberty provides a securityUtility tool that can be used to obfuscate plain text passwords for the server.xml file.
The key.p12 file is found in the ./resources/security/ directory under the ISA Application Server. The key.p12 file contains the certificate presented when clients connect to the ISA Application Server.
The general process for configuring the certificate for ISA is:
  1. Create a key.p12 file with the desired certificate
  2. Obfuscate the password using the WebSphere Liberty securityUtility tool
  3. Replace the existing obfuscated password in the ISA server.xml file.

Detailed Steps:

The following steps explain, in general terms, how to configure the ISA Application Server certificate as described above.
  1. Open a command prompt window at the root directory of the IBM Support Assistant installation
  2. Ensure the ISA Server is stopped by using the ./ISA5/stopServer script
  3. Find the ISA Application Server root directory under WebSphere Liberty at ./ISA5/wlp/usr/servers/isa
  4. From the ISA Application Server root directory, find the ./server.xml and ./resources/security/key.p12 files
  5. Using your preferred key management utility, create a new key.p12 containing the desired certificate and obfuscate the password using the securityUtility tool
  6. Change the password in the ./server.xml file and replace the ./resources/security/key.p12 file with the new version
  7. Restart the ISA Server using the ./ISA5/startServer script
  8. Verify the desired certificate by inspecting the certificate presented when connecting to https://localhost:10943/isa5/ or using the appropriate remote hostname.
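
The following script is an added example, not part of IBM's documentation or tooling. It sketches steps 5, 6 and 8 as shell functions and checks that the keystore password in server.xml is encoded and that the server no longer presents the default CN = localhost certificate. It assumes OpenSSL as the key management utility, hypothetical PEM input files, securityUtility located at ./ISA5/wlp/bin, and a server.xml whose `<keyStore>` element carries the `password` attribute on a single line.

```shell
#!/bin/sh
# Added example, not IBM's script. Assumed: OpenSSL as the key tool, PEM inputs,
# securityUtility under wlp/bin, a one-line <keyStore ... password="..."> element.
ISA_SERVER=./ISA5/wlp/usr/servers/isa

# Step 5: build key.p12; the password comes from $P12_PASS, not the command line.
make_p12() {  # make_p12 cert.pem key.pem chain.pem out.p12
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" \
        -passout env:P12_PASS
}

# Step 5: with no arguments securityUtility prompts for the text to encode.
encode_password() { ./ISA5/wlp/bin/securityUtility encode; }

# Step 6 check: is the keystore password in server.xml encoded?
keystore_password_state() {  # prints encoded | plaintext | missing
    pw=$(sed -n 's/.*<keyStore[^>]*password="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    case "$pw" in
        '') echo missing ;;
        '{xor}'*|'{aes}'*) echo encoded ;;
        *) echo plaintext ;;
    esac
}

# Step 8: subject of the certificate the server actually presents.
presented_subject() {  # presented_subject host port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# True when the subject still carries every RDN of the shipped default.
is_default_subject() {
    s=$(printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    for rdn in cn=localhost ou=isa o=ibm c=us; do
        case "$s" in *"$rdn"*) ;; *) return 1 ;; esac
    done
    return 0
}

# After step 7, e.g.: verify_install localhost 10943
verify_install() {
    [ "$(keystore_password_state "$ISA_SERVER/server.xml")" = encoded ] ||
        { echo "server.xml keystore password is not encoded" >&2; return 1; }
    subj=$(presented_subject "$1" "$2") || return 1
    if is_default_subject "$subj"; then
        echo "default self-signed certificate still served" >&2; return 1
    fi
    echo "OK: $subj"
}
```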

Original Publication Date

20 September 2019

Document Location

Worldwide

Document Information

Modified date:
26 September 2019

UID

ibm11074342