SSL certificate expiration mails on WebSphere

WebSphere Application Server has a built-in SSL certificate expiration checker. It
monitors the expiration dates of all SSL certificates in the key stores and trust
stores that are configured in WebSphere.

You can set how many days before a certificate expires WebSphere sends a
notification mail (the notification threshold) and how often the check runs.

Mail notification has to be configured with an SMTP server and a recipient
address.

You also have the options “Automatically replace expiring self-signed certificates”
and “Delete expiring certificates and signers after replacement”.

But in a Connections setup these two options do not take away any manual
work. If you have a Connections configuration with an IHS web server in front, you will
always have to extract the signer certificate of the new SSL certificate and import it
into the plugin-key.kdb file of the WAS plug-in on the IHS web server. If you don’t do
this, the SSL connection between the IHS web server and WebSphere stops working, because
the plug-in no longer trusts the certificate WebSphere presents, and clients get 500
error pages when they visit Connections.

Everything described above works fine; the only thing that does not behave the
way you want is the sending of the notification mails.
The mails are sent whether a certificate is about to expire or not. With a notification
threshold of 30 days and a Connections setup with multiple JVM servers
you receive, every 30 days, 11 mails about certificates that are not about to
expire :-) .

This behavior is a known defect and is fixed in WAS version 6.1.0.27.

Check the technote.

If you don’t want to install a complete new fixpack, we also got
our hands on the ifix, which does not have as much impact on your
WAS install as a complete new fixpack.

We now just renew the WebSphere certificates to somewhere at the end
of 2020 and disable the SSL certificate check, to get rid of installing
a fixpack or ifix for every LC installation and keeping it up to date.

The default validity period of WebSphere’s own SSL certificate
is one year, but my experience is that this can vary with every fixpack
level.

SSL certificates WebSphere and their expiration dates

When installing Lotus Connections one of the tasks is to set up trust
between the WebSphere server and the IHS server. To do this you have to
configure SSL in such a way that the signer of the WebSphere server’s SSL
certificate is known to the IHS server.

You have to extract the signer of the WebSphere server’s SSL certificate and
import it into the plugin-key.kdb file of the IHS server (the WAS plug-in).

The signer of the WebSphere server is by default valid for one year; after
the SSL certificate expires the SSL connection breaks. With Connections, when
this happens you see a 500 error instead of your Connections pages.

To prevent this you can monitor the expiration date of the WebSphere server’s
SSL certificate. To do this, log in to the WAS admin console of the
Connections server.

  Goto : SSL certificate and key management -> Manage certificate expiration

Disable the two options below; my experience is that this isn’t working
that well, and maybe I just want to control everything myself :-)

  Automatically replace expiring self-signed certificates
  Delete expiring certificates and signers after replacement

Then go to

  SSL certificate and key management > Manage certificate expiration > Notifications > MessageLog

Check

  Message-log
  E-mail sent to notification list

Configure a mail address to send the notification to and an SMTP server to use.

Once this is configured, WebSphere scans the key stores at the configured interval and
mails the notification list about every certificate that expires within the number of
days set in the Expiration notification threshold attribute on the previous page (on
WAS 6.1 levels before 6.1.0.27 the mail is sent at every scan, whether or not a
certificate is about to expire).

You don’t have to restart the WebSphere server for this to take effect.
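The threshold rule described here, and the "mail on every scan" defect of the first post, can be checked outside WebSphere. The following Python script is an added example, not code from this post or from IBM: it reads expiry dates from the notAfter= lines printed by openssl x509 -noout -enddate (run against the ARM files you extract with ikeyman) and reports only the certificates that expire within the threshold, which is the list the WAS monitor is supposed to mail. The cell labels, dates and helper names in it are made up for the sample.

```python
#!/usr/bin/env python3
"""Stand-alone expiry check for the certificates WebSphere and the IHS plug-in use.

Added example, not part of the original post or of WebSphere. It applies the
rule the WAS expiration monitor is meant to apply (report a certificate when it
expires within the notification threshold) and nothing else, so it does not
produce the "mail on every scan" noise of WAS 6.1 before 6.1.0.27.

Input: one 'notAfter=...' line per certificate, as printed by
    openssl x509 -in <cert>.arm -noout -enddate
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# openssl always prints the end date in GMT: "notAfter=Dec 31 23:59:59 2020 GMT"
_ENDDATE_RE = re.compile(r"^notAfter=(.+ GMT)$")


def parse_enddate(line):
    """Turn an openssl -enddate line into a timezone-aware UTC datetime."""
    m = _ENDDATE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an 'openssl x509 -enddate' line: {line!r}")
    # strptime treats a space in the format as "one or more", so the
    # space-padded day in "Jan  5" parses as well.
    naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)


def days_until(not_after, now):
    """Whole days left before 'not_after'; negative once the certificate has expired."""
    return (not_after - now).days


def due_for_notification(certs, threshold_days, now):
    """Certificates that expire within 'threshold_days' (expired ones included),
    soonest first, as (label, days_left) pairs. This is the list the monitor
    should mail; anything further out is left alone."""
    due = [(label, days_until(not_after, now)) for label, not_after in certs]
    due = [item for item in due if item[1] <= threshold_days]
    return sorted(due, key=lambda item: item[1])


def enddate_of_file(path):
    """Ask openssl for the end date of a PEM/ARM certificate file."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_enddate(out)


# Constructed sample: a small Connections cell as it might look on 1 Dec 2020.
# Labels and dates are made up; the last entry is an already expired plug-in signer.
SAMPLE_NOW = datetime(2020, 12, 1, tzinfo=timezone.utc)
SAMPLE_LINES = [
    ("dmgr/default", "notAfter=Dec 15 09:30:00 2020 GMT"),
    ("node1/default", "notAfter=Dec 31 23:59:59 2020 GMT"),
    ("node2/default", "notAfter=Jan  5 10:00:00 2021 GMT"),
    ("ihs/plugin-key", "notAfter=Nov 20 00:00:00 2020 GMT"),
]


def sample_certs():
    return [(label, parse_enddate(line)) for label, line in SAMPLE_LINES]


def main(argv):
    """Usage: check_expiry.py [THRESHOLD_DAYS] [cert.arm ...]; without files the sample is used."""
    threshold = int(argv[1]) if len(argv) > 1 else 30
    if len(argv) > 2:
        certs = [(path, enddate_of_file(path)) for path in argv[2:]]
        now = datetime.now(timezone.utc)
    else:
        certs, now = sample_certs(), SAMPLE_NOW
    due = due_for_notification(certs, threshold, now)
    for label, left in due:
        print(f"{label}: expired {-left} days ago" if left < 0 else f"{label}: expires in {left} days")
    return 1 if due else 0   # non-zero exit so a cron job or monitor can alert on it


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample and a 30-day threshold the script lists the expired plug-in signer and the two certificates expiring within 30 days, and leaves the one expiring in 35 days out; that is exactly the difference to the pre-6.1.0.27 behaviour, which would have mailed about all four.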

When it is time to renew your WebSphere certificate you can do it this way.

Shut down the WebSphere server.

Start the ikeyman utility on the WebSphere server:
  /opt/IBM/WebSphere/AppServer/bin # ./ikeyman.sh

Open the key.p12 key store, remove the entry with the label default under Personal
Certificates, and create a new self-signed certificate with the same label default.

Then click the Extract Certificate button and save the certificate as an ARM file. You can
either import it into the trust.p12 yourself or let WebSphere take care of it:
when WebSphere starts it notices that the certificate in key.p12 is not in the
Signer Certificates list of the trust.p12 file and adds it itself.

As a last step import the extracted ARM file into the Signer Certificates list of the
plugin-key.kdb key database. Just grab your ikeyman and get it done, restart the IHS
server for the change to take effect immediately, and you are safe again. Only the signer
(the public certificate in the ARM file) goes into plugin-key.kdb, never the private key
from key.p12; the old signer can stay in there until you have seen the new one work.
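The manual steps above can also be scripted. The following Python script is an added example and not the post's own procedure (which clicks through the ikeyman GUI) nor IBM code: it drives keytool from the WAS JDK for key.p12 and trust.p12 and gsk7cmd (the command-line ikeyman of GSKit 7) for plugin-key.kdb. It assumes the WAS 6.1 defaults (PKCS12 key stores with the password WebAS and the personal certificate label default), the JDK 6 and later option names -genkeypair/-exportcert/-importcert (a JDK 5 keytool spells them -genkey/-export/-import), and made-up cell, host and plug-in paths. It only prints the commands unless started with --apply; stop WebSphere before applying it and restart IHS afterwards, exactly as in the manual procedure.

```python
#!/usr/bin/env python3
"""Scripted version of the WebSphere certificate renewal described above.

Added example, not the post's own procedure (which uses the ikeyman GUI) and
not IBM code. Tools: keytool from the WAS JDK for key.p12 / trust.p12 and
gsk7cmd (GSKit 7 command-line ikeyman) for the IHS plug-in's plugin-key.kdb.
Assumptions: WAS 6.1 defaults, i.e. PKCS12 key stores with the password 'WebAS'
and the personal certificate label 'default'; keytool option names of JDK 6+
(-genkeypair/-exportcert/-importcert; JDK 5 spells them -genkey/-export/-import).
Stop WebSphere before running with --apply, restart IHS afterwards.
"""
import subprocess
import sys
from datetime import date

SECRET_FLAGS = ("-storepass", "-keypass", "-pw")


def renewal_commands(was_home, store_dir, dn, validity_days, plugin_kdb, plugin_pw,
                     arm_path, keystore_pw="WebAS", label="default", today=None):
    """The five steps of the procedure as argv lists, in the order they must run.
    store_dir is the directory holding key.p12 and trust.p12 (the cell directory
    for the cell stores, cells/<cell>/nodes/<node> for a node's stores)."""
    today = today or date.today()
    keytool = f"{was_home}/java/bin/keytool"
    key_store = ["-keystore", f"{store_dir}/key.p12", "-storetype", "PKCS12", "-storepass", keystore_pw]
    trust_store = ["-keystore", f"{store_dir}/trust.p12", "-storetype", "PKCS12", "-storepass", keystore_pw]
    # keytool and gsk7cmd refuse to add a signer under a label that already
    # exists, so the new signer gets a dated label; the old signer is removed
    # by hand later, once the new certificate is known to work.
    signer_label = f"{label}-signer-{today.isoformat()}"
    return [
        # 1. remove the expiring personal certificate from key.p12
        [keytool, "-delete", "-alias", label] + key_store,
        # 2. create a new self-signed certificate under the same label
        [keytool, "-genkeypair", "-alias", label, "-keyalg", "RSA", "-keysize", "2048",
         "-dname", dn, "-validity", str(validity_days), "-keypass", keystore_pw] + key_store,
        # 3. extract the certificate (the signer, no private key) as an ASCII ARM file
        [keytool, "-exportcert", "-rfc", "-alias", label, "-file", arm_path] + key_store,
        # 4. add the signer to trust.p12 (optional: WAS does this itself at startup)
        [keytool, "-importcert", "-noprompt", "-alias", signer_label, "-file", arm_path] + trust_store,
        # 5. add the signer to the IHS plug-in key database
        ["gsk7cmd", "-cert", "-add", "-db", plugin_kdb, "-pw", plugin_pw,
         "-label", signer_label, "-file", arm_path, "-format", "ascii"],
    ]


def masked(argv):
    """Copy of argv with the value after any password flag replaced, for logging."""
    out = list(argv)
    for i, tok in enumerate(out[:-1]):
        if tok in SECRET_FLAGS:
            out[i + 1] = "******"
    return out


def run_all(commands, dry_run=True):
    """Run the steps in order and stop at the first failure; in dry-run mode
    only print them (passwords masked). Returns the number of steps handled."""
    done = 0
    for argv in commands:
        print(" ".join(masked(argv)))
        if not dry_run:
            subprocess.run(argv, check=True)
        done += 1
    return done


if __name__ == "__main__":
    # Made-up cell, host and plug-in paths; replace them with your own.
    steps = renewal_commands(
        was_home="/opt/IBM/WebSphere/AppServer",
        store_dir="/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/lcCell01",
        dn="CN=lc.example.com,OU=lcCell01,O=Example",
        validity_days=365,
        plugin_kdb="/opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.kdb",
        plugin_pw="WebAS",
        arm_path="/tmp/default.arm",
    )
    run_all(steps, dry_run="--apply" not in sys.argv)
```

Passwords are passed on the command line here only because that is how keytool and gsk7cmd take them; on a shared host prefer the stash file for plugin-key.kdb (gsk7cmd -keydb -stashpw) and clear the shell history afterwards.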

P.S. I am currently doing some work with Sametime Gateway 8.0.2 and Hotfix 1 for OCS
integration. Sametime Gateway requires WAS fixpack 6.1.0.23, and it looks like they
changed the expiration dates from one year to fifteen years.

More info

IBM WebSphere Developer Technical Journal: SSL, certificate, and key management enhancements for even stronger security in WebSphere Application Server V6.1