Tuesday, April 15, 2008

Certificate expiry issue in WebSphere Application Server 6.1.X

Introduction:
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default, every 28 days the server checks and reports the status of certificate expiration. APAR fix PK42863 (6.1.0.5) changes this behaviour. With this fix, a couple of things are done to prevent service outages:
1. A pre-notification message starts appearing 90 days before the threshold period, warning the user that certificates will be replaced once they enter the expiration threshold.
2. The default self-signed certificate life span is extended to 15 years. Note: this applies only to profiles created after the APAR fix is applied.

APAR fix PK36869: after automatic certificate renewal the DMGR cannot talk to the node agents ("JSSL0080E SSL HANDSHAKE EXCEPTION"). In WAS 6.1 the default certificate expires in one year. Just before the expiration the certificate is renewed automatically, and after this automatic renewal the dmgr cannot talk to the node agents, resulting in "JSSL0080E SSL HandShake Exception".

This document also describes how to create and add a new signer certificate to an existing profile.

Scope
This document is intended for web administrators and webmasters, to prevent the server outage caused by the certificate expiry issue in WebSphere Application Server version 6.1.

Best-Practices/Learning
1. APAR fix PK42863 resolves the following problem:
PROBLEM SUMMARY
USERS AFFECTED: All users of servers installed with IBM® WebSphere® Application Server version 6.1.
PROBLEM DESCRIPTION: The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default, every 28 days the server checks and reports the status of certificate expiration. By default, 60 days before a self-signed certificate expires (the threshold period) the certificate is replaced automatically. While administrative clients handle the certificate replacement by retrieving the new signer certificate, other services such as the WebServer do not: for a WebServer, extracting the signer certificate is a manual step, so the automatic replacement of its certificate can cause an outage of the service.

RECOMMENDATION: Servers' self-signed certificates are replaced 60 days before they expire, that is, about 10 months after the self-signed certificate is created. This causes a server outage on services such as the WebServer, where managing the client signer certificate is a manual step. This change therefore extends the life span of the default self-signed certificate to 15 years and provides additional warning time before certificates are automatically replaced.

For More Information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK42863

2. APAR fix PK36869: after automatic certificate renewal the DMGR cannot talk to the node agents ("JSSL0080E SSL HANDSHAKE EXCEPTION").
Error description
In WAS 6.1 the default certificate expires in one year. Just before the expiration, the certificate is renewed automatically. After this automatic renewal, the dmgr cannot talk to the node agents, resulting in "JSSL0080E SSL HandShake Exception".
If the renewal happens while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown. This does not work if WAS is running as a service on Windows platforms.
If the certificate expires while WAS is NOT running, WAS has to be started with the expired certificate. Automatic renewal then runs during the next start-up of the dmgr, and the user has to run a node sync.
As a workaround, the user currently has to add the renewed certificates to the trust stores manually: add the Cell certificate to the Node trust store, and the Node certificate to the Cell trust store.
The error is a direct result of automatic certificate renewal; the renewed certificate should be added to the Cell and Node trust stores automatically.
Additionally, the certificate expiration monitor has been modified to handle this condition properly; that fix shipped in APAR PK48659.
Local fix
As a workaround, the user currently has to add the renewed certificates to the trust stores manually: add the Cell certificate to the Node trust store, and the Node certificate to the Cell trust store.

RECOMMENDATION: Application Server was incorrectly processing the sequence of events that need to complete before the certificates are renewed and exchanged between the Deployment Manager and the Node Agent.
For more information: http://www-1.ibm.com/support/docview.wss?uid=swg1PK36869


3. How to create and add a new signer certificate to an existing profile.

1. Create new key.p12 keystore
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
Create Self Signed Cert
Alias:
Common Name:
Validity Period: 3650
Organization: xyz
Click OK

2. Extract the certificate
SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Extract certificate
Certificate file name: -key.arm (e.g. Server Name-key.arm)
Data type: Base64-encoded ASCII data
The default location for the file to be created is /profiles/dmgr/etc/ (e.g. /opt/was61/profiles/dmgr/etc/).

3. Import the extracted certificate into trust.p12
SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
Alias: -key
File Name: /profiles/dmgr/etc/-key.arm
Data type: Base64-encoded ASCII data

4. Copy trust.p12 and key.p12 to all the nodes
FROM:
/profiles/dmgr/config/cells//trust.p12
/profiles/dmgr/config/cells//key.p12
TO:
/profiles/dmgr/config/cells//nodes//trust.p12
/profiles/dmgr/config/cells//nodes//key.p12

5. Restart the nodes and the dmgr from the command line. When prompted to accept the certificate, accept it.
6. Start the dmgr.
7. Sync the nodes to the dmgr manually. When prompted to accept the certificate, accept it.

8. SSL certificate and key management > SSL configurations > CellDefaultSSLSettings
Select the certificate that you created in the following drop-downs:
Default server certificate alias
Default client certificate alias
Click -> Get Certificate Aliases
Click -> OK

9. SSL certificate and key management > Manage endpoint security configurations
NOTE: this is a similar process that needs to be completed for all nodes and cells, both inbound and outbound.
Select Node Level:
Change
Certificate alias in key store: the certificate that you imported
Click -> Update Certificate Alias List
Click -> OK

Repeat for Node Level – Inbound and Outbound
Repeat for Cell Level – Inbound and Outbound
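The check below is an added example (not part of the original post or of IBM's tooling): it reads the notAfter date from a Base64-encoded (.arm) certificate such as the signer extracted in the procedure above and reports which window of the 6.1 expiration monitor it falls in, using the 90-day pre-notification and 60-day replacement thresholds from the APAR text. It uses only the Python standard library with a small hand-written DER walker; `sample_arm` builds a constructed, unsigned certificate shell purely as offline sample input, and `expiry_status` is the function to run over real .arm files before the monitor's own 28-day check reaches them.

```python
import base64, re
from datetime import datetime, timedelta, timezone

# Windows used by the WAS 6.1 certificate expiration monitor described in the APAR text above
PRENOTIFY_DAYS, REPLACE_DAYS = 90, 60   # warning starts at 90 days (PK42863); auto-replacement inside 60 days

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(seq):
    """Split the content of a DER SEQUENCE into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def not_after(arm_text):
    """notAfter of a Base64-encoded (.arm / PEM) X.509 certificate as an aware UTC datetime."""
    der = base64.b64decode(re.sub(r"-----[^-]*-----|\s", "", arm_text))
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0:                                 # skip the optional [0] EXPLICIT version
        tbs = tbs[1:]
    tag, val = _children(tbs[3][1])[1]                    # serial, sigAlg, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiry_status(arm_text, now):
    """Return (days left, monitor window) for the certificate relative to `now`."""
    days = (not_after(arm_text) - now).days
    state = ("EXPIRED" if days < 0 else "REPLACEMENT_THRESHOLD" if days <= REPLACE_DAYS
             else "PRENOTIFY" if days <= PRENOTIFY_DAYS else "OK")
    return days, state

def _enc(tag, content):            # minimal DER encoder, only for the constructed sample below
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + content

def sample_arm(not_after_utc):
    """CONSTRUCTED fixture: unsigned but structurally valid certificate shell with the given notAfter."""
    t = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())   # UTCTime
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + _enc(0x30, b"") + _enc(0x30, t(not_after_utc - timedelta(days=365)) + t(not_after_utc)))
    cert = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))   # empty sigAlg + empty BIT STRING
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Dates are compared in UTC; UTCTime two-digit years are mapped with strptime's %y pivot, which agrees with RFC 5280 for 1969 through 2049.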



Conclusions
With this fix, a couple of things are done to prevent service outages: 1. a pre-notification message starts appearing 90 days before the threshold period, warning the user that certificates will be replaced once they enter the expiration threshold; 2. the default self-signed certificate life span is extended to 15 years. Note: this applies only to profiles created after the APAR fix is applied.
Application Server has been modified to create, at cell profile creation time, separate signer certificates in each keystore so that a proper exchange can take place at certificate expiration and renewal time. NOTE: this APAR does not handle profiles that have already been created. To address certificate expiration and renewal in Application Server with existing profiles, please refer to the WebSphere Application Server flash "Possible client outage for WebSphere Application Server V6.1 if using default self-signed certificate expiration" and/or install WebSphere maintenance fix pack 6.1.0.7. The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.11. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
