renewing SSL certificate for portal

prescientdba
New Member
Posts: 1

    I am looking for assistance (guidance) with SSL certificate renewal procedures. Our SSL cert for our Lawson portal is due to expire on 10/30/2015. We have never done an SSL cert renewal on WebSphere before (total noobies). Does anyone have step-by-step directions on how to do this? Our environment is one application server (WebSphere, portal, etc.) with one database server. Any assistance you can provide would be greatly appreciated.

    Tracy

    Leonard Courchaine
    Veteran Member
    Posts: 55
      Hi Tracy,
      The process of updating certs is *fairly* straightforward. I don't have an official step-by-step vendor document but I have my own documentation about what I did for our LSF environment. Email me and I can send you that. In any event, here are the basic steps that you need to do:
      IMPORTANT: First, back up ALL keystore files!! That would include running the WebSphere BackupConfig utility (to back up WebSphere) and making a backup of the cacerts file (Java).
      1. Request updated certificate from your CA. To do this, you need to send them a certificate request using whichever tool you guys have/use for that. Depending on your setup, this could be an external CA or internal one. (Ours is internal.)
      2. Basically, anywhere that you have a cert, that cert *must* be updated. So, in the case of LSF for us, this includes the following locations: WebSphere and Java.
      3. What we've done here is set up a keystore, called lawson.kdb. That's what we do our requests out of using ikeyman. Then when the cert comes back you can add it there first.
      4. Then to update the certs in WebSphere, simply do an import from this file. It works great!
      5. I've found, over time, that the best way to update the Java cert is by using the keytool utility instead of trying to do it in, for example, ikeyman. For some reason, if you use tools other than keytool, the keyfile can get hosed a bit.
      6. If you have other things, like LBI and MSCM, it's basically the same procedure in that you need to update the certs in all places.
      Notes:
      1. Be sure that, in WebSphere and Java, you keep the exact same certificate name! For example, if the name (alias) of the certificate is server.sample.org be sure to use the exact same name when updating the cert, in other words don't change to server (without the hostname information).
      2. You can make all the changes while the system is up and then you need to restart Lawson/WAS for the changes to take effect.
      3. You might wonder what the "Update" option is for within WebSphere? I would have thought that using this would make it easy. Unfortunately this doesn't work for certificates generated with requests from other tools. In other words I understand that if you use WebSphere to generate your cert request then you can use this feature. I've played with that unsuccessfully.

      Holler if you have questions or want a phone conversation.
      Lenny
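
The Java truststore part of the steps above (back up cacerts, update with keytool, keep the exact same alias), sketched as an added example that is not from the thread or from Lawson/IBM documentation. The function names are this example's own, and it assumes the cacerts entry is a trusted certificate entry (no private key) and that keytool prints Oracle/OpenJDK-style output.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): swap a renewed certificate into a Java
# truststore such as cacerts, keeping the alias and a backup to roll back to.
# Assumes Oracle/OpenJDK-style keytool output; IBM JDK output may differ.

# SHA-256 fingerprint of the certificate stored under an alias ("" if absent).
alias_fingerprint() {  # keystore storepass alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    grep -E -m1 'SHA-?256\)?:' | awk '{print $NF}'
}

# SHA-256 fingerprint of a certificate file (PEM or DER).
file_fingerprint() {  # certfile
  keytool -printcert -file "$1" 2>/dev/null |
    grep -E -m1 'SHA-?256\)?:' | awk '{print $NF}'
}

# Replace the cert under an EXISTING alias; prints the backup path on success.
replace_trusted_cert() {  # keystore storepass alias certfile
  local ks="$1" pass="$2" name="$3" cert="$4" want backup
  want=$(file_fingerprint "$cert")
  [ -n "$want" ] || { echo "cannot parse certificate $cert" >&2; return 1; }
  # Refuse a missing alias (the name must not change) and refuse key entries:
  # deleting a PrivateKeyEntry would destroy the private key.
  keytool -list -v -keystore "$ks" -storepass "$pass" -alias "$name" 2>/dev/null |
    grep -q 'trustedCertEntry' ||
    { echo "alias '$name' missing or not a trustedCertEntry in $ks" >&2; return 2; }
  backup="$ks.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$ks" "$backup" || return 1
  keytool -delete -alias "$name" -keystore "$ks" -storepass "$pass" >/dev/null 2>&1 &&
    keytool -importcert -noprompt -alias "$name" -file "$cert" \
      -keystore "$ks" -storepass "$pass" >/dev/null 2>&1 || true  # checked below
  if [ "$(alias_fingerprint "$ks" "$pass" "$name")" != "$want" ]; then
    cp -p "$backup" "$ks"   # roll back to the pre-change keystore
    echo "import not verified; restored $backup" >&2
    return 3
  fi
  echo "$backup"
}

# Usage: script KEYSTORE STOREPASS ALIAS CERTFILE
if [ "$#" -eq 4 ]; then replace_trusted_cert "$@"; fi
```

A password passed with -storepass is visible in the process list while keytool runs, so run this from an account and host where that is acceptable.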
      prescientdba
      New Member
      Posts: 1

        Lenny

         

        Just wanted to thank you for your assistance (sorry for the delay). We were able to get our certs renewed.

         

        Thanks again,

        Tracy