Adding an SSL certificate to the TIP / WebSphere
By Hari Vittal
Requesting a certificate
There are 2 ways to do this:
- Through WebSphere Administrative Console (WAC) in TIP
- Through iKeyMan located in /t/IBM/tivoli/tipv2/bin/ikeyman.sh
The former is the easier method of the two however both of these methods are detailed below:
- If you choose to do it through WAC then follow these steps:
- Login to TIP using ‘tipadmin’ or an equivalent user with admin rights.
- Click on Settings > WebSphere Administrative Console and ‘Launch WAC’
- Navigate to Security > SSL certificate and key management
- Click ‘Key stores and certificates’ on the right hand side menu
- Click on ‘NodeDefaultKeyStore’ and then ‘Personal certificate requests’ under the Additional Properties section
6. Click on ‘New’ button at the top of the toolbar and fill out the appropriate details.
Click ‘OK’, you will then need to Save it to the master configuration
The file will be saved on the server in the location you specified in this request. The CSR will look something like:
7.Send this file to an authorized signer of your choice and in return you will receive the certificate for your server.
- If you choose to do it through iKeyMan then follow these steps:
1.Login to the TIP server and navigate to $TIP_HOME/bin
($TIP_HOME is normally /opt/IBM/tivoli/tip |tipv2)
3.The iKeyMan console will open, click on ‘Key Database File’ and ‘New’ (assuming you haven’t
already created a KeyStore database)
4.You will now be prompted for a password for the KeyStore
Please make sure that you remember this password, as this will be required when you import the
certificate into the server.
5.Now select ‘Personal Certificate Request’ from the drop down menu and click ‘New’
6.You will now be prompted to enter the details for the certificate along with where to store the CSR in
Click ‘OK’ when finished.
7.Send this file to an authorized signer of your choice and in return you will receive the certificate for
Adding the certificate into TIP / WebSphere:
1.Log on to TIP
2.Click on Settings > WebSphere Administrative Console and ‘Launch WAC’
3.Navigate to Security > SSL certificate and key management
4.Click Key stores and certificates
5.Click on NodeDefaultKeyStore > Signer certificates
Enter Alias and root .CER file location on server and select ‘Binary DER data’
8.Click ‘Add’ again
9.Enter Alias and intermediate .CER file location on server and select ‘Binary DER data’. Click ‘OK’
and now click ‘Save to master changes
N.B.: ‘root’ and ‘intermediate’ (if provided) are given by signers.
10.Navigate back to ‘NodeDefaultKeyStore’ page and click on ‘Personal Certificates’
11.If you requested through WAC, then Click ‘Receive from a certificate authority’ and point it the .CER
file you created for your domain on the server and select ‘Binary DER data’
N.B. For this to work you should have the CSR NodeDefaultKeyStore when you requested for
certificate – if this is the case then skip to Step 21.
12.If you requested through iKeyMan, then you will need to go back to iKeyMan console
$TIP_HOME/bin/ikeyman.sh ($TIP_HOME is normally /opt/IBM/tivoli/tip |tipv2)
Click on Key Database File and select the location of the Key Database you stored the certificate request on.
13.Click ‘OK’ and enter password.
14.Click on ‘Signer Certificate’ from the drop down list
15.Click ‘Add’ and select the root certificate provided by your signer and click ‘OK’
16.Do the same for the intermediate certificate
17.In the ‘Personal Certificate Requests’ you should see the request you made stored, if this is the
case then click on ‘Personal Certificates’
18.Click on ‘Receive’ and select the <yourdomain>.cer file that you created with content provided by
Click OK and you should now see something similar to this:
You can now close this window and return to WAC page in TIP
management > Key stores and certificates > NodeDefaultKeyStore
20. Click on ‘Personal Certificates’ and click on Import and you will see something similar to this:
Select the ‘Key store file’ button and specify the path name of the key store database you used in
iKeyMan and select CMSKS as Type and the password for the KeyStore
And then press ‘Get Key File Aliases’
You will now see your certificate in the ‘Certificate alias to import’ list. Enter an alias in the Imported certificate alias section and click ‘OK’
21. Click ‘OK’ and now click ‘Save to master changes
22. When TIP is installed and security is enabled, by default there is a certificate issued to the hostname of the sever in which it was installed. This should be list in Personal Certificates with alias ‘default’
Select the checkbox next to this and click ‘Replace’ button
Select the new imported certificate in ‘Replace with’ section and check the ‘Delete old certificate after replacement ‘ and ‘Delete old signers’
Click ‘OK’ and once again ‘Save’ to Master Configuration.
23. Once all these steps are done, log out of the TIP/ WAS and restart the server. You may receive a
dialog box requesting to confirm for the new certificate to be added to the KeyStore. Press ‘Yes’ to
confirm and the server will stop.
SSL set up is now complete.