Adding an SSL certificate to the TIP / WebSphere

By Hari Vittal

Requesting a certificate

There are 2 ways to do this:

  1. Through WebSphere Administrative Console (WAC) in TIP
  2. Through iKeyMan located in /t/IBM/tivoli/tipv2/bin/ikeyman.sh

The former is the easier method of the two however both of these methods are detailed below:
 

  • If you choose to do it through WAC then follow these steps:
  1. Login to TIP using ‘tipadmin’ or an equivalent user with admin rights.
  2. Click on Settings > WebSphere Administrative Console and ‘Launch WAC’
  3. Navigate to Security > SSL certificate and key management
  4. Click ‘Key stores and certificates’ on the right hand side menu
  5. Click on ‘NodeDefaultKeyStore’ and then ‘Personal certificate requests’ under the Additional Properties section

        IMG001

6. Click on ‘New’ button at the top of the toolbar and fill out the appropriate details.

        IMG002

    Click ‘OK’, you will then need to Save it to the master configuration

        IMG003

    The file will be saved on the server in the location you specified in this request. The CSR will look something like:

        IMG004

 7.Send this file to an authorized signer of your choice and in return you will receive the certificate for your server.

  • If you choose to do it through iKeyMan then follow these steps:

1.Login to the TIP server and navigate to $TIP_HOME/bin 
    ($TIP_HOME is normally /opt/IBM/tivoli/tip |tipv2)

2.Run ./ikeyman.sh

3.The iKeyMan console will open, click on ‘Key Database File’ and ‘New’ (assuming you haven’t

   already created a KeyStore database)

    IMG005

   Click ‘OK’ 

4.You will now be prompted for a password for the KeyStore

   IMG006

   Please make sure that you remember this password, as this will be required when you import the

   certificate into the server.

   Click ‘OK’

5.Now select ‘Personal Certificate Request’ from the drop down menu and click ‘New’

6.You will now be prompted to enter the details for the certificate along with where to store the CSR in

   the server

    IMG007

   Click ‘OK’ when finished.

7.Send this file to an authorized signer of your choice and in return you will receive the certificate for

   your domain

Adding the certificate into TIP / WebSphere:

1.Log on to TIP

2.Click on Settings > WebSphere Administrative Console and ‘Launch WAC’

3.Navigate to Security > SSL certificate and key management

4.Click Key stores and certificates

5.Click on NodeDefaultKeyStore > Signer certificates

6.Click Add

   IMG008

     Enter Alias and root .CER file location on server and select ‘Binary DER data’

7.Click ‘OK’

8.Click ‘Add’ again

9.Enter Alias and intermediate .CER file location on server and select ‘Binary DER data’. Click ‘OK’

   and now click ‘Save to master changes

    IMG009

    N.B.: ‘root’ and ‘intermediate’ (if provided) are given by signers.

10.Navigate back to ‘NodeDefaultKeyStore’ page and click on ‘Personal Certificates’

11.If you requested through WAC, then Click ‘Receive from a certificate authority’ and point it the .CER

    file you created for your domain on the server and select ‘Binary DER data’

    N.B. For this to work you should have the CSR NodeDefaultKeyStore when you requested for

    certificate  – if this is the case then skip to Step 21.

12.If you requested through iKeyMan, then you will need to go back to iKeyMan console 

    $TIP_HOME/bin/ikeyman.sh  ($TIP_HOME is normally /opt/IBM/tivoli/tip |tipv2)

      IMG010

    Click on Key Database File and select the location of the Key Database you stored the certificate request on.

    IMG011

13.Click ‘OK’ and enter password.

14.Click on ‘Signer Certificate’ from the drop down list

15.Click ‘Add’ and select the root certificate provided by your signer and click ‘OK’

      IMG012

16.Do the same for the intermediate certificate

17.In the ‘Personal Certificate Requests’ you should see the request you made stored, if this is the

    case then click on ‘Personal Certificates’

18.Click on ‘Receive’ and select the <yourdomain>.cer file that you created with content provided by

     your signer

      IMG013

     Click OK and you should now see something similar to this:

       IMG014

     You can now close this window and return to WAC page in TIP

     management > Key stores and certificates > NodeDefaultKeyStore

20. Click on ‘Personal Certificates’ and click on Import and you will see something similar to this:

       IMG015

     Select the ‘Key store file’ button and specify the path name of the key store database you used in

     iKeyMan and select CMSKS as Type and the password for the KeyStore

     And then press ‘Get Key File Aliases’

You will now see your certificate in the ‘Certificate alias to import’ list. Enter an alias in the Imported certificate alias section and click ‘OK’

21. Click ‘OK’ and now click ‘Save to master changes

       IMG016

22. When TIP is installed and security is enabled, by default there is a certificate issued to the hostname of the sever in which it was installed. This should be list in Personal Certificates with alias ‘default’

      IMG017

    Select the checkbox next to this and click ‘Replace’ button

    Select the new imported certificate in ‘Replace with’ section and check the ‘Delete old certificate after replacement ‘ and ‘Delete old signers’

    Click ‘OK’ and once again ‘Save’ to Master Configuration.
 

23. Once all these steps are done, log out of the TIP/ WAS and restart the server. You may receive a

     dialog box requesting to confirm for the new certificate to be added to the KeyStore. Press ‘Yes’ to

     confirm and the server will stop.

SSL set up is now complete.

Hits: 71