When a WebSphere Application Server process starts for the first time, the Secure Sockets Layer (SSL) runtime initializes the default keystores and truststores that are specified in the SSL configuration.
The chained certificates created during profile creation have a one-year life span by default. The default root certificate used to sign the default chained certificate has a life span of 15 years. The life span of the default and the root certificates can be customized during profile creation. An advantage of this type of chained certificate is that only the signer from the root certificate is needed to establish trust. When the chained certificate is regenerated with the same root certificate, clients that use that root signer certificate for trust do not lose their trust.
Default keystore and truststore properties
WebSphere Application Server creates the key.p12 default keystore file and the trust.p12 default truststore file during profile creation. A default chained certificate is also created in the key.p12 file. The root signer, or public key, of the chained certificate is extracted from the key.p12 file and added to the trust.p12 file. If the files do not exist during process startup, they are recreated during startup.
You can easily identify keystore and truststore defaults because of their suffixes: DefaultKeyStore and DefaultTrustStore. Also, in the SSL configuration, you must set the fileBased attribute to true so that the runtime uses the default keystores and truststores only.
On a base application server, default key and truststores are stored in the node directory of the configuration repository. For example, the default key.p12 and trust.p12 stores are created with the AppSrv01 profile name, the test317Cell01 cell name, and the exampleNode01 node name. The key and truststores are located in the following directory:

test317:/ # cd /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/test317Cell01/nodes/exampleNode01
test317:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/test317Cell01/nodes/exampleNode01 # ls -l *p12
-rw-r--r-- 1 root root 1298 Jun  1 15:56 default-signers.p12
-rw-r--r-- 1 root root 1434 Jun  1 15:56 deleted.p12
-rw-r--r-- 1 root root 3746 Jun  1 15:58 key.p12
-rw-r--r-- 1 root root 2594 Jun  1 15:56 root-key.p12
-rw-r--r-- 1 root root 3690 Jun  1 15:56 rsatoken-key.p12
-rw-r--r-- 1 root root 2594 Jun  1 15:56 rsatoken-root-key.p12
-rw-r--r-- 1 root root 1298 Jun  1 15:56 rsatoken-trust.p12
-rw-r--r-- 1 root root 2458 Jun  1 15:58 trust.p12
A copy of the truststore and keystore is also located in the profile_home/etc directory:

test317:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc # ls -al
total 56
drwxr-xr-x  3 root root 4096 Jun  1 16:07 .
drwxr-xr-x 20 root root 4096 Jul  6 13:40 ..
-rwxr-xr-x  1 root root 2334 Jul 11  2012 DummyClientKeyFile.jks
-rwxr-xr-x  1 root root 7117 May 19 10:35 DummyClientTrustFile.jks
-rwxr-xr-x  1 root root 2337 Jul 11  2012 DummyServerKeyFile.jks
-rwxr-xr-x  1 root root 6062 Jul 11  2012 DummyServerTrustFile.jks
-rw-r--r--  1 root root  238 Aug 10 15:29 IBMLSDActiveServerList.asl
-rwxr-xr-x  1 root root  727 Jul 11  2012 clientCert.arm
-rwxr-xr-x  1 root root 3690 May 19 10:35 key.p12
-rwxr-xr-x  1 root root  727 Jul 11  2012 serverCert.arm
-rwxr-xr-x  1 root root 2458 Jun  1 15:55 trust.p12
drwxr-xr-x  3 root root 4096 Sep 19  2012 ws-security
The default password is WebAS for all default keystores generated by WebSphere Application Server. Change the default password after the initial configuration for a more secure environment.
Default chained certificate
The default chained certificate of the server, along with the root self-signed certificate used to sign it, is created during profile creation.
You can recreate the certificates with different information simply by deleting the *.p12 files in /config and /etc. Change the eight properties below to the values you want the certificates to contain, then restart the processes. This causes the server certificate in /config and the client certificate in /etc to differ.
The certificate properties in the code example exist in the ssl.client.props file, but do not exist in the server configuration. You can use these certificate properties in the server configuration if you add them as custom security properties using the administrative console.
test317:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties # ls -l ssl.client.props
-rwxr-xr-x 1 root root 5050 May 19 10:35 ssl.client.props

test317:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties # cat ssl.client.props
#-------------------------------------------------------------------------
# Global SSL Properties (applies to entire process)
#-------------------------------------------------------------------------
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.ssl.performURLHostNameVerification=false
com.ibm.ssl.validationEnabled=false
com.ibm.security.useFIPS=false
user.root=/opt/IBM/WebSphere/AppServer/profiles/AppSrv01

#-------------------------------------------------------------------------
# Default Self-Signed Certificate Properties
# These properties are used to create a keystore when it does not exist with
# a self-signed certificate. The properties com.ibm.ssl.keyStoreFileBased=true
# and com.ibm.ssl.trustStoreFileBased=true must be set to indicate a file-based
# keystore and truststore before they are created.
#-------------------------------------------------------------------------
com.ibm.ssl.defaultCertReqAlias=default
com.ibm.ssl.defaultCertReqSubjectDN=cn=${hostname},o=IBM,c=US
com.ibm.ssl.defaultCertReqDays=365
com.ibm.ssl.defaultCertReqKeySize=2048
...
...
com.ibm.ssl.rootCertSubjectDN=cn=${hostname},ou=Root Certificate, ou=myhostNode01,ou=myhostNode01Cell,o=IBM,c=US
com.ibm.ssl.rootCertValidDays=7300
com.ibm.ssl.rootCertAlias=root
com.ibm.ssl.rootCertKeySize=1024
In the administrative console, click Security > Global security > Custom properties and change the properties listed above as needed:
After changing the properties, complete the following actions:

Delete the default key.p12 keystore and trust.p12 truststore files for the deployment manager, which contain the default chained certificate. If the keystore and truststore files do not exist, WebSphere Application Server automatically generates them and creates new default certificates using the previously listed property values.

Delete the root keystore, which is the root-key.p12 file, to regenerate the root certificate with the previously listed properties.

Restart the deployment manager, its node, and all of the servers.

Sign each node using the root certificate. If the nodes are not federated, federate each node into the deployment manager using the addNode.sh command; the default certificate for the node is regenerated using the root certificate for the cell. If the nodes are already federated, renew the certificate for each node using the root certificate for the cell. You can renew the certificate using the administrative console or the renewCertificate command.
If a default alias value already exists, the runtime appends _#, where the number sign (#) is a number that increments until the alias is unique in the keystore. ${hostname} is a variable that is resolved to the host name where the certificate was originally created. The default expiration date of chained certificates is one year from their creation date.
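The two runtime rules just described, ${hostname} resolution and the _# alias suffix, are easy to get wrong when scripting a store regeneration, so here is an added example (written for this page, not WebSphere's own code) that parses the certificate-request properties from the ssl.client.props excerpt and computes what the runtime would request. The property text is reconstructed from the excerpt above, and the set of aliases already present in the keystore is an assumed input.

```python
import re

# Constructed sample: the certificate-request lines from the page's
# ssl.client.props excerpt (the file content is assumed, not read from disk).
SAMPLE_PROPS = """\
#-------------------------------------------------------------------------
# Default Self-Signed Certificate Properties
#-------------------------------------------------------------------------
com.ibm.ssl.defaultCertReqAlias=default
com.ibm.ssl.defaultCertReqSubjectDN=cn=${hostname},o=IBM,c=US
com.ibm.ssl.defaultCertReqDays=365
com.ibm.ssl.defaultCertReqKeySize=2048
com.ibm.ssl.rootCertSubjectDN=cn=${hostname},ou=Root Certificate, ou=myhostNode01,ou=myhostNode01Cell,o=IBM,c=US
com.ibm.ssl.rootCertValidDays=7300
com.ibm.ssl.rootCertAlias=root
com.ibm.ssl.rootCertKeySize=1024
"""

# Property names (without the com.ibm.ssl. prefix) for each certificate:
# alias, subject DN, validity in days, key size.
CERT_PROPS = {
    "default": ("defaultCertReqAlias", "defaultCertReqSubjectDN",
                "defaultCertReqDays", "defaultCertReqKeySize"),
    "root": ("rootCertAlias", "rootCertSubjectDN",
             "rootCertValidDays", "rootCertKeySize"),
}

_VAR = re.compile(r"\$\{(\w+)\}")


def parse_props(text):
    """Parse key=value lines; '#' lines and blank lines are skipped and the
    value is everything after the first '=' (DNs contain '=' themselves)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(value, variables):
    """Expand ${name} references such as ${hostname}; unknown names stay as-is."""
    return _VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def unique_alias(requested, existing):
    """The runtime rule from the text: if the alias exists, append _1, _2, ...
    until the name is unused in the keystore."""
    if requested not in existing:
        return requested
    n = 1
    while "%s_%d" % (requested, n) in existing:
        n += 1
    return "%s_%d" % (requested, n)


def plan_cert_requests(props_text, hostname, existing_aliases):
    """Return, per certificate, the alias, subject DN, validity and key size
    the runtime would use when it regenerates the stores on this host."""
    props = parse_props(props_text)
    variables = {"hostname": hostname}
    plan = {}
    for cert, (alias_k, dn_k, days_k, size_k) in CERT_PROPS.items():
        plan[cert] = {
            "alias": unique_alias(props["com.ibm.ssl." + alias_k], existing_aliases),
            "subjectDN": resolve(props["com.ibm.ssl." + dn_k], variables),
            "days": int(props["com.ibm.ssl." + days_k]),
            "keySize": int(props["com.ibm.ssl." + size_k]),
        }
    return plan


if __name__ == "__main__":
    # Aliases assumed to be present already in an existing key.p12.
    for name, spec in plan_cert_requests(SAMPLE_PROPS, "test317.java.boot.by",
                                         {"default", "default_1"}).items():
        print(name, spec)
```

Run with a host name and the aliases already in the store; with default and default_1 present, the next default certificate is requested under default_2, and both subject DNs carry the resolved host name.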
The runtime monitors the expiration dates of chained certificates using the certificate expiration monitor. These chained certificates are automatically replaced along with the signer certificates when they are within the expiration threshold, which is typically 30 days before expiration. You can increase the default key size beyond 1024 bits only when the Java Runtime Environment policy files are unrestricted, that is, not exported.
Default keystore and truststore configurations for new Application Server processes
The following sample code shows the default SSL configuration for an application server node.
test317:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/test317Cell01 # less security.xml
<repertoire xmi:id="SSLConfig_1370116587513" alias="NodeDefaultSSLSettings" managementScope="ManagementScope_1370116587513">
  <setting xmi:id="SecureSocketLayer_1370116587513" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1370116587513" trustStore="KeyStore_2" trustManager="TrustManager_1370116587513" keyManager="KeyManager_1370116587513"/>
</repertoire>
Default keystore
In the following sample code, the keystore object that represents the default keystore is similar to the XML object.
<keyStores xmi:id="KeyStore_1370116587513" name="NodeDefaultKeyStore" password="{xor}CDo9Hgw=" provider="IBMJCE" location="${CONFIG_ROOT}/cells/test317Cell01/nodes/exampleNode01/key.p12" type="PKCS12" fileBased="true" hostList="" description="Default key store for exampleNode01" usage="SSLKeys" managementScope="ManagementScope_1370116587513"/>
The NodeDefaultKeyStore keystore contains the personal certificate that represents the identity of the secure endpoint. Any keystore reference can use the ${USER_INSTALL_ROOT} variable, which is expanded by the runtime. The PKCS12 default keystore type is the most interoperable format, which means that it can be imported into most browsers. The keystore's password (WebAS) is encoded.
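The {xor} prefix on the password attribute marks IBM's property-file obfuscation, which XORs each byte with '_' (0x5F) and base64-encodes the result; it is an encoding, not encryption, so the stored value is only as protected as the file permissions on security.xml. The following added example (not part of the page or of WebSphere) uses that fact defensively: it encodes the documented default password the same way and reports every keyStores element whose stored password still equals it, so that an administrator can confirm the default was changed. The sample XML is constructed from the two elements on this page plus a hypothetical rotated keystore.

```python
import base64
import re

XOR_KEY = 0x5F  # '_': the byte that the {xor} scheme XORs each password byte with


def xor_encode(plain):
    """Encode a password the way WebSphere stores it in security.xml:
    byte-wise XOR with 0x5F, then base64, prefixed with {xor}."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


_ELEMENT = re.compile(r"<keyStores\b([^>]*)>")
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def keystore_passwords(security_xml):
    """Map keystore name -> stored password attribute for every keyStores
    element, independent of attribute order."""
    found = {}
    for attrs in _ELEMENT.findall(security_xml):
        a = dict(_ATTR.findall(attrs))
        if "name" in a and "password" in a:
            found[a["name"]] = a["password"]
    return found


def keystores_with_default_password(security_xml, default="WebAS"):
    """Names of keystores whose stored password equals the documented default.
    Comparing encoded forms avoids ever handling the cleartext of other stores."""
    encoded_default = xor_encode(default)
    return sorted(name for name, pw in keystore_passwords(security_xml).items()
                  if pw == encoded_default)


# Constructed sample: the two keyStores elements shown on the page plus one
# hypothetical keystore whose password has been rotated (value made up here).
SAMPLE_SECURITY_XML = """
<keyStores xmi:id="KeyStore_1370116587513" name="NodeDefaultKeyStore" password="{xor}CDo9Hgw=" provider="IBMJCE" location="${CONFIG_ROOT}/cells/test317Cell01/nodes/exampleNode01/key.p12" type="PKCS12" fileBased="true" hostList="" description="Default key store for exampleNode01" usage="SSLKeys" managementScope="ManagementScope_1370116587513"/>
<keyStores xmi:id="KeyStore_1370116587514" name="NodeDefaultTrustStore" password="{xor}CDo9Hgw=" provider="IBMJCE" location="${CONFIG_ROOT}/cells/test317Cell01/nodes/exampleNode01/trust.p12" type="PKCS12" fileBased="true" hostList="" description="Default trust store for exampleNode01" usage="SSLKeys" managementScope="ManagementScope_1370116587513"/>
<keyStores xmi:id="KeyStore_example" name="RotatedKeyStore" password="ROTATED" provider="IBMJCE" location="${CONFIG_ROOT}/cells/test317Cell01/nodes/exampleNode01/rotated.p12" type="PKCS12" fileBased="true" usage="SSLKeys"/>
""".replace('password="ROTATED"', 'password="%s"' % xor_encode("example-rotated-secret"))


if __name__ == "__main__":
    print("encoded default:", xor_encode("WebAS"))
    print("still on default password:", keystores_with_default_password(SAMPLE_SECURITY_XML))
```

The encoded form of WebAS is exactly the {xor}CDo9Hgw= value in the keyStores element above, which is why the check works by comparing the encoded strings rather than decoding anything.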
The management scope determines which server runtime loads the keystore configuration into memory, as shown in the following code sample:
<managementScopes xmi:id="ManagementScope_1370116587513" scopeName="(cell):test317Cell01:(node):exampleNode01" scopeType="node"/>
Any configuration objects that are stored in the security.xml file whose management scopes are outside the current process scope are not loaded in the current process. Instead, the management scope is loaded by servers that are contained within the exampleNode01 node. Any application server that is on the specific node can view the keystore configuration.
When you list the contents of the key.p12 file to show the chained certificate, note that the common name (CN) of the distinguished name (DN) is the host name of the resident machine. This listing enables you to verify the host name by its URL connections. Additionally, you can verify the host name from a custom trust manager.
Contents of default keystore
The following sample code shows the contents of the default key.p12 file in a keytool listing:
test317 ~# /opt/IBM/WebSphere/AppServer/java/bin/keytool -list -keystore /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/test317Cell01/nodes/exampleNode01/key.p12 -storepass WebAS -storetype PKCS12 -v
Keystore type: PKCS12
Keystore provider: IBMJCE

Your keystore contains 1 entry

Alias name: default
Creation date: Jun 1, 2013
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.com, OU=exampleNode01Cell, OU=exampleNode01, O=IBM, C=US
Issuer: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Serial number: 9b91c13263c3
Valid from: 5/31/13 3:56 PM until: 5/31/14 3:56 PM
Certificate fingerprints:
     MD5: E6:AB:A6:4D:7B:4D:29:56:C7:24:88:9A:42:59:0B:E2
     SHA1: 5E:D2:AB:F5:08:0B:17:24:18:49:22:9B:49:B8:5B:5C:E0:BD:DA:11
Certificate[2]:
Owner: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Issuer: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Serial number: 119236c7cb5cb
Valid from: 5/20/13 8:44 AM until: 5/16/28 8:44 AM
Certificate fingerprints:
     MD5: BE:24:51:A4:4C:7B:6C:2A:E5:B4:DF:11:0D:AF:60:42
     SHA1: D4:44:9B:CC:34:A0:94:49:90:B6:D4:E8:C8:B1:D5:42:85:C2:A7:05

*******************************************
*******************************************
The default alias name and the keyEntry entry type indicate that the private key is stored with the public key, which represents a complete personal certificate. The certificate is owned by CN=example.com, OU=exampleNode01Cell, OU=exampleNode01, O=IBM, C=US and is issued by CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US, the WebSphere Application Server root certificate. By default, the certificate is valid for one year from the date of creation.
Additionally, in some signer-exchange situations, the certificate fingerprint ensures that the sent certificate has not been modified. The fingerprint, which is a hash algorithm output for the certificate, is displayed by the WebSphere Application Server runtime during an automated signer exchange on the client side. The client fingerprint must match the fingerprint that is displayed on the server. The runtime typically uses the SHA1 hash algorithm to generate certificate fingerprints.
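The expiration monitor's 30-day threshold and the fingerprint comparison during a signer exchange are both checks you may want to reproduce outside the runtime, for instance in a scheduled job over keytool output. The following added example (written for this page, not WebSphere's or keytool's own code) parses a keytool -list -v listing into entries and chains, flags certificates within the threshold, confirms that each certificate's issuer is the next certificate's owner, and compares a SHA1 fingerprint ignoring case and separators. The listing is reconstructed from the key.p12 output above; the reference time and threshold are assumed inputs.

```python
import re
from datetime import datetime

# Constructed sample: the 'keytool -list -v' output for key.p12 shown on the page.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: IBMJCE

Your keystore contains 1 entry

Alias name: default
Creation date: Jun 1, 2013
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.com, OU=exampleNode01Cell, OU=exampleNode01, O=IBM, C=US
Issuer: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Serial number: 9b91c13263c3
Valid from: 5/31/13 3:56 PM until: 5/31/14 3:56 PM
Certificate fingerprints:
     MD5: E6:AB:A6:4D:7B:4D:29:56:C7:24:88:9A:42:59:0B:E2
     SHA1: 5E:D2:AB:F5:08:0B:17:24:18:49:22:9B:49:B8:5B:5C:E0:BD:DA:11
Certificate[2]:
Owner: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Issuer: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Serial number: 119236c7cb5cb
Valid from: 5/20/13 8:44 AM until: 5/16/28 8:44 AM
Certificate fingerprints:
     MD5: BE:24:51:A4:4C:7B:6C:2A:E5:B4:DF:11:0D:AF:60:42
     SHA1: D4:44:9B:CC:34:A0:94:49:90:B6:D4:E8:C8:B1:D5:42:85:C2:A7:05
*******************************************
*******************************************
"""

DATE_FMT = "%m/%d/%y %I:%M %p"  # keytool's "5/31/14 3:56 PM" style


def parse_keytool_listing(text):
    """Turn 'keytool -list -v' output into entries: alias, entry type and the
    certificates of the chain in order. Every 'Owner:' line starts a new
    certificate, which also covers trustedCertEntry output with no Certificate[n] header."""
    entries, entry, cert = [], None, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Alias name":
            entry, cert = {"alias": value, "type": None, "certs": []}, None
            entries.append(entry)
        elif entry is None:
            continue
        elif key == "Entry type":
            entry["type"] = value
        elif key == "Owner":
            cert = {"owner": value}
            entry["certs"].append(cert)
        elif cert is None:
            continue
        elif key == "Issuer":
            cert["issuer"] = value
        elif key == "Serial number":
            cert["serial"] = value
        elif key == "Valid from":
            start, _, end = value.partition(" until: ")
            cert["not_before"] = datetime.strptime(start, DATE_FMT)
            cert["not_after"] = datetime.strptime(end, DATE_FMT)
        elif key in ("MD5", "SHA1"):
            cert[key.lower()] = value.upper()
    return entries


def expiring_within(entries, now, threshold_days=30):
    """The expiration monitor's test: (alias, chain position, notAfter, days left)
    for every certificate that expires within the threshold."""
    hits = []
    for e in entries:
        for pos, c in enumerate(e["certs"], start=1):
            remaining = (c["not_after"] - now).days
            if remaining <= threshold_days:
                hits.append((e["alias"], pos, c["not_after"], remaining))
    return hits


def chain_links(entry):
    """True when each certificate's issuer is the owner of the next one and the
    last certificate (the root signer) is self-issued."""
    certs = entry["certs"]
    return all(certs[i]["issuer"] == certs[i + 1]["owner"] for i in range(len(certs) - 1)) \
        and certs[-1]["owner"] == certs[-1]["issuer"]


def fingerprint_matches(cert, expected_sha1):
    """Compare a SHA1 fingerprint as shown in a signer exchange, ignoring
    case and colon separators."""
    norm = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(cert.get("sha1", "")) == norm(expected_sha1)


if __name__ == "__main__":
    entries = parse_keytool_listing(SAMPLE_LISTING)
    print(expiring_within(entries, datetime(2014, 5, 10, 12, 0)))
```

Run against 2014-05-10 as the reference time, the chained certificate in position 1 is reported with 21 days left while the root in position 2 is not; the monitor would replace the chained certificate and its signer at that point, as the text describes.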
Default truststore
In the following sample code, the keystore object represents the default trust.p12 truststore. The truststore contains signer certificates that are necessary for making trust decisions:
<keyStores xmi:id="KeyStore_1370116587514" name="NodeDefaultTrustStore" password="{xor}CDo9Hgw=" provider="IBMJCE" location="${CONFIG_ROOT}/cells/test317Cell01/nodes/exampleNode01/trust.p12" type="PKCS12" fileBased="true" hostList="" description="Default trust store for exampleNode01" usage="SSLKeys" managementScope="ManagementScope_1370116587513"/>
Contents of default truststore
The following sample code shows the contents of the default trust.p12 truststore in a keytool listing. By default, for the sample chained certificate, the root certificate signer is included in the truststore. The root signer alias name and the trustedCertEntry entry type indicate that the certificate is the public key. The private key is not stored in this truststore.
test317: ~# /opt/IBM/WebSphere/AppServer/java/bin/keytool -list -keystore /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/test317Cell01/nodes/exampleNode01/trust.p12 -storepass WebAS -storetype PKCS12 -v
Keystore type: PKCS12
Keystore provider: IBMJCE

Your keystore contains 2 entries

Alias name: root
Creation date: Dec 31, 1969
Entry type: trustedCertEntry

Owner: CN=example.com, OU=Root Certificate, OU=exampleNode01Cell, OU=exampleNode01, O=IBM, C=US
Issuer: CN=example.com, OU=Root Certificate, OU=exampleNode01Cell, OU=exampleNode01, O=IBM, C=US
Serial number: 8202aa20d7bd
Valid from: 5/18/13 10:35 AM until: 5/14/28 10:35 AM
Certificate fingerprints:
     MD5: 42:F6:2D:89:36:4C:11:ED:98:0F:EB:B1:7D:0A:90:D0
     SHA1: 00:6E:72:3B:6D:52:DF:12:65:83:E3:6A:8A:7F:73:87:74:B8:F4:14

*******************************************
*******************************************

Alias name: default
Creation date: Dec 31, 1969
Entry type: trustedCertEntry

Owner: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Issuer: CN=test317.java.boot.by, OU=Root Certificate, OU=test317Cell01, OU=test317CellManager01, O=IBM, C=US
Serial number: 119236c7cb5cb
Valid from: 5/20/13 8:44 AM until: 5/16/28 8:44 AM
Certificate fingerprints:
     MD5: BE:24:51:A4:4C:7B:6C:2A:E5:B4:DF:11:0D:AF:60:42
     SHA1: D4:44:9B:CC:34:A0:94:49:90:B6:D4:E8:C8:B1:D5:42:85:C2:A7:05

*******************************************
*******************************************