Renewing SSL Certificates for IBM WebSphere and Apache Tomcat

Renewing a certificate for IBM WebSphere or Apache Tomcat is a relatively straightforward process.  There are, however, some subtle differences between renewing and installing a fresh certificate that I would like to document here primarily so I make it easier on myself the next time I need to simply renew a certificate.  If you are looking for more advanced information please consider these articles on configuring IBM WebSphere for SSL and installing or importing certificates into a WebSphere Trust Store.

If an IBM WebSphere or Apache Tomcat application server is nearing the validation end of their SSL certificates you can follow these steps to ensure that your servers remain secure and your user’s experiences are not interrupted.

IBM WebSphere

Step 1: Backup the existing certificate in case you need to revert.

  • Connect to the server where IBM WebSphere HTTP Server is installed. Navigate to the folder [IBM_HTTPServer_Home]\.
  • Backup or move the existing SSL certificate to an expired_certs folder Ex: C:\IBM\HTTPServer

renewing_ssl_certificate_websphere_apache_tomcat_ibm_maximo_update_ugrade_support_blog_help_tip_troubleshoot

Step 2: Copy the new certificate to IBM WebSphere HTTP Server home folder.

  • Copy the new Maximo SSL certificate to the [IBM_HTTPServer_Home]\ folder. If you need help requesting a new certificate, please refer to our article configuring IBM WebSphere for SSL.

Step 3: Launch IBM Key Management application to import new certificate

  • Launch the IBM Key Management application.
  • Click Export/Import button from the right-side button menu.
  • Select the Import Key radio button.
  • Change the Key file type to PKCS S12 using the drop-down menu.
  • Browser to the file name of the certificate that was copied in Step 3

ibm_maximo_blog_updating_ssl_certificate_websphere_server_security_renew_maximosecrets

  • Click the OK button. Supply the password associated with this certificate.

ibm_maximo_blog_renew_ssl_certificate_security_update_credentials_managed_service_self_help_how to

  • Click the OK button.
  • Select the label under Select a label to change. In the Enter a new label textbox provide a new label for this certificate.

  • Click the OK button.
  • Double-click the certificate that was just added with the new label.

ibm_maximo_blog_supprt_troubleshoot_fix_security_renew_ssl_certificate_update_websphere_apache_tomcat

  • Click the Set the certificate as the default checkbox at the bottom left.

ibm_maximo_blog_validation_of_ssl_certificate_update_websphere_apache_tomcat_troubleshoot_security

  • Click the OK button.
  • The certificate that was just added with the new label should now have an * next to its name.

ibm_maximo_websphere_update_apache_tomcat_renew_ssl_certificate_blog_troubleshoot_support

  • Click the OK button.
  • The certificate that was just added with the new label should now have an * next to its name.

 

Apache Tomcat

Step 1: Backup the existing certificate in case you need to revert.

  • Connect to the server where Apache Tomcat server is installed. Navigate to the folder [Apache_Tomcat_Home]\conf. Ex: C:\Apache\Tomcat\conf
  • Backup or move the existing SSL certificate to a certs folder.
  • Open the server xml file using a text editor.

ibm_maximo_suppprt_renew_new_ssl_cerificate_server_security_validation_websphere_apache_tomcat_blog

 

Step 2: Edit the server.xml file.

  • Locate the section <Connector port=”443” scheme=”https” . Change the name of the certificate if necessary.  Update the keystorePass value to the new password for the certificate.
  • NOTE: This is an XML document. Consequently, any ampersand or quote characters will need to be replaced.  For example, if your password is 1234”& then the value for keystorePass would be keystorePass=”1234&quot;&amp;”

How_to_renew_ssl_certificate_websphere_apache_tomcat_ibm_maximo

  • Save the server xml document and restart the Apache Tomcat service.

Import SSL Certificates into WebSphere Trust Store

Ever tried to connect your Maximo system with an external secured URL? By default, WebSphere is designed not to trust secured external URLs. It will only allow the connection if an administrator specifically instructs WebSphere to do so by importing the certificate into its Trust Store.

Here are some examples of where this may be useful:

  • Connection to a GIS REST service for integrating GIS data with Maximo
  • Connection to a secured Office 365 Email server
  • Connection to a financial system, such as SAP, that uses secured APIs to communicate
  • Connection to an SMS service for texting users when certain system events occur

… and there are many more.

Here is the message you may encounter:


BMXAA1477E - The connection failed to the HTTP handler for the endpoint. Review the error and server log files for information to indicate the cause of the issue, for example, incorrect properties in the DefaultHTTPExit.java handler class. 
com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
java.security.cert.CertPathValidatorException: The certificate issued by CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining

Look familiar? Let’s fix it.

  1. Log into WebSphere as an administrative user.
  2. Click on the Security > SSL Certificate and Key Management link in the left navigation pane.
  3. Click on the Related Items > Key stores and certificates link on the right side of the main pane.
  4. Click on the CellDefaultTrustStore item in the table.
  5. Click on the Additional Properties > Signer certificates link on the right side.
  6. Click on the Retrieve from Port button.
  7. Fill out the Host, Port and Alias fields. For example:
    1. Host: www.google.com
    2. Port: 443
    3. Alias: www.google.com

  8. Press the Retrieve signer information button. Ensure that the values seem reasonably correct (i.e. you don’t get an error back.)
  9. Press the OK button.
  10. Click the Save to Master Configuration link.
  11. Press the OK button after the changes have been synchronized with all of the nodes.

At this point you’ll need to restart Maximo, your node agents, and your deployment manager for the changes to take effect. From here forward, Maximo will now trust that URL and allow the connection.