Posts Tagged ‘Websphere App Server’

Renew certificate in Websphere keystore while retaining same alias

October 12, 2010

Renewing expired SSL certificates in Websphere is problematic in some cases. The Websphere admin console offers few functions for manipulating aliases in keystores, and if a certificate alias is referenced throughout your infrastructure mappings (for example in SSL configurations and web chains), fixing every entry to use a new alias can be cumbersome. Below are a few easy steps to renew or replace an SSL certificate in a keystore while retaining the same alias. The general idea is to manipulate the keystore and truststore with the iKeyman utility instead of the Websphere admin console.

  1. Copy key.p12 and trust.p12 from the Deployment Manager config (<DeploymentManager_profile>\config\cells\<cell_name>) to a separate backup directory
  2. Start the iKeyman.bat utility from the \bin directory in the Deployment Manager profile
  3. Open key.p12 from the backup directory and delete the certificate that you would like to replace in “Personal Certificates”
  4. Now import the new certificate obtained from the CA into the keystore's “Personal Certificates”
  5. When prompted to change the label (it is a GUID in the case of a Microsoft CA issuer), give it the same alias name as it had before. Click “Apply”, then “OK”
  6. You will see the new certificate with the proper alias in the list of “Personal Certificates”
  7. Save the changes to the key.p12 file

Repeat the same steps with the trust.p12 file, but import a .cer file instead of a .pfx so that only the public part of the certificate is imported, and use the “Signer Certificates” folder instead of “Personal Certificates”.

Now that you have prepared both the key.p12 and trust.p12 files:

  1. Stop the Deployment Manager
  2. Copy the new key.p12 and trust.p12 files to the Deployment Manager config (<DeploymentManager_profile>\config\cells\<cell_name>)
  3. Start the Deployment Manager

If you have the option “Synchronize nodes on startup” enabled, you are done and can verify the new certificates in the Websphere console. If not, just synchronize the nodes and they will get the updated key and trust files.


Websphere Password Decoding

December 16, 2008

Passwords stored in Websphere Server configuration files can actually be decoded.

For Websphere ESB 6.1, which runs on top of WAS 6.1.17, the actual command is:

\IBM\WebSphere\ESB\deploytool\itp\plugins>\IBM\WebSphere\ESB\java\bin\java -cp ws_runtime.jar com.ibm.ws.security.util.PasswordDecoder {xor}booqL2sSOm0=
encoded password == "{xor}bWcqL2sSOm0=", decoded password == "hello"

And a very nice online password decoder
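
Why such values decode without any key, shown as an added example (not code from the original post or from IBM): the {xor} prefix marks base64 of the password XORed byte by byte with "_" (0x5F). The sketch audits configuration text for these values and reports where they sit without printing the plaintext; the sample lines, aliases and passwords are constructed for illustration.

```python
import base64
import re

XOR_KEY = 0x5F  # ASCII '_': the fixed byte used by the {xor} encoding
PREFIX = "{xor}"
# Any XML attribute whose value carries the {xor} prefix.
ATTR_RE = re.compile(r'(\w+)="(\{xor\}[A-Za-z0-9+/]*={0,2})"')


def xor_decode(value: str) -> str:
    """Reverse an {xor} value: strip the prefix, base64-decode, XOR each byte."""
    if not value.startswith(PREFIX):
        raise ValueError("value does not carry the {xor} prefix")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def xor_encode(plain: str) -> str:
    """Forward direction, used here only to build constructed sample values."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def audit(config_text: str) -> list:
    """Return (line number, attribute, recoverable) for each {xor} value found.

    The plaintext is deliberately not returned, so the report is safe to share.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for attr, value in ATTR_RE.findall(line):
            try:
                xor_decode(value)
                recoverable = True
            except ValueError:  # bad base64 and bad UTF-8 both subclass ValueError
                recoverable = False
            findings.append((lineno, attr, recoverable))
    return findings


# Constructed sample in the style of a security.xml fragment (not real data).
SAMPLE = "\n".join([
    '<authDataEntries alias="cell01/dbAlias" userId="dbuser" password="{xor}LDo8LTor"/>',
    '<keyStores name="CellDefaultKeyStore" location="key.p12" password="{xor}abc"/>',
    '<userRegistries serverId="wasadmin" serverPassword="%s"/>' % xor_encode("constructed-pw"),
])

if __name__ == "__main__":
    for lineno, attr, ok in audit(SAMPLE):
        print(f"line {lineno}: {attr} is {{xor}}-encoded, recoverable without a key: {ok}")
```

Any attribute this reports as recoverable is effectively stored in clear text, so the protection has to come from file permissions on the configuration directory and its backups.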

WAS 6.1 setup Windows NT Service

September 10, 2008

There is a handy WASService command available in WAS_ROOT\bin that allows Websphere Application Server 6.1 to be integrated with Windows Services.

Samples and documentation on IBM InfoCenter – WASService Command

With WAS security enabled, the first thing we encountered was a failure to stop the WAS service from the service console.

   RoleBasedAuth E   SECJ0306E: No received or invocation credential exist on the thread. … The stack trace  is java.lang.Exception: Invocation and received credentials are both null

To mitigate the problem, add the “stopArgs” parameter specifying the username and password. In addition, to make storing the password more secure, specify “-encodeParams” and the password will be stored in the registry in a non-readable format.

WASService.exe -add "DEV01N01" -serverName server1 -profilePath C:\IBM\pf\ESB\DEV01N01 -stopArgs "-username userA -password passwordXXX" -encodeParams

Checking versions of Websphere FixPacks

June 17, 2008

Websphere Application Server has a nice utility to check the Fixpacks and iFixes installed on the system:

  • <WAS_ROOT>/bin/versionInfo.bat  -maintenancePackages

It will print all the version details and information on Fixpacks.

More on versionInfo options: