Web server plug-in default configuration in SSL
When a web server definition is created in WebSphere Application Server, the web server plug-in is associated with a Certificate Management Services (CMS) keystore containing the signers for the current cell. This enables secure communication between the plug-in and WAS. The keystore is scoped to the web server definition, which makes it visible to this server only; other processes cannot use this keystore definition. The default password for the keystore is WebAS.
WAS uses the plug-in name to create the self-signed certificate. If a self-signed certificate already exists for the node, the certificate is put into the CMS keystore, and all the signers from the cell are added, by default.
security.xml configuration entries for the web server plug-in:
<keyStores xmi:id="KeyStore_1132357815719" name="CMSKeyStore" password="{xor}HRYNFAtrbxEwOzpvbhw6MzM=" provider="IBMCMSProvider" location="C:\WAS\AppServer\profiles\AppSrv01/config/cells/Cell01/nodes/Node01/servers/webserver1/plugin-key.kdb" type="CMSKS" fileBased="true" createStashFileForCMS="true" managementScope="ManagementScope_1132357815718"/>
<managementScopes xmi:id="ManagementScope_1132357815718" scopeName="(cell):Cell01:(node):Node01:(server):webserver1" scopeType="server"/>
The CMS keystore and its stash file referenced by these security.xml entries are generated at the following locations:
C:\WebSphere\AppServer\profiles\Dmgr01\config\cells\Cell01\nodes\Node01\servers\webserver1\plugin-key.kdb
C:\WebSphere\AppServer\profiles\Dmgr01\config\cells\Cell01\nodes\Node01\servers\webserver1\plugin-key.sth
The default password for the keystore is WebAS. We can change the default keystore password by using either the console or the appropriate AdminTask command. The following sample code shows the AdminTask command that we can use to create this CMS keystore.
$AdminTask createCMSKeyStore /config/cells/Cell01/nodes/Node01/servers/webserver1/plugin-key.kdb myhost.austin.ibm.com
Note the following characteristics of the previous example:
- We can create only one CMSKeyStore entry for each management scope. If a CMS keystore already exists for scope...
(cell):Cell01:(node):Node01:(server):webserver1
...then we cannot create another CMSKeyStore entry.
- The Uniform Resource Identifier (URI) for the keystore name is...
/config/cells/Cell01/nodes/Node01/servers/webserver1/plugin-key.kdb
- The host name in the plug-in location is...
myhost.austin.ibm.com
WAS uses this name to create a chained certificate, if a chained certificate does not already exist for that particular node. If a chained certificate already exists for the node, then the certificate is put into the CMS keystore and all the signers from the cell are added, by default.
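The password attribute of the keyStores entry above is stored in WebSphere's "{xor}" form, which is obfuscation (each byte XORed with 0x5F and then base64-encoded), not encryption. An administrator auditing a cell therefore wants a check that a plug-in CMS keystore has not been left at the documented default password of WebAS. The following script is an added example, not IBM's code: it implements the {xor} encoding and decoding, parses a constructed security.xml fragment that mimics the entries shown on this page, and reports every CMSKS keystore whose password still decodes to the default. The helper and finding names are this example's own; only the {xor} scheme, the CMSKS type, the WebAS default and the scope string format come from the page or from documented WebSphere behaviour.

```python
import base64
import xml.etree.ElementTree as ET

# WebSphere "{xor}" encoding: clear-text bytes XORed with 0x5F ('_'), then base64.
# It is reversible by anyone who can read security.xml, so file permissions on
# the profile's config directory and a non-default password are what protect it.
XOR_KEY = 0x5F
DEFAULT_CMS_PASSWORD = "WebAS"  # documented default for the plug-in CMS keystore
XMI_NS = "{http://www.omg.org/XMI}"


def xor_encode(clear: str) -> str:
    """Return the {xor} form of a clear-text password."""
    data = bytes(b ^ XOR_KEY for b in clear.encode("utf-8"))
    return "{xor}" + base64.b64encode(data).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Recover the clear text from a {xor}-encoded value."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    data = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in data).decode("utf-8")


# Constructed sample (not a real cell): two plug-in CMS keystores, the first one
# still at the default password, the second using the encoded value from this page.
SAMPLE_SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
  <keyStores xmi:id="KeyStore_1" name="CMSKeyStore" password="{xor}CDo9Hgw="
    provider="IBMCMSProvider" type="CMSKS" fileBased="true" createStashFileForCMS="true"
    location="/config/cells/Cell01/nodes/Node01/servers/webserver1/plugin-key.kdb"
    managementScope="ManagementScope_1"/>
  <keyStores xmi:id="KeyStore_2" name="CMSKeyStore" password="{xor}HRYNFAtrbxEwOzpvbhw6MzM="
    provider="IBMCMSProvider" type="CMSKS" fileBased="true" createStashFileForCMS="true"
    location="/config/cells/Cell01/nodes/Node02/servers/webserver2/plugin-key.kdb"
    managementScope="ManagementScope_2"/>
  <managementScopes xmi:id="ManagementScope_1"
    scopeName="(cell):Cell01:(node):Node01:(server):webserver1" scopeType="server"/>
  <managementScopes xmi:id="ManagementScope_2"
    scopeName="(cell):Cell01:(node):Node02:(server):webserver2" scopeType="server"/>
</security>"""


def find_default_password_cms_keystores(security_xml: str) -> list:
    """Return one finding per CMSKS keystore whose password decodes to the default.

    Passwords that are not in {xor} form (for example a custom encryption
    prefix) cannot be checked here and are skipped rather than reported.
    """
    root = ET.fromstring(security_xml)
    # Map managementScope ids to human-readable scope names.
    scopes = {s.get(XMI_NS + "id"): s.get("scopeName")
              for s in root.iter("managementScopes")}
    findings = []
    for ks in root.iter("keyStores"):
        if ks.get("type") != "CMSKS":
            continue
        password = ks.get("password", "")
        if not password.startswith("{xor}"):
            continue
        if xor_decode(password) == DEFAULT_CMS_PASSWORD:
            findings.append({
                "name": ks.get("name"),
                "scope": scopes.get(ks.get("managementScope"), "<unknown scope>"),
                "location": ks.get("location"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_default_password_cms_keystores(SAMPLE_SECURITY_XML):
        print("default password still in use: %(name)s at %(scope)s (%(location)s)" % finding)
```

Run it against a real security.xml by reading the file into find_default_password_cms_keystores; each finding names the server scope whose keystore should get a new password through the console or the AdminTask password-change command, after which the stash file is regenerated by WAS.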
When additional nodes are federated, the signers for these nodes are not automatically added to each web server's CMS keystore. For the web server plug-in to be able to communicate with a newly federated node, you must manually exchange signers with the CMSKeyStore keystore. Use the console keystore certificate management function to exchange signers.
Related tasks
Configure the web server plug-in for Secure Sockets Layer