Add the correct SSL Signer certificates to the plug-in keystore

Personal certificates contain a private key and a public key. We can extract the public key, called the signer certificate, to a file, then import the certificate into another keystore. During a Secure Sockets Layer (SSL) connection, the server sends its personal certificate to the client. The client must have the matching signer certificate to validate it.

The keystore containing a personal certificate must exist.

Complete this procedure for each WAS node. If multiple WAS nodes use the same exact personal certificate, then add only the corresponding signer certificate once to the plug-in keystore.


Tasks

  1. Click...

  2. You see a chained certificate.

    The personal certificate is the first one in the chain. The signer certificate is the second one in the chain. Look at the CN in the signer certificate. Also, look at the serial number of the signer certificate.

    This certificate is the exact signer certificate that we must use.

  3. Click to return to the Keystores and certificates page.

  4. Click...

      NodeDefaultTrustStore | Signer certificates

  5. Find the signer certificate with the matching CN and serial number from step 2 and check the box next to it. Click Extract.

  6. Enter a temporary path and file name, such as...

      tmp/nodeRootSigner.arm

    Click OK.

  7. Click to return to the Manage endpoint security configurations page.

  8. Find the node containing the web server definition.

    Expand the node, then expand its servers folder to find the web server. Click the web server name.

  9. Click Keystores and certificates.

  10. Click CMSKeyStore.

    CMSKeyStore is a link to the plugin-key.kdb file.

  11. Click Signer certificates and then click Add.

  12. Enter an Alias and the path and file name from step 6.

    Click OK.

  13. Click Save to save the changes.

  14. Repeat steps 8-13 for each WAS node.

    If multiple WAS nodes use the same personal certificate, add the corresponding signer certificate to the plug-in keystore only once.

  15. Click...

      Servers | Server Types | Web servers | web server | Plug-in properties | Copy to Web server key store directory

  16. Stop and restart the web server, then test that the plug-in connects to the application server successfully.

The signer portion of the personal certificate is stored in the file provided.
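The console steps above identify the signer by eye (CN and serial number in step 2, matching entry in step 5) and never confirm that the extracted file actually validates the personal certificate before it is added to plugin-key.kdb. The script below is an added example, not code from the original page or from WebSphere or GSKit tooling: it builds a throwaway CA-signed personal certificate chain with openssl, extracts the second certificate of the chain to an .arm file as step 6 does, reads its CN and serial number, and then checks that the personal certificate's issuer is that CN and that the signer validates it. All names and paths (demoNodeRootCA, demoNode01, the temporary directory) are constructed for the demonstration; only nodeRootSigner.arm is taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page or from WebSphere/GSKit tooling.
# Builds a throwaway CA-signed "personal" certificate chain with openssl,
# then identifies and verifies the signer certificate the way steps 2 and 5
# do by eye in the console. Every name and path below is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed signer (CA) and personal (server) certificates, valid one day.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=demoNodeRootCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demoNode01" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
  # Order as the server presents it: personal certificate first, signer second.
  cat "$WORK/server.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# Step 6 equivalent: write the second certificate of the chain to an .arm file.
extract_signer() {
  nth_cert "$1" 2 > "$2"
}

# Subject CN, issuer CN and serial number of one certificate.
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Step 5 check: the candidate signer must carry the CN that the personal
# certificate names as its issuer, and must actually validate it.
signer_matches() {
  chain=$1
  signer=$2
  nth_cert "$chain" 1 > "$WORK/leaf.pem"
  [ "$(cert_issuer_cn "$WORK/leaf.pem")" = "$(cert_subject_cn "$signer")" ] \
    || return 1
  openssl verify -CAfile "$signer" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_demo_chain
extract_signer "$WORK/chain.pem" "$WORK/nodeRootSigner.arm"
echo "signer CN:     $(cert_subject_cn "$WORK/nodeRootSigner.arm")"
echo "signer serial: $(cert_serial "$WORK/nodeRootSigner.arm")"
if signer_matches "$WORK/chain.pem" "$WORK/nodeRootSigner.arm"; then
  echo "signer validates the personal certificate: safe to add to plugin-key.kdb"
else
  echo "signer does NOT validate the personal certificate" >&2
  exit 1
fi
```

Run against a real node, point `extract_signer` and `signer_matches` at the chain exported from NodeDefaultKeyStore instead of the constructed one; the CN and serial the script prints are the values to look for in step 5, and a failed `signer_matches` means the wrong entry was extracted. The script only checks the signer; adding it to plugin-key.kdb is still done through steps 10 to 15 in the console.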


What to do next

The signer can now be imported into other keystores.


Related:

  • SSL configurations
  • Dynamic outbound selection of Secure Sockets Layer configurations
  • Keystore configurations for SSL
  • PersonalCertificateCommands