Change the default SSL keystore and truststore files
To protect the integrity and confidentiality of messages sent across the Internet, it is recommended that you change the default SSL keystore and truststore files that are packaged with WebSphere Application Server. The default files are the same in every installation of the product, so anyone with a copy of the product holds the same private key and can impersonate or decrypt a server that still uses them. We provide a single location where you can specify SSL configurations that are shared by the WebSphere Application Server features that use SSL, including the LDAP user registry, the Web container, and the authentication protocols (CSIv2 and SAS). For an example of creating a new keystore file, see Use Java keystore files. You can create different keystore and truststore files for different uses, or you can create one pair of files that applies to every case in which the server uses SSL. After you create the new keystore and truststore files, specify them in the SSL configuration repertoire. To work with the SSL configuration repertoire, expand Security and click SSL in the administrative console topology tree. You can edit DefaultSSLConfig or create a new SSL configuration with a new alias.
If you create a new alias for your new keystore and truststore files, update every location that refers to the SSL configuration alias DefaultSSLConfig so that it uses the new alias; any location you miss keeps using the default key files. In the administrative console, make the change in each of these locations:
- Security --> User Registries --> LDAP
- Security --> Authentication Protocol --> CSIv2 Inbound Transport
- Security --> Authentication Protocol --> CSIv2 Outbound Transport
- Security --> Authentication Protocol --> SAS Inbound Transport
- Security --> Authentication Protocol --> SAS Outbound Transport
- Servers --> Application Servers --> app_server --> Web Container --> HTTP transports --> host
- Servers --> Application Servers --> app_server --> Server Level Security --> CSIv2 Inbound Transport
- Servers --> Application Servers --> app_server --> Server Security --> CSIv2 Outbound Transport
- Servers --> Application Servers --> app_server --> Server Security --> SAS Inbound Transport
- Servers --> Application Servers --> app_server --> Server Security --> SAS Outbound Transport
In this list, app_server is the name of your application server and host is the value of the Host property for an HTTP transport.
Update the sas.client.props and soap.client.props files
The sas.client.props file is used by secure enterprise bean clients. For more information about configuring sas.client.props for secure enterprise bean clients, see Configure SSL for Java client authentication. Both the sas.client.props and the soap.client.props files are used to support secure RMI and SOAP connections for the administrative tools. See Security settings for wsadmin in the Administration topic for more information about configuring secure RMI and SOAP connections for the administrative tools.
Edit the sas.client.props and soap.client.props files to set the following properties for your new client keystore and truststore files:
- com.ibm.ssl.keyStore
- com.ibm.ssl.keyStorePassword
- com.ibm.ssl.trustStore
- com.ibm.ssl.trustStorePassword
Note: To encode passwords in your sas.client.props and soap.client.props files see Manually encoding passwords in properties files.
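The following script is an added example, not part of the WebSphere documentation or the product. It encodes passwords in the {xor} form that the properties files accept, rewrites the four SSL properties in a sas.client.props or soap.client.props body, and audits a file for the mistakes that leave the default key files in use: a missing property, a plain-text password, or a keyStore/trustStore path that still points at the product's default client key files. The {xor} scheme XORs each byte of the password with 0x5F and base64-encodes the result; it is reversible obfuscation, not encryption, so file permissions on the properties files still matter. The default file names DummyClientKeyFile.jks and DummyClientTrustFile.jks, the sample properties, and the paths are assumptions for illustration; verify them against your own installation.

```python
"""Encode {xor} passwords and point sas.client.props / soap.client.props at new key files.

Added example, not part of the WebSphere documentation. Assumes the {xor}
encoding used by the product's password encoder: each byte of the password is
XORed with 0x5F ('_') and the result is base64-encoded. That is obfuscation,
not encryption: anyone who can read the file can recover the password.
"""
import base64
import re

XOR_KEY = 0x5F  # '_' ; the constant used by the {xor} scheme

# Assumed names of the default client key files shipped with the product;
# verify against your own install before relying on them.
DEFAULT_CLIENT_FILES = ("DummyClientKeyFile.jks", "DummyClientTrustFile.jks")

SSL_PROPERTIES = (
    "com.ibm.ssl.keyStore",
    "com.ibm.ssl.keyStorePassword",
    "com.ibm.ssl.trustStore",
    "com.ibm.ssl.trustStorePassword",
)


def xor_encode(password: str) -> str:
    """Return the {xor}... form of a plain-text password."""
    data = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(data).decode("ascii")


def xor_decode(value: str) -> str:
    """Reverse xor_encode(); a value without the {xor} prefix is returned unchanged."""
    if not value.startswith("{xor}"):
        return value
    data = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in data).decode("utf-8")


def update_ssl_properties(text, key_store, key_pw, trust_store, trust_pw):
    """Rewrite the four SSL properties in a properties-file body, keeping all other lines."""
    new_values = {
        "com.ibm.ssl.keyStore": key_store,
        "com.ibm.ssl.keyStorePassword": xor_encode(key_pw),
        "com.ibm.ssl.trustStore": trust_store,
        "com.ibm.ssl.trustStorePassword": xor_encode(trust_pw),
    }
    seen, out = set(), []
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=", line)
        if m and m.group(1) in new_values:
            name = m.group(1)
            out.append(f"{name}={new_values[name]}")
            seen.add(name)
        else:
            out.append(line)
    for name in SSL_PROPERTIES:  # append any property the file did not have
        if name not in seen:
            out.append(f"{name}={new_values[name]}")
    return "\n".join(out) + "\n"


def audit_ssl_properties(text) -> list:
    """Return findings: missing properties, plain-text passwords, default key files still in use."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    findings = []
    for name in SSL_PROPERTIES:
        if name not in props:
            findings.append(f"missing: {name}")
        elif name.endswith("Password") and not props[name].startswith("{xor}"):
            findings.append(f"plain-text password: {name}")
    for name in ("com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"):
        path = props.get(name, "")
        if any(path.endswith(d) for d in DEFAULT_CLIENT_FILES):
            findings.append(f"default key file still referenced: {name}={path}")
    return findings


# Constructed sample of the relevant lines of a client properties file (not a real file).
SAMPLE_PROPS = """\
com.ibm.CORBA.securityEnabled=true
com.ibm.ssl.keyStore=/opt/WebSphere/AppServer/etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStore=/opt/WebSphere/AppServer/etc/DummyClientTrustFile.jks
com.ibm.ssl.trustStorePassword=WebAS
"""

if __name__ == "__main__":
    print(audit_ssl_properties(SAMPLE_PROPS))
    updated = update_ssl_properties(
        SAMPLE_PROPS,
        "/opt/WebSphere/AppServer/etc/ClientKeyFile.jks", "s3cretKey",
        "/opt/WebSphere/AppServer/etc/ClientTrustFile.jks", "s3cretTrust",
    )
    print(updated)
    print(audit_ssl_properties(updated))
```

Run the audit against both files before and after the change; an empty list means every property is present, every password is encoded, and neither path still names a default client key file.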
Update the SSL configuration for the WebSphere Web server plug-in
For more information about updating the SSL configuration for the plug-in, see Configure SSL for WebSphere plug-ins.
Note: SSL is enabled for the Web server plug-in in the default configuration, so the plug-in also uses the default key files until you update it.
Change the default secure sockets layer repertoire key files (Network Deployment only)
The default Secure Sockets Layer (SSL) repertoire is used to secure communication between internal Java processes when you enable global security. If you change the key files used by the default SSL repertoire of the deployment manager, change the default SSL key files of every federated node to the same key files that the deployment manager uses.
After you change the default SSL key files used by the deployment manager, but before you federate a new node that has global security enabled, change the default SSL key files of the unfederated node to match the key files used by the deployment manager. Without this change, the deployment manager cannot connect to the unfederated node when it attempts to federate it.
Perform the following steps in the WebSphere administrative console to configure the deployment manager and the nodes to use the new key files:
In the navigation menu, click Security --> SSL.
Click the alias of your SSL configuration repertoire.
Modify the value of the Key File Name field to the name of the new key file.
In the Key File Password field, enter the password to access the new key file.
Select the format from the Key File Format options that matches the format that is used by the new key file.
Modify the value of the Trust File Name field to the name of the new trust file.
In the Trust File Password field, enter the password to access the new trust file.
Select the format from the Trust File Format options that matches the format that is used by the new trust file.
Click Apply to apply the changes.
Save the configuration.
Repeat the steps on each federated node. If a federated node is on a separate machine, copy the key and trust files onto that machine. After repeating the steps for each federated node, restart the deployment manager and all of the federated nodes.
Note: Do not restart the deployment manager before you complete the default SSL repertoire settings on every federated node. If you restart the deployment manager before you change the default SSL key files of the federated nodes, the deployment manager cannot communicate with federated nodes that have global security enabled. To recover, revert the default SSL key files of the deployment manager to the original key and trust files and restart the deployment manager.
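The following script is an added example, not part of the WebSphere documentation or the product. It is the pre-restart check the note above calls for: before the deployment manager is restarted, it confirms that every federated node carries byte-identical copies of the deployment manager's key and trust files, and that each file's on-disk format matches the Key File Format and Trust File Format selected in the console (a JKS file starts with the magic number 0xFEEDFEED; a PKCS12 file is a DER SEQUENCE and starts with 0x30). The node layout, the file names, and the sample keystore bytes (which carry only a JKS header) are constructed for illustration; run load_cell() against the real directories on your cell.

```python
"""Pre-restart check for a Network Deployment cell.

Added example, not part of the WebSphere documentation. Confirms that every
federated node has the same default-repertoire key and trust files as the
deployment manager and that the files are in the format selected in the
console. Format detection relies on the JKS magic number 0xFEEDFEED and on
PKCS#12 files being DER SEQUENCEs (first byte 0x30).
"""
import hashlib
from pathlib import Path

JKS_MAGIC = b"\xfe\xed\xfe\xed"


def detect_format(data: bytes) -> str:
    """Classify keystore bytes as 'JKS', 'PKCS12' or 'UNKNOWN' from the leading bytes."""
    if data[:4] == JKS_MAGIC:
        return "JKS"
    if data[:1] == b"\x30":  # DER SEQUENCE: the outer PFX structure of PKCS#12
        return "PKCS12"
    return "UNKNOWN"


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_cell(dmgr: dict, nodes: dict, expected_format: str) -> list:
    """dmgr = {'key': bytes, 'trust': bytes}; nodes = {node_name: {'key': bytes, 'trust': bytes}}.

    Returns a list of problems; an empty list means it is safe to restart the
    deployment manager.
    """
    problems = []
    for kind in ("key", "trust"):
        fmt = detect_format(dmgr[kind])
        if fmt != expected_format:
            problems.append(f"dmgr {kind} file is {fmt}, repertoire says {expected_format}")
    for name, files in nodes.items():
        for kind in ("key", "trust"):
            if kind not in files:
                problems.append(f"{name}: {kind} file missing")
            elif fingerprint(files[kind]) != fingerprint(dmgr[kind]):
                problems.append(f"{name}: {kind} file differs from deployment manager")
    return problems


def load_cell(dmgr_dir: Path, node_dirs: dict, key_name: str, trust_name: str):
    """Read the files from disk into the shape check_cell() expects.

    dmgr_dir and each value of node_dirs are the directories holding the key
    files (for example the etc directory of each profile); node_dirs maps a
    node name to its directory.
    """
    def read(d: Path) -> dict:
        out = {}
        for kind, fname in (("key", key_name), ("trust", trust_name)):
            p = d / fname
            if p.is_file():
                out[kind] = p.read_bytes()
        return out
    return read(dmgr_dir), {n: read(d) for n, d in node_dirs.items()}


# Constructed sample: fake keystore bytes carrying only a JKS header (magic + version 2),
# not real keystores.
NEW_KEY = JKS_MAGIC + b"\x00\x00\x00\x02" + b"new-key"
NEW_TRUST = JKS_MAGIC + b"\x00\x00\x00\x02" + b"new-trust"
OLD_KEY = JKS_MAGIC + b"\x00\x00\x00\x02" + b"old-key"

SAMPLE_DMGR = {"key": NEW_KEY, "trust": NEW_TRUST}
SAMPLE_NODES = {
    "node01": {"key": NEW_KEY, "trust": NEW_TRUST},  # already updated
    "node02": {"key": OLD_KEY, "trust": NEW_TRUST},  # key file not yet replaced
    "node03": {"trust": NEW_TRUST},                  # key file never copied over
}

if __name__ == "__main__":
    problems = check_cell(SAMPLE_DMGR, SAMPLE_NODES, "JKS")
    for p in problems:
        print("BLOCKED:", p)
    if not problems:
        print("all nodes match the deployment manager; safe to restart")
```

Run it after completing the repertoire steps on the last node and before restarting anything; any reported problem means a restart of the deployment manager would cut it off from that node.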