This post shows how to create and configure custom keystores and truststores instead of relying on the default keystores and truststores that are created during profile creation.
This is useful when two or more applications run on the same application server profile and one of them needs its own certificates. The custom keystores and truststores can be configured at server or cluster level.
-> Default keystores and truststores are created and configured at cell level during profile creation.
-> Custom keystores and truststores can be created and configured at node, cluster or server level for the application that needs them. This keeps that application's keystores independent of the other applications on the profile.
In case of the following error:
Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
the steps below fix it when the cause is that the truststore the JVM uses does not contain the signer certificate of the remote endpoint, or the remote side does not trust the certificate this server presents. handshake_failure is a generic alert, though: a protocol or cipher-suite mismatch, or a client certificate the remote side requires and this JVM has no key for, produce the same message. Confirm the cause first by restarting with -Djavax.net.debug=ssl:handshake in the Generic JVM arguments and reading the handshake trace in the server's stdout log (native_stdout.log) before changing the keystore configuration.
Creating the keystore and truststore from the console:
Step 1: Navigate to Security > SSL certificate and key management > Manage endpoint security configurations > Inbound > NodeName > ServerName > Key stores and certificates > New
Step 2: Fill in the relevant fields.
Name : CustomKeystore
Description : Keystore specific to an application
Management scope : Read-only. It shows the scope you navigated into in Step 1, written as (cell):...:(node):...:(server):...; with the path above it is the server scope.
Path : The path where the keystore file (for example key.p12) is to be created.
Password : The default is WebAS. Change it: WebAS is the documented WebSphere default, so it is the first value anyone will try, and the password will later appear in clear text in the JVM arguments.
Type : PKCS12 (p12) is used here; choose the type that suits your environment.
Remotely managed : Tick this only if the keystore file lives on a remote host. You must then supply the alias of that host as it appears in serverindex.xml, otherwise the console reports an error.
Step 3: Once you click Apply, the keystore file is created at the path you specified.
Step 4: Repeat the same steps to create the truststore (for example trust.p12). A newly created truststore is empty: add the signer certificate of the endpoint this application connects to (Key stores and certificates > the new truststore > Signer certificates > Add, or Retrieve from port) before pointing the JVM at it, because a truststore with no signer entries cannot validate any peer and the handshake still fails.
With the above steps, the keystore and truststore are created.
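As an added example (not part of the original post), the same two stores created from the command line with the JDK keytool rather than the console, including the signer import that a console-created truststore still needs. It assumes keytool is on PATH (WebSphere's bundled JDK ships one under its java/bin directory) and uses a self-signed certificate and placeholder passwords; both are assumptions to replace with the real certificate and your own passwords.

```shell
#!/bin/sh
# Added example (not from the original post): create a server keystore and
# a truststore as PKCS12 files with the JDK keytool, then put the signer
# certificate into the truststore. Assumes keytool is on PATH, that a
# self-signed certificate stands in for the application's real one, and
# that the placeholder passwords below are replaced before real use.
set -u

STORE_DIR=${STORE_DIR:-$(mktemp -d)}    # where key.p12 / trust.p12 are written
KEYPASS=${KEYPASS:-Ch4nge-me-key}       # assumption: replace before use
TRUSTPASS=${TRUSTPASS:-Ch4nge-me-trust} # assumption: replace before use

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; nothing created" >&2
    exit 0
fi

# 1. Keystore holding the server's private key and (self-signed) certificate.
#    PKCS12 requires the key password to equal the store password.
keytool -genkeypair -alias custom-app -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=app.example.internal, O=Example" \
    -keystore "$STORE_DIR/key.p12" -storetype PKCS12 \
    -storepass "$KEYPASS" -keypass "$KEYPASS"

# 2. Export the certificate that peers must trust. In real use this is the
#    CA or server certificate of the remote endpoint, obtained out of band;
#    exporting our own certificate only shows the mechanics offline.
keytool -exportcert -alias custom-app -rfc -file "$STORE_DIR/custom-app.pem" \
    -keystore "$STORE_DIR/key.p12" -storetype PKCS12 -storepass "$KEYPASS"

# 3. Truststore: the first import creates the file. Without at least one
#    signer entry the JVM has no trust anchors and every handshake fails.
keytool -importcert -noprompt -alias custom-app-signer \
    -file "$STORE_DIR/custom-app.pem" \
    -keystore "$STORE_DIR/trust.p12" -storetype PKCS12 -storepass "$TRUSTPASS"

# 4. Inspect the result: expect one PrivateKeyEntry and one trustedCertEntry.
keytool -list -keystore "$STORE_DIR/key.p12" -storetype PKCS12 -storepass "$KEYPASS"
keytool -list -keystore "$STORE_DIR/trust.p12" -storetype PKCS12 -storepass "$TRUSTPASS"
echo "stores written to $STORE_DIR"
```

Point the Generic JVM arguments in the next section at the files under STORE_DIR. The self-signed round trip in steps 1 to 3 is only there so the script runs offline; in production the certificate imported in step 3 comes from the remote endpoint, not from your own keystore.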
Next, configure the application server to use these stores instead of the defaults. The javax.net.ssl.* system properties below replace the JVM-wide JSSE defaults, so they apply to every application in this server that uses the default SSLContext (for instance plain java.net HTTPS clients); WebSphere's own SSL configurations under SSL certificate and key management are separate and keep using the keystores assigned at their scope. The steps are:
Step 1: Log in to the WebSphere Application Server console.
Step 2: Navigate to Servers > Server Types > WebSphere application servers > (select the server that should use the custom keystores) > Java and Process Management > Process Definition > Java Virtual Machine
Step 3: Add the following to the Generic JVM arguments field, with the paths and passwords of the stores you created:
-server -Djavax.net.ssl.trustStore=Path to truststore/trust.p12 -Djavax.net.ssl.trustStorePassword=WebAS -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.keyStore=Path to Keystore/key.p12 -Djavax.net.ssl.keyStorePassword=WebAS -Djavax.net.ssl.keyStoreType=PKCS12
Step 4: Apply, save the change to the master configuration, restart the server, and check the running process:
ps -eaf | grep java | grep <servername>
The output should show the arguments you added. Note that it also shows both store passwords in clear text to every user who can run ps on the host. If that is not acceptable, assign the custom stores to an SSL configuration under SSL certificate and key management instead of passing them as JVM arguments; WebSphere keeps those passwords encoded in its configuration files rather than on the command line.
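As an added check (not from the original post), a small script that parses the ps output line for the javax.net.ssl.* properties and flags the mistakes that keep the handshake failing after the change: a missing property, a path that does not exist, a store type that does not match the file extension, and a password left at the default WebAS. The sample command lines and the empty placeholder .p12 files are constructed fixtures, and the parser assumes the store paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the JSSE
# properties on a WebSphere JVM command line, such as the line printed by
# `ps -eaf | grep java | grep <servername>`, before trusting the restart.
# Assumes paths contain no spaces; the sample command lines and the empty
# .p12 files below are constructed fixtures, not real stores.

# Value of one -Dname=value property from a command line ("" if absent).
jvm_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | head -n 1
}

# Check the six javax.net.ssl.* properties: present, file exists, declared
# type matches the file extension, password set and not the default WebAS.
# Prints one line per finding; the exit status is the number of findings.
check_jsse_args() {
    cmdline=$1
    problems=0
    for role in keyStore trustStore; do
        path=$(jvm_prop "$cmdline" "javax.net.ssl.$role")
        pass=$(jvm_prop "$cmdline" "javax.net.ssl.${role}Password")
        type=$(jvm_prop "$cmdline" "javax.net.ssl.${role}Type")
        if [ -z "$path" ]; then
            echo "MISSING: -Djavax.net.ssl.$role is not set"
            problems=$((problems + 1))
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "NO FILE: $role points at $path, which does not exist"
            problems=$((problems + 1))
        fi
        case "$path" in
            *.p12|*.pfx) expected=PKCS12 ;;
            *.jks)       expected=JKS ;;
            *)           expected= ;;
        esac
        if [ -n "$expected" ] && [ "$type" != "$expected" ]; then
            echo "TYPE: $role $path should be declared $expected (got '${type:-unset}')"
            problems=$((problems + 1))
        fi
        if [ -z "$pass" ]; then
            echo "MISSING: -Djavax.net.ssl.${role}Password is not set"
            problems=$((problems + 1))
        elif [ "$pass" = "WebAS" ]; then
            echo "WEAK: $role still uses the WebSphere default password WebAS"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed fixtures: empty placeholder store files and two command lines,
# one complete and one with the typical mistakes.
FIXTURE_DIR=$(mktemp -d)
: > "$FIXTURE_DIR/key.p12"
: > "$FIXTURE_DIR/trust.p12"
GOOD_CMDLINE="java -server -Djavax.net.ssl.trustStore=$FIXTURE_DIR/trust.p12 -Djavax.net.ssl.trustStorePassword=s3cret-trust -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.keyStore=$FIXTURE_DIR/key.p12 -Djavax.net.ssl.keyStorePassword=s3cret-key -Djavax.net.ssl.keyStoreType=PKCS12"
BAD_CMDLINE="java -server -Djavax.net.ssl.keyStore=$FIXTURE_DIR/key.p12 -Djavax.net.ssl.keyStorePassword=WebAS"

echo "== good =="; check_jsse_args "$GOOD_CMDLINE" && echo "no problems"
echo "== bad ==";  check_jsse_args "$BAD_CMDLINE"  || echo "$? problem(s) found"
```

On the server host, run check_jsse_args "$(ps -eaf | grep java | grep <servername>)" after the restart. That the script can read both passwords straight out of the process list is the reason to treat the Generic JVM arguments as sensitive configuration.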
That’s it. You are now using the customized keystores and certificates.