Monday 16 April 2012

IBM WebSphere Application Server - Plugin Personal Certificate will expire on April 26, 2012

Does this affect you?

Abstract

The personal certificate called "WebSphere Plugin Key" within the plugin-key.kdb that is shipped with the WebSphere Plugin install will expire on April 26, 2012.

Content

When the plugin is first installed, it places a copy of the plugin-key.kdb file within the [Plugin_Home]/etc directory. When the plugin is configured to an installed web server, it will pull a copy of this file from the [Plugin_Home]/etc location and place it within the [Plugin_Home]/config/{webservername} directory.

This key file contains a personal certificate that is set to expire by April 26, 2012. Action may be required to maintain encryption between the plugin and application server(s). Please read this documentation carefully to determine if you are affected and what steps may be needed to correct this situation.

I'd strongly recommend that you check this Technote, if you use IBM WebSphere Application Server and the WebSphere Plugin.

In our environment, I used the GSK command, as the IKeyMan GUI was not available to me on my headless Linux boxes:

$ /opt/IBM/HTTPServer/bin/gsk7cmd -cert -list -db /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.kdb -pw WebAS

This gave me my cell-level certificate, e.g. CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US, which I then checked for expiration as follows:

Label: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Key Size: 1024 
Version: X509 V3 
Serial Number: 11 FA EF 15 F5 2F E1 18 
Issued by: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Subject: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Valid: From: Thursday, 20 January 2011 12:05:44 o'clock GMT To: Friday, 16 January 2026 12:05:44 o'clock GMT 
Fingerprint: AE:2A:DC:10:6C:4A:18:A3:A0:46:A3:FD:EB:6E:2E:D0:8A:D2:CE:66 
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5) 
Trust Status: enabled 

Just because my environment is OK does NOT mean that yours is … go check, go check NOW
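
To run the same check across many key files without reading each date by eye, the certificate details can be parsed and compared against a warning window. The following is an added example, not part of the original post or IBM's Technote; it assumes the "Label:" / "Valid:" layout shown above, the function names are hypothetical, and the second sample record is constructed.

```python
import re
from datetime import datetime, timezone

# Timestamp layout used on the "Valid:" line of the output shown above.
STAMP = "%A, %d %B %Y %H:%M:%S o'clock GMT"

# First record: Label/Valid lines copied from the post.
# Second record: constructed for illustration, not read from a real key file.
SAMPLE = """\
Label: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Valid: From: Thursday, 20 January 2011 12:05:44 o'clock GMT To: Friday, 16 January 2026 12:05:44 o'clock GMT
Label: WebSphere Plugin Key
Valid: From: Thursday, 26 April 2007 12:00:00 o'clock GMT To: Thursday, 26 April 2012 12:00:00 o'clock GMT
"""

def parse_certs(text):
    """Return [(label, not_after)] for every Label/Valid pair in the text."""
    certs, label = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Label:"):
            label = line[len("Label:"):].strip()
        elif line.startswith("Valid:") and label is not None:
            match = re.search(r"To:\s*(.+)$", line)
            if match is None:
                raise ValueError(f"no 'To:' date for {label!r}")
            not_after = datetime.strptime(match.group(1).strip(), STAMP)
            certs.append((label, not_after.replace(tzinfo=timezone.utc)))
            label = None  # a Valid line closes the current record
    return certs

def expiring(certs, now, warn_days=30):
    """Return [(label, days_left)] for certificates that have expired
    (negative days_left) or expire within warn_days of 'now'."""
    flagged = []
    for label, not_after in certs:
        days_left = (not_after - now).days
        if days_left < warn_days:
            flagged.append((label, days_left))
    return flagged

if __name__ == "__main__":
    # Evaluate the sample as of the date of the post.
    today = datetime(2012, 4, 16, tzinfo=timezone.utc)
    for label, days_left in expiring(parse_certs(SAMPLE), today):
        state = "EXPIRED" if days_left < 0 else "expires soon"
        print(f"{state}: {label} ({days_left} days)")
```
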
