Thursday, 15 August 2013

SSL and WebSphere Application Server

The first of, almost certainly, a whole slew of posts as I dig into SSL in WAS 7.

I'm really trying to establish why my newly minted WAS profiles turn up with the cell-level and node-level root Signer certificate issuer set to: -

CN=localhost, OU=Root Certificate, OU=localhostNode01Cell, OU=rhel6Node01, O=IBM, C=US  

even though my fully-qualified hostname is: -

as confirmed by Java: -

import java.net.InetAddress;
import java.net.UnknownHostException;

public class getHost {

  public static void main(String[] args) {

    try {
      InetAddress address = InetAddress.getLocalHost();
      System.out.println("My name is " + address.getHostName());
    } catch (UnknownHostException e) {
      System.out.println("I'm sorry. I don't know my own name.");
    }

  }

}


which returns: -

My name is rhel6.uk.ibm.com

and Snoop: -


Of course, these are self-signed certificates, and WAS is the signer / root Certificate Authority (CA).

But why does the Common Name (CN) come out as localhost rather than, say rhel6.uk.ibm.com ??




This is what I have in my node-level trust store: -

${CONFIG_ROOT}/cells/localhostNode01Cell/nodes/rhel6Node01/trust.p12

For the record, this particular profile is a pure application server ( AppSrv01 ) with no managed cell.

I did find this command: -

$ /opt/IBM/WebSphere/AppServer/bin/retrieveSigners.sh -listRemoteKeyStoreNames

Realm/Cell Name: <default>
Username: wasadmin
Password:         
 CWPKI0306I: The following remote keystores exist on the specified server:
           NodeDefaultRootStore, NodeDefaultKeyStore, NodeRSATokenRootStore,
           NodeRSATokenTrustStore, NodeDefaultSignersStore,
           NodeDefaultDeletedStore, NodeDefaultTrustStore,
           NodeRSATokenKeyStore, NodeLTPAKeys

which is useful, but doesn't solve the problem :-)

Anyhow, this is how I created the profile: -

-create
 -applyPerfTuningSetting standard
 -adminUserName wasadmin
 -adminPassword ****************
 -enableAdminSecurity true
 -cellName localhostNode01Cell
 -nodeName rhel6Node01
 -portsFile /opt/IBM/WebSphere/AppServer/logs/manageprofiles/1376559474506_portdef.props
 -personalCertDN cn=localhost, ou=localhostNode01Cell, ou=rhel6Node01, o=IBM, c=US
 -profilePath /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
 -serverName server1
 -signingCertDN, cn=localhost, ou=Root Certificate, ou=localhostNode01Cell, ou=rhel6Node01, o=IBM, c=US
 -hostName rhel6.uk.ibm.com
 -profileName AppSrv01
 -personalCertValidityPeriod 15
 -signingCertValidityPeriod 15
 -keyStorePassword ****************
 -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/default


NOTE I used Profile Management Tool (PMT) to do this, and that automatically populated the personalCertDN and signingCertDN values with localhost.

I can, and will, override these next time around, but I'm wondering where PMT gets localhost from.



No comments:

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...