Thursday, 15 August 2013

SSL and WebSphere Application Server

The first of, almost certainly, a whole slew of posts as I dig into SSL in WAS 7.

I'm really trying to establish why my newly minted WAS profiles turn up with the cell-level and node-level root Signer certificate issuer set to: -

CN=localhost, OU=Root Certificate, OU=localhostNode01Cell, OU=rhel6Node01, O=IBM, C=US  

even though my fully-qualified hostname is: -

as confirmed by Java: -


import java.net.InetAddress;
import java.net.UnknownHostException;

// Prints the host name the JVM resolves for the local machine
public class getHost {

  public static void main(String[] args) {

    try {
      InetAddress address = InetAddress.getLocalHost();
      System.out.println("My name is " + address.getHostName());
    } catch (UnknownHostException e) {
      System.out.println("I'm sorry. I don't know my own name.");
    }
  }
}


which returns: -

My name is

and Snoop: -

Of course, these are self-signed certificates, and WAS is the signer / root Certificate Authority (CA).

But why does the Common Name (CN) come out as localhost rather than, say ??

This is what I have in my node-level trust store: -


For the record, this particular profile is a pure application server ( AppSrv01 ) with no managed cell.

I did find this command: -

$ /opt/IBM/WebSphere/AppServer/bin/ -listRemoteKeyStoreNames

Realm/Cell Name: <default>
Username: wasadmin
 CWPKI0306I: The following remote keystores exist on the specified server:
           NodeDefaultRootStore, NodeDefaultKeyStore, NodeRSATokenRootStore,
           NodeRSATokenTrustStore, NodeDefaultSignersStore,
           NodeDefaultDeletedStore, NodeDefaultTrustStore,
           NodeRSATokenKeyStore, NodeLTPAKeys

which is useful, but doesn't solve the problem :-)

Anyhow, this is how I created the profile: -

 -applyPerfTuningSetting standard
 -adminUserName wasadmin
 -adminPassword ****************
 -enableAdminSecurity true
 -cellName localhostNode01Cell
 -nodeName rhel6Node01
 -portsFile /opt/IBM/WebSphere/AppServer/logs/manageprofiles/1376559474506_portdef.props
 -personalCertDN cn=localhost, ou=localhostNode01Cell, ou=rhel6Node01, o=IBM, c=US
 -profilePath /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
 -serverName server1
 -signingCertDN, cn=localhost, ou=Root Certificate, ou=localhostNode01Cell, ou=rhel6Node01, o=IBM, c=US
 -profileName AppSrv01
 -personalCertValidityPeriod 15
 -signingCertValidityPeriod 15
 -keyStorePassword ****************
 -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/default

NOTE I used Profile Management Tool (PMT) to do this, and that automatically populated the personalCertDN and signingCertDN values with localhost.

I can, and will, override these next time around, but I'm wondering where PMT gets localhost from.
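
An added example, not part of the original post and not IBM tooling: a small Java check that lists every certificate in a keystore and compares its subject CN with the host's canonical name. The class name CheckCertNames and its helpers are hypothetical, the keystore path and password are passed as arguments, the PKCS12 store type is an assumption, and with no arguments it checks the signer DN quoted above.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CheckCertNames {
  // Return the CN of an RFC 2253 distinguished name, or null if it has none.
  static String commonName(String dn) throws Exception {
    for (Rdn rdn : new LdapName(dn).getRdns()) {
      Attribute cn = rdn.toAttributes().get("cn"); // also covers multi-valued RDNs
      if (cn != null) return cn.get().toString();
    }
    return null;
  }

  // Print one line per certificate: its CN, who issued it, and whether the CN is the host name.
  static void report(String label, String subjectDn, String issuerDn, String host) throws Exception {
    String cn = commonName(subjectDn);
    String kind = subjectDn.equalsIgnoreCase(issuerDn) ? "self-issued" : "issued by CN=" + commonName(issuerDn);
    String verdict = host.equalsIgnoreCase(cn) ? "matches host name" : "DOES NOT match host name";
    System.out.println(label + ": CN=" + cn + " (" + kind + ") " + verdict);
  }

  public static void main(String[] args) throws Exception {
    String host = InetAddress.getLocalHost().getCanonicalHostName();
    System.out.println("Canonical host name: " + host);
    if (args.length < 2) {
      // No keystore given: check the signer DN quoted in the post instead.
      String dn = "CN=localhost, OU=Root Certificate, OU=localhostNode01Cell, OU=rhel6Node01, O=IBM, C=US";
      report("signer DN from the post", dn, dn, host);
      return;
    }
    // args[0] = keystore path, args[1] = password; the PKCS12 type is an assumption.
    KeyStore ks = KeyStore.getInstance("PKCS12");
    FileInputStream in = new FileInputStream(args[0]);
    try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
    for (String alias : Collections.list(ks.aliases())) {
      Certificate c = ks.getCertificate(alias);
      if (c instanceof X509Certificate) {
        X509Certificate x = (X509Certificate) c;
        report(alias, x.getSubjectX500Principal().getName(), x.getIssuerX500Principal().getName(), host);
      }
    }
  }
}
```

A mismatch matters most on the personal (server) certificate, because that is the name a client compares with the host it connected to; on a root signer the CN is only a label.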
