We have an app ^H^H^H tool for that.
Here's my journey: -
Start WSAdmin
/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
Convert Certificates to SHA256withRSA
AdminTask.convertCertForSecurityStandard('[-fipsLevel SP800-131 -signatureAlgorithm SHA256withRSA -keySize 2048 ]')
Save and Sync
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
Quit
quit
PS Next time one starts WSAdmin, updated certificates are retrieved back to "local" trust store
/opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd
…
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/etc/trust.p12.
Here is the signer information (verify the digest value matches what is displayed at the server):
Subject DN: CN=bpm857.uk.ibm.com, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 23501208165426
Expires: Thu Apr 20 05:51:34 BST 2017
SHA-1 Digest: AA:C8:35:CC:B3:46:2E:CE:E5:05:01:A7:5B:55:3A:DF:3C:06:44:A0
MD5 Digest: 76:CA:9D:33:0B:41:EA:03:F9:7E:A6:C6:02:65:D7:4D
Subject DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 23500614165097
Expires: Thu Apr 17 05:51:33 BST 2031
SHA-1 Digest: AA:C8:35:CC:B3:46:2E:CE:E5:05:01:A7:5B:55:3A:DF:3C:06:44:A0
MD5 Digest: 76:CA:9D:33:0B:41:EA:03:F9:7E:A6:C6:02:65:D7:4D
Add signer to the trust store now? (y/n) y
…
Validate DM Profile Personal Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12:
default
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/key.p12 -pw WebAS -label default
...
Label: default
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Validate DM Profile Root Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12:
root
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCDmgr01/config/cells/PCCell1/trust.p12 -pw WebAS -label root
...
Label: root
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Manually synchronise Node - this may be optional but felt "belt n' braces"
/opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/bin/syncNode.sh `hostname` 10003
...
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/etc/trust.p12.
Here is the signer information (verify the digest value matches what is displayed at the server):
Subject DN: CN=bpm857.uk.ibm.com, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 35849612167890
Expires: Sat Apr 22 07:14:50 BST 2017
SHA-1 Digest: 94:26:35:50:26:01:43:84:9B:68:63:C8:48:1B:E6:CF:87:E6:85:18
MD5 Digest: 7A:E0:99:2B:CB:65:E7:09:63:00:E9:63:00:9B:84:E8
Subject DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Issuer DN: CN=bpm857.uk.ibm.com, OU=Root Certificate, OU=PCCell1, OU=Dmgr, O=IBM, C=US
Serial number: 35848947653836
Expires: Sat Apr 19 07:14:49 BST 2031
SHA-1 Digest: 94:26:35:50:26:01:43:84:9B:68:63:C8:48:1B:E6:CF:87:E6:85:18
MD5 Digest: 7A:E0:99:2B:CB:65:E7:09:63:00:E9:63:00:9B:84:E8
Add signer to the trust store now? (y/n) y
...
Validate Node Profile Personal Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12:
default
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/key.p12 -pw WebAS -label default
...
Label: default
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Validate Node Profile Root Certificate
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12 -pw WebAS
Certificates in database /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12:
root
/opt/IBM/WebSphere/AppServer/java/jre/bin/ikeycmd -cert -details -db /opt/IBM/WebSphere/AppServer/profiles/PCAppSrv01/config/cells/PCCell1/trust.p12 -pw WebAS -label root
...
Label: root
Key Size: 2048
...
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
...
Additional Validation using OpenSSL
echo "" | openssl s_client -connect bpm857.uk.ibm.com:10001 -prexit 2>/dev/null | openssl x509 -noout -text | grep Signature
...
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
...
So that's all good then.
in the post how did you find the password as WebAs to the .p12
ReplyDeleteHey Sriram
ReplyDeleteAh, that's magic ....
Seriously, it's in the IBM documentation e.g.
PK47182: The default key store password in the "Key store settings" topic within the Version 6.1 Information Center is incorrect