Skip to main content

Update the Default SSL Certificate for IBM WAS


How to update/replace the default SSL certificate for WebSphere Application Server.  But before that, if you are not familiar with SSL ( Secure Socket Layer ) protocol, here's a simple one liner on SSL:

Internet security is often a priority for those who carry out online transactions or host a financial/banking website, and so SSL certificates can prove to be an essential investment for many businesses and organization. They work by linking a cryptographic key to details such as a particular domain name, location and business contact details. Once such authentication has been established, the connection between the web server and the internet browser is secure, and not at risk from third party infiltration.

Still not clear, just watch the below video:

We will have a look at topics like: Location of certificate, Certificate keystores, Programmatically import,replace or delete certificate using the WAS Admin commands.



Note: Websphere Application Server certificate (personal certificate) is different for different nodes in a WAS cluster. 

Note: Though the ppt mentions WAS 6.1, it works for WAS 7.x and 8.x too..

Below are some commands used to manage the SSL certificate for WAS programmatically. In the below commands, in order to import/replace a certificate you need to provide a keystore containing the new/updated certificate.


Import Certificate:
AdminTask.importCertificate('[-keyFilePath ' + keyFilePath + ' -keyFilePassword ' + keyFilePassword + ' -keyFileType ' + keyFileType + ' -certificateAliasFromKeyFile \'' + certificateAliasFromKeyFile + '\' -certificateAlias ' + certificateAlias + ' -keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' ]')
AdminConfig.save()

Replace Certificate:
AdminTask.replaceCertificate('[-certificateAlias ' + certificateAlias + ' -replacementCertificateAlias ' + replacementCertificateAlias + ' -deleteOldCert true -deleteOldSigners false -keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' ]')
AdminConfig.save()

Delete Certificate:
AdminTask.deleteCertificate('[-keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' -certificateAlias ' + removeCertAlias + ' ]')
AdminConfig.save()

Get Signer Certificate:
AdminTask.retrieveSignerFromPort('[-keyStoreName ' + keyStoreName + ' -keyStoreScope ' + keyStoreScope + ' -host ' + host + ' -port ' + port + ' -certificateAlias ' + certificateAlias + ' -sslConfigName ' + sslConfigName + ' -sslConfigScopeName ' + sslConfigScopeName + ' ]')
AdminConfig.save()

Sync All Nodes:
AdminNodeManagement.syncActiveNodes()

All above commands can be executed via the WAS scripting command:
wsadmin.sh -lang jython -username admin -password admin -f<filecontaining the above commands>

Link to request a production like SSL certificate for test purpose:
https://trustcenter.websecurity.symantec.com/process/retail/trial_product_selector