Adding a single certificate to the WebSEAL server is clearly defined in the WebSEAL administration guide. What I found a real challenge was adding a chain certificate: I had no idea what the process was or how to go about it.
To start with, chain certificates are no different from regular certificates; there are just more of them and they follow a particular pattern. There is a root certificate and a signer certificate. There can also be an intermediate signer, or more levels, as the security requirements demand.
The root certificate goes in first, then the intermediate signer, and then the signer. Before you start adding the certificates, make sure you have the following:
1. All root and signer certificates
2. The location of the keystore and truststore, with the passwords for both
3. Permission to run the commands and add certificates to the server
4. The location of the WebSEAL pdsrv key database file
Many people use iKeyman or the gsk7cmd kit; you can use either. Most people prefer to export the display and add the certificates through the GUI, but my system was responding too slowly for the display, so I used the command line interface (my first choice anyway).
Adding chain certificates to the WebSEAL server:
Exact commands as run on the server.
--------------------
[root@servername /]# export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java/jre/
[root@servername /]# export PATH=$JAVA_HOME/bin:$PATH
[root@servername /]# gsk7cmd -cert -list -db /var/pdweb/www-default/certs/pdsrv.kdb -pw
Certificates in database /var/pdweb/www-default/certs/pdsrv.kdb:
WebSEAL-Test-Only
RSA Secure Server Certification Authority
Thawte Personal Basic CA
Thawte Personal Freemail CA
Thawte Personal Premium CA
Thawte Premium Server CA
Thawte Server CA
Verisign Class 1 Public Primary Certification Authority
[root@servername /]# gsk7cmd -cert -add -db /var/pdweb/www-default/certs/pdsrv.kdb -pw -file /tmp/RootCertificate.cer -label WEbsealRootCertificate
[root@servername /]# gsk7cmd -cert -add -db /var/pdweb/www-default/certs/pdsrv.kdb -pw -file /tmp/Root/CertificateFile.cer -label websealChaincertificate
--------------------
One of the most important commands here is listing the certificates already in the database. This step lets you confirm that you are hitting the right keystore, have the correct credentials, and most likely have the right permissions for the operation. Note too that a password given to -pw on the command line is visible to other users in the process list and stays in the shell history until it is cleared.
This is specific to WebSEAL, but the same procedure can be repeated on Tivoli Identity Manager, WebSphere Application Server, or any other server.
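The ordering rule above (root first, then intermediate, then signer) and the "list before you add" check can be automated. The following is an added example, not code from the original post or from IBM's tooling: it models each certificate by its subject and issuer DN (as printed by `openssl x509 -noout -subject -issuer`), derives the install order by following issuer links from the self-signed root, and emits the gsk7cmd add commands, skipping labels that the list output already shows. The file paths, labels, DNs and list output are constructed, and the password is a placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CertInfo:
    label: str    # label to give the certificate in pdsrv.kdb (constructed)
    subject: str  # subject DN, e.g. from `openssl x509 -noout -subject`
    issuer: str   # issuer DN, e.g. from `openssl x509 -noout -issuer`
    path: str     # file passed to `gsk7cmd -cert -add -file` (constructed)

def install_order(certs):
    """Return the chain ordered root -> intermediate(s) -> signer."""
    roots = [c for c in certs if c.subject == c.issuer]  # self-signed = root
    if len(roots) != 1:
        raise ValueError(f"expected one self-signed root, found {len(roots)}")
    ordered, remaining = [roots[0]], [c for c in certs if c is not roots[0]]
    while remaining:
        nxt = [c for c in remaining if c.issuer == ordered[-1].subject]  # next link
        if len(nxt) != 1:
            raise ValueError(f"chain broken after {ordered[-1].subject!r}")
        ordered.append(nxt[0])
        remaining.remove(nxt[0])
    return ordered

def existing_labels(list_output):
    """Labels parsed from `gsk7cmd -cert -list` output; assumes one label per line after the header."""
    labels = set()
    for line in list_output.splitlines():
        line = line.strip().lstrip("*-! ")  # some versions mark default/trusted entries
        if line and not line.startswith("Certificates"):
            labels.add(line)
    return labels

def add_commands(certs, kdb, list_output, pw="<password>"):
    """gsk7cmd -cert -add commands in install order, skipping labels already present."""
    present = existing_labels(list_output)
    return [f"gsk7cmd -cert -add -db {kdb} -pw {pw} -file {c.path} -label {c.label}"
            for c in install_order(certs) if c.label not in present]

# Constructed sample: the chain files arrive out of order, root already installed.
KDB = "/var/pdweb/www-default/certs/pdsrv.kdb"
CHAIN = [
    CertInfo("websealSigner", "CN=webseal.example.test", "CN=Example Issuing CA", "/tmp/signer.cer"),
    CertInfo("websealRoot", "CN=Example Root CA", "CN=Example Root CA", "/tmp/root.cer"),
    CertInfo("websealIntermediate", "CN=Example Issuing CA", "CN=Example Root CA", "/tmp/intermediate.cer"),
]
LIST_OUTPUT = "Certificates in database /var/pdweb/www-default/certs/pdsrv.kdb:\nWebSEAL-Test-Only\nwebsealRoot\n"
if __name__ == "__main__":
    for cmd in add_commands(CHAIN, KDB, LIST_OUTPUT):
        print(cmd)
```

Run it against the real list output of your key database and review the printed commands before executing them; a ValueError means a certificate in the chain is missing or does not link to the others.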