Comment: Made consistent use of iKeyMan. Added Import Signed Certificate Steps and reference.

...

Once installed, IHS includes a tool for working with SSL certificates called IBM's Key Management Utility, which IBM also refers to as GSKit and which is generally referred to as iKeyMan. We will use iKeyMan consistently in this documentation.

Warning

Something that I have not tried yet but should work in theory. To make things easier, use the OpenSSL command-line tools to generate the CSR. When the CA gives back the signed request, generate a P12. Make sure to also include the private key somehow. Then you should be able to import into IHS and delete the old certificate.

...

Most current installs should be fine. However, you should still ensure that the iKeyMan packaged with IHS can start and is at least the minimum version that supports 2048 certificates. 2048 is now becoming the minimum standard for Web certificates.

...

IBM uses the concept of a Key Database File to protect the certificate private key. The first step is to create an empty key database file using the Key Management Utility, also known as iKeyMan.

  1. Key Database File
  2. New
  3. Key database type = CMS (can explain more about the format... later, but CMS is standard)
  4. File Name = krypton.kdb
  5. Browse... = C:\opt\IBMIHS\keys\

...

The Certificate Authority will provide a signed certificate file, root certificate and possibly supporting chain certificates which will be imported into your kdb file.

Backup Your Files (Again!)

iKeyMan saves to the Key Database File at arbitrary points depending on your action, and saves things across multiple files. Back up your files before proceeding.

...

In addition to the signed certificate, the CA should include the Root Certificate and any required supporting Chain Certificates. It is important to use a consistent naming convention.

...

The signed certificate will often be in a plain txt file. Rename the file to C:\opt\IBMIHS\keys\www.krypton.com.2012-03-14.signed_certificate.arm

The date included in the file name should reference when the certificates were received.
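Before importing, the files received from the CA can be checked against the CSR with the OpenSSL command-line tools: same public key as the request, a key of at least 2048 bits, and a chain that ends at the supplied root. This is an added example, not part of the original page; the function names, file names and subjects are constructed for the demonstration, and RSA keys are assumed.

```shell
#!/usr/bin/env bash
# Added example: checks to run on a CA-signed certificate before importing it.
# Every file name and subject below is constructed for this demonstration.

# check_signed_cert CSR CERT ROOT : returns 0 only when all three checks pass.
check_signed_cert() {
  csr=$1; cert=$2; root=$3
  # 1. Same public key as the CSR, i.e. the certificate belongs to the
  #    private key that was generated together with the request.
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
  crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  [ "$csr_key" = "$crt_key" ] || { echo "FAIL: key differs from CSR"; return 1; }
  # 2. Key size of at least 2048 bits (RSA assumed).
  bits=$(openssl x509 -in "$cert" -noout -text |
         sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; return 1; }
  # 3. Chains to the root certificate supplied by the CA.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: does not chain to $root"; return 1; }
  echo "OK: $cert matches CSR, $bits-bit key, chains to root"
}

# make_demo DIR : builds a throwaway root, two CSRs and their signed certificates.
make_demo() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -days 2 \
    -keyout "$d/ca.key" -out "$d/root.arm" 2>/dev/null
  for n in request other; do   # "other" stands for a CSR from a different key
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.arm" 2>/dev/null
    openssl x509 -req -in "$d/$n.arm" -CA "$d/root.arm" -CAkey "$d/ca.key" \
      -CAcreateserial -days 2 -out "$d/$n.signed.arm" 2>/dev/null
  done
}

tmp=$(mktemp -d) && make_demo "$tmp"
check_signed_cert "$tmp/request.arm" "$tmp/request.signed.arm" "$tmp/root.arm"
# A certificate issued for another key must be caught before import.
check_signed_cert "$tmp/request.arm" "$tmp/other.signed.arm" "$tmp/root.arm" || true
rm -rf "$tmp"
```

With real files, pass the CSR that was sent to the CA, the renamed signed certificate and the root certificate as the three arguments.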

Import Root Certificate

...

Import Signed Certificate

If necessary, start iKeyMan and open the key database.

  • From the Windows desktop, select Start - Programs - IBM HTTP Server - Start Key Management Utility.
  • Select Key Database File - Open and open the "Httpserverkey.kdb" database in the C:\Program Files\IBM\WebSphere\AppServer\etc directory.

In the "Key database content" drop-down list, select "Personal Certificates."

On the right-hand side of the "Key database content" box, click the "Receive..." button.

In the "Receive Certificate from a file" window, complete the following fields:

  • Data type: Accept the default of "Base64-encoded ASCII data."
  • Certificate file name: Browse to and select the "HTTPServerCert.cer" file (or other server certificate file that you have obtained from the CA).
  • Location: Ensure the location field specifies the directory path to which the "HTTPServerCert.cer" file was saved after you received the file from the CA (for example C:\Program Files\IBM\WebSphere\AppServer\etc).

Click OK.

You should now see the server certificate name displayed in the Personal Certificates list in iKeyMan.

Note

The server certificate name was selected when creating the CSR.

References

Has good steps and pictures - http://www-01.ibm.com/support/docview.wss?uid=swg21006430

Steps to Importing Signed Certificate with iKeyMan - http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.801.doc/EMS/st_adm_ems_ssl_cert_for_http_t.html