IBM Software Group
SSL Certificate and Key Management
Brett Ostrander ([email protected]), Software Engineer
June 12, 2012
WebSphere® Support Technical Exchange
Agenda
- Chained Certificates
- Renewing Certificates
- Personal Certificate Requests
- KeyStores
- Certificate Expiration Monitor
Chained Certificates
- Default chained certificates are created by root certificates with a long life span of 15 years.
- Using a root signer, the servers and clients can establish and keep trust by exchanging the long-lived root certificate signer instead of the short-lived (1 year) signer of the personal certificates.
- Additionally, the chained certificate provides flexibility around the scalability issues in flexible management configurations.
Chained Certificates (cont.)
A chained certificate is a certificate signed by a certificate other than itself, known as a root certificate.
Chained Certificates (cont.)
Chained Certificate Attributes
Self-Signed Root Certificate
- Alias: root
- DN: CN=${hostname}, OU= Root Certificate, OU=, OU=, O=IBM, C=US
- Validity Period: 20 years
- KeyStore: DmgrDefaultRootStore, NodeDefaultRootStore
Chained Certificate (signed by the root certificate)
- Alias: default
- Issued to DN: CN=${hostname}, OU=, OU=, O=IBM, C=US
- Issued by DN: CN=${hostname}, OU= Root Certificate, OU=, OU=, O=IBM, C=US
- Validity Period: 1 year
- KeyStore: CellDefaultKeyStore, NodeDefaultKeyStore
Chained Certificates (cont.)
New console panels and a task are provided to create chained certificates:
SSL certificate and key management > Key stores and certificates > key_store_name > Personal certificates > Create Chained Certificate
A chained certificate can only be signed by a certificate in the DefaultRootStore.
Chained Certificates (cont.) (slide 7: no extractable text)
Chained Certificates (cont.)
During profile creation, users have the opportunity to make decisions about the server's default certificates. Available on the profile creation advanced path:
- Customize the DN of the default signing certificate and default certificate.
- Set the life span of the signing certificate and default certificate.
- Import a certificate to be the root signing certificate or default personal certificate.
- Provide a custom password for the key stores created during profile creation.
  • This password applies to ALL key stores created.
Chained Certificates (cont.) (slides 9 to 12: no extractable text)
Renewing Certificates
- Renews a certificate: creates a new certificate with all the information used to create the original certificate (DN, key size, validity).
- Old signers found in the configuration are either replaced or kept in the configuration, depending on the option specified.
- Renew can only be performed on self-signed certificates and chained certificates.
- Externally signed CA certificates must be renewed manually by an administrator.
Renewing Certificates (cont.)
Can be done from the console:
SSL certificate and key management > Key stores and certificates > key_store_name > Personal certificates > select a personal certificate > Renew
For scripting, the renewCertificate task can be used:
AdminTask.renewCertificate('-keyStoreName myKS -certificateAlias testCertificate')
Renewing Certificates (cont.) (slide 15: no extractable text)
Personal Certificate Requests (CA signed)
- Personal certificate requests are temporary placeholders for certificates that will be signed by a certificate authority (CA).
- The private key is generated during certificate request generation, but only the certificate request is sent to the CA; the private key stays in the key store.
- The CA generates a new certificate, signed by the CA.
Console path: SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificate requests > New...
Personal Certificate Requests (cont.) (slides 17 and 18: no extractable text; slide 19 shows a generated request as a PEM block delimited by -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----, omitted here)
Personal Certificate Requests (cont.)
When a certificate authority (CA) receives a certificate request, it issues a new certificate that functions as a temporary placeholder for a CA-issued certificate. A keystore receives the certificate from the CA and generates a CA-signed personal certificate that WebSphere® Application Server can use for Secure Sockets Layer (SSL) security.
Personal Certificate Requests (cont.)
- WebSphere Application Server can receive only those certificates that are generated from a WebSphere Application Server certificate request.
- It cannot receive certificates that are created from certificate requests made with other keystore tools, such as iKeyman and keytool.
Console path: SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates > Receive certificate from CA
KeyStores
Cell (managed):
- profile_root/config/cells/cell_name/key.p12
- profile_root/config/cells/cell_name/trust.p12
Node (managed):
- profile_root/config/cells/cell_name/nodes/node_name/key.p12
- profile_root/config/cells/cell_name/nodes/node_name/trust.p12
Each profile also has (unmanaged):
- profile_root/etc/key.p12
- profile_root/etc/trust.p12
KeyStores (cont.)
Console panels:
- SSL certificate and key management > Key stores and certificates
- SSL certificate and key management > SSL configurations
- SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings
New KeyStores
- DefaultRootStore: key store that holds self-signed root certificates. Chained certificates can only be created using root certificates from this key store. File: root-key.p12
- DefaultSignersStore: holds all signer certificates that get added to any newly created key store. By default the root signer is included. File: default-signers.p12
- DefaultDeletedStore: certificates deleted from other key stores are temporarily stored in this key store. File: deleted.p12
- RSA Key Stores: rsatoken-root-key.p12, rsatoken-key.p12, rsatoken-trust.p12
New KeyStores (cont.)
Default Signers Key Store
- The DefaultSignersStore contains all signer certificates added by customers that they wish to have added to newly created key stores.
- This can be used to establish trust at the time a new key store is created, saving multiple import steps.
- Dummy signers are not included by default.
  • Dummy signers are still shipped with the product and can be added manually, though this is not recommended.
New KeyStores (cont.)
DefaultDeletedStore
- Created to hold deleted certificates. Allows users to restore or permanently delete a certificate.
- Requests to delete a certificate will move the certificate to the DefaultDeletedStore.
- The deleted certificate will be stored with the alias name "keystorename_alias_uniquenum".
- The Certificate Expiration Monitor will clean out the DefaultDeletedStore.
Certificate Expiration Monitor
- Adds the ability to replace/renew the new certificate types: chained certificates for which a root exists in the DefaultRootStore.
- Handles expiring root certificates. An expiring root certificate will require renewing all certificates that were created with that root.
- Cleans out the deleted key store.
Certificate Expiration Monitor Output
**** Subject: Expiration Monitor ****; Hostname: bretto Profile UUID: Dmgr01-bretto Process type: DeploymentManager
*** CERTIFICATES WITHIN THE 90 DAYS OF THE CERTIFICATE EXPIRATION THRESHOLD (MAY BE REPLACED WITHIN 90 DAYS) ***;
CWPKI0714I: The certificate expiration monitor has recently run and discovered that the certificates, which are listed in associated messages, will be replaced within the next 90 days. This replacement is based on the configured policy to automatically replace expiring self-signed certificates 60 days prior to expiration. This notification is informs you that problems might arise when the certificates are automatically replaced.
CWPKI0715I: In some cases, automatically replacing certificates can cause outages for Web server plugins operating on unmanaged nodes. In such a situation, the plug-in will be unable to contact the application servers over HTTPS because it will be using signers for certificates that have been replaced by the automatic replacement process. To prevent what may be and serious outage you should act before the scheduled replacement date and replace the expiring certificates and update the plug-in kdb to use the new signers.
CWPKI0719I: The test personal certificate in the "TestKeyStore((cell):brettoCell01)" keystore is due to expire on July 16, 2012 and might be replaced after the May 17, 2012 threshold date.
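The windows behind the output above, as an added example that is not IBM's code: it models the 90-day notification window and the 60-day automatic replacement threshold the CWPKI0714I message describes, treats externally CA-signed certificates as manual-renew only (as the Renewing Certificates slide states), and emits CWPKI0719I-style lines for constructed certificate records. The record layout, the `kind` field and the second and third aliases and keystore names are assumptions; the first record reuses the slide's dates.

```python
# Added example (not IBM's code): models the Certificate Expiration Monitor windows
# from the slides: 90-day notification, automatic replacement 60 days before expiry.
from datetime import date, timedelta
NOTIFY_DAYS = 90   # "CERTIFICATES WITHIN THE 90 DAYS OF THE ... THRESHOLD"
REPLACE_DAYS = 60  # "replace expiring self-signed certificates 60 days prior"

def replacement_threshold(not_after, replace_days=REPLACE_DAYS):
    """Date after which the monitor may automatically replace the certificate."""
    return not_after - timedelta(days=replace_days)

def classify(cert, today, notify_days=NOTIFY_DAYS, replace_days=REPLACE_DAYS):
    """Return 'ok', 'notify', 'replace', 'manual' or 'expired' for one cert record
    (keys: alias, keystore, not_after, kind in self-signed/chained/ca-signed)."""
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        return "expired"
    if days_left > notify_days:
        return "ok"
    # Inside the window: only self-signed/chained certs are renewed automatically.
    if cert["kind"] == "ca-signed":
        return "manual"
    if today >= replacement_threshold(cert["not_after"], replace_days):
        return "replace"
    return "notify"

def report(certs, today):
    """One CWPKI0719I-style line per certificate inside the 90-day window."""
    lines = []
    for cert in certs:
        state = classify(cert, today)
        if state == "ok":
            continue
        lines.append('[%s] The %s personal certificate in the "%s" keystore is due '
                     'to expire on %s and might be replaced after the %s threshold '
                     'date.' % (state, cert["alias"], cert["keystore"],
                                cert["not_after"],
                                replacement_threshold(cert["not_after"])))
    return lines

# Constructed sample records; the first mirrors the slide's dates (expires July 16,
# 2012, so the 60-day threshold falls on May 17, 2012).
SAMPLE_CERTS = [
    {"alias": "test", "keystore": "TestKeyStore((cell):brettoCell01)",
     "not_after": date(2012, 7, 16), "kind": "self-signed"},
    {"alias": "default", "keystore": "NodeDefaultKeyStore",
     "not_after": date(2013, 6, 12), "kind": "chained"},
    {"alias": "extca", "keystore": "CellDefaultKeyStore",
     "not_after": date(2012, 6, 30), "kind": "ca-signed"},
]
```

Running `report(SAMPLE_CERTS, date(2012, 5, 1))` reproduces the slide's situation: the test certificate is reported with a May 17, 2012 threshold but not yet replaced, and the CA-signed certificate is flagged for manual renewal.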
Summary
- Chained Certificates
- Renewing Certificates
- Personal Certificate Requests
- KeyStores
- Certificate Expiration Monitor
Additional WebSphere Product Resources
Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: http://www.ibm.com/software/websphere/support/supp_tech.html
Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: http://www.ibm.com/developerworks/websphere/community/
Join the Global WebSphere User Group Community: http://www.websphere.org
Access key product show-me demos and tutorials by visiting IBM® Education Assistant: http://www.ibm.com/software/info/education/assistant
View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: http://www.ibm.com/software/websphere/support/d2w.html
Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html
Connect with us! 1. Get notified on upcoming webcasts Send an e-mail to [email protected] with subject line “wste subscribe” to get a list of mailing lists and to subscribe
2. Tell us what you want to learn Send us suggestions for future topics or improvements about our webcasts to [email protected]
3. Be connected! Connect with us on Facebook Connect with us on Twitter
Questions and Answers