Friday, 3 July 2015

Delete SSL certificate from WCS WAS admin console

I once had a requirement to delete an existing, soon-to-expire SSL certificate from a WebSphere Commerce server. I did it with just the delete option that is available for signer and personal certificates. But a problem occurred when stopping the server: the personal certificate was still referenced in the dynamic endpoint configuration although it had been deleted from the key store. This gave an error while stopping the server, the server did not start successfully, and the test environment was all messed up :). Luckily I had a config backup, which I restored, and the environment was fine again. So keep in mind: before modifying anything in the WAS admin console, be sure to take a backup of the config folder. The config folder can be found in the WCS installation folder, for example: C:\IBM\WebSphere\CommerceServer70\config

Steps to delete an SSL certificate from the WAS admin console in a non-clustered environment:

1) First delete the certificate reference from the dynamic endpoint configuration:
SSL certificate and Management -> Dynamic outbound endpoint SSL configuration -> select the required NodeDefaultConfiguration entry and delete it.
2) Go to cellDefaultkeystore -> personal certificate -> select the required certificate and choose replace -> select both delete options on the next page -> then click apply.
3) Go to cellDefaultTruststore -> signer certificate -> if there is a signer certificate, select it and delete it.
4) Go to nodeDefaultTruststore -> signer certificate -> select the required signer certificate and delete it.
5) Go to nodeDefaultkeystore -> personal certificate -> select the required certificate and choose delete (no need to replace here).
6) Check all 4 places (signer and personal, node and cell) in the keystore and truststore; the certificate entry should no longer be there.
7) In the dynamic endpoint configuration, try creating a new entry (don't save it) and check that the aliases dropdown does not contain the name of the certificate you deleted. If it still contains the name of the deleted personal certificate, the change has not been reflected in security.xml and the certificate deletion was not done properly; you might get an error while stopping the server and face issues in the application.
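
Step 7 can also be checked directly against security.xml in the config folder. The script below is an added example, not part of the original post: it scans the file for any attribute that still holds the deleted alias. The embedded XML is a constructed, simplified sample, and the alias `oldcert` and entry name `payment-gw` are made up for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, simplified sample (not a real security.xml); names are made up.
SAMPLE_SECURITY_XML = """<Security>
  <repertoire alias="NodeDefaultSSLSettings">
    <setting clientKeyAlias="default" serverKeyAlias="default"/>
  </repertoire>
  <dynamicSSLConfigSelections name="payment-gw"
      dynamicSelectionInfo="*,pay.example.test,443"
      certificateAlias="oldcert" sslConfig="SSLConfig_1"/>
</Security>"""


def local(name):
    """Strip an XML namespace prefix of the form {uri}name."""
    return name.rsplit("}", 1)[-1]


def find_alias_references(xml_text, alias):
    """Return (element, entry name, attribute) for each attribute equal to alias.

    Every attribute is compared, so the check does not depend on knowing
    which elements can hold a certificate alias. Comparison ignores case.
    """
    wanted = alias.strip().lower()
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        entry = elem.get("name") or elem.get("alias") or ""
        for attr, value in elem.attrib.items():
            if value.strip().lower() == wanted:
                hits.append((local(elem.tag), entry, local(attr)))
    return hits


if __name__ == "__main__":
    # Usage: python check_alias.py <path to security.xml> <alias>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            text, alias = fh.read(), sys.argv[2]
    else:
        text, alias = SAMPLE_SECURITY_XML, "oldcert"
    refs = find_alias_references(text, alias)
    for tag, entry, attr in refs:
        print(f"still referenced: <{tag}> {entry!r} attribute {attr}")
    sys.exit(1 if refs else 0)
```

Run it against a copy of security.xml taken from the config backup location; a non-zero exit code means the alias is still referenced somewhere and the server should not be restarted yet.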

In non-clustered environments it's simpler:
1) First delete the certificate reference from the dynamic endpoint configuration:
SSL certificate and Management -> Dynamic outbound endpoint SSL configuration -> select the required NodeDefaultConfiguration entry and delete it.
2) Go to nodeDefaultTruststore -> signer certificate -> select the required signer certificate and delete it.
3) Go to nodeDefaultkeystore -> personal certificate -> select the required certificate and choose replace -> select both delete options on the next page -> then click apply.
 
Do not forget to delete the signer entry if found in nodeDefaultkeystore / cellDefaultkeystore.

