Abstract
The personal certificate called "WebSphere Plugin Key" within the plugin-key.kdb that is shipped with the WebSphere Plugin install will expire on April 26, 2012.
Content
When the plugin is first installed, it places a copy of the plugin-key.kdb file within the [Plugin_Home]/etc directory. When the plugin is configured to an installed web server, it will pull a copy of this file from the [Plugin_Home]/etc location and place it within the [Plugin_Home]/config/{webservername} directory.
This key file contains a personal certificate that is set to expire by April 26, 2012. Action may be required to maintain encryption between the plugin and application server(s). Please read this documentation carefully to determine if you are affected and what steps may be needed to correct this situation.
I'd strongly recommend that you check this Technote, if you use IBM WebSphere Application Server and the WebSphere Plugin.
In our environment, I used the GSK command, as the IKeyMan GUI was not available to me on my headless Linux boxes: -
$ /opt/IBM/HTTPServer/bin/gsk7cmd -cert -list -db /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin\-key.kdb -pw WebAS
This gave me my cell-level certificate e.g. CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US which I then checked for expiration as follows: -
Label: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Key Size: 1024
Version: X509 V3
Serial Number: 11 FA EF 15 F5 2F E1 18
Issued by: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Subject: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Valid: From: Thursday, 20 January 2011 12:05:44 o'clock GMT To: Friday, 16 January 2026 12:05:44 o'clock GMT
Fingerprint: AE:2A:DC:10:6C:4A:18:A3:A0:46:A3:FD:EB:6E:2E:D0:8A:D2:CE:66
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
Just because my environment is OK does NOT mean that yours is ... go check, go check NOW.
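To make the expiry check repeatable across several key databases, here is an added example (not part of the original post or the IBM Technote) that parses the "Label:" and "Valid:" lines of the certificate details output shown above and classifies each certificate by days remaining. The function names, the 90-day warning threshold and the first sample entry are assumptions made for illustration; only its expiry date comes from the Technote.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format shown above. The second entry is the post's
# own output; the first is made up, with only the expiry date from the Technote.
SAMPLE = """\
Label: WebSphere Plugin Key
Valid: From: Saturday, 28 April 2007 00:00:00 o'clock GMT To: Thursday, 26 April 2012 00:00:00 o'clock GMT
Label: CN=Portal, OU=Root Certificate, OU=PortalCell, OU=PortalNode, O=IBM, C=US
Valid: From: Thursday, 20 January 2011 12:05:44 o'clock GMT To: Friday, 16 January 2026 12:05:44 o'clock GMT
"""

MONTHS = {name: num for num, name in enumerate(
    "January February March April May June July August "
    "September October November December".split(), start=1)}

# Assumption: timestamps are always printed in GMT, as in the output above.
VALID_TO = re.compile(r"^Valid:.*\bTo: \w+, (\d{1,2}) (\w+) (\d{4}) "
                      r"(\d{2}):(\d{2}):(\d{2}) o'clock GMT$")

def expiries(details_text):
    """Return [(label, not_after)] for every Label/Valid pair in the text."""
    found, label = [], None
    for line in map(str.strip, details_text.splitlines()):
        if line.startswith("Label:"):
            label = line[len("Label:"):].strip()
        elif line.startswith("Valid:"):
            m = VALID_TO.match(line)
            if m is None or m.group(2) not in MONTHS:
                raise ValueError(f"unrecognised validity line: {line!r}")
            day, mon, year, hh, mm, ss = m.groups()
            found.append((label, datetime(int(year), MONTHS[mon], int(day),
                                          int(hh), int(mm), int(ss),
                                          tzinfo=timezone.utc)))
    return found

def report(details_text, now, warn_days=90):
    """Classify each certificate as EXPIRED, EXPIRING or OK relative to now."""
    rows = []
    for label, not_after in expiries(details_text):
        days = (not_after - now).days
        status = ("EXPIRED" if not_after <= now
                  else "EXPIRING" if days < warn_days else "OK")
        rows.append((status, days, label))
    return rows

if __name__ == "__main__":
    for status, days, label in report(SAMPLE, datetime.now(timezone.utc)):
        print(f"{status:8} {days:6d} days  {label}")
```

Feed it the saved details output for each plugin-key.kdb in place of SAMPLE; a validity line in any other format raises an error rather than being silently skipped.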