
Certificate for HTTPS is expired.


Flash (Alert)


Abstract

Tivoli Access Manager for e-Business WebSEAL instances that have been properly running stop responding to HTTPS (SSL) requests.

The WebSEAL message log contains errors similar to the following:

2011-08-27-07:42:31.390+00:00I----- 0x38AD54BA webseald WARNING wiv ssl WsSslListener.cpp 919 0x00005657

DPWIV1210W Function call, gsk_secure_soc_init, failed error: 00000191 GSK_ERROR_BAD_DATE.

Content

Symptom

    End users report that access to the website via HTTPS does not respond.


Cause
    The certificate presented for front-facing HTTPS access has expired.
    This can be verified as follows:
      1) Locate the following properties in webseald-instance.conf,
        [ssl]
        webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
        webseal-cert-keyfile-label = WebSEAL-Test-Only
      2) Display the details of the certificate,
        cd /var/pdweb/www-default/certs
        /opt/PolicyDirector/sbin/dispkdb -f pdsrv.kdb
        Certificate data:
        label: WebSEAL-Test-Only <=== Label from conf file ===>
        is default: no
        key size: 1024
        serial number: 3b8d2986
        issuer DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
        subject DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
        issued on: Tue Aug 28 12:42:30 2001
        expires on: Sat Aug 27 12:42:30 2011 <=== Note Expiration Date ===>
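The two verification steps above can be automated across many WebSEAL instances. The following Python script is an added example, not IBM code: it parses the [ssl] stanza of a webseald conf file and the output of dispkdb, matches the configured label to a certificate record, and reports the days remaining. The sample conf and dispkdb text are constructed from the listing in this technote plus a hypothetical replacement certificate labelled hostname; a negative days_left means the certificate WebSEAL is configured to present has already expired.

```python
# Added example (not IBM's code): automate the technote's check by parsing the
# [ssl] stanza of webseald-<instance>.conf and the "dispkdb -f <keyfile>" output,
# then computing how many days the configured certificate has left.
import re
from datetime import datetime

# Constructed sample: the [ssl] stanza from the technote, surrounded by other stanzas.
SAMPLE_CONF = """\
[server]
server-name = default-webseald
[ssl]
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
webseal-cert-keyfile-label = WebSEAL-Test-Only
[junction]
"""

# Constructed sample: dispkdb output with the technote's expired certificate and a
# hypothetical replacement labelled "hostname" (its serial and dates are made up).
SAMPLE_DISPKDB = """\
Certificate data:
label: WebSEAL-Test-Only
is default: no
key size: 1024
serial number: 3b8d2986
issuer DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
subject DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
issued on: Tue Aug 28 12:42:30 2001
expires on: Sat Aug 27 12:42:30 2011
Certificate data:
label: hostname
is default: no
key size: 1024
serial number: 0a1b2c3d
issuer DN: CN=hostname.domain.com,O=domain,C=US
subject DN: CN=hostname.domain.com,O=domain,C=US
issued on: Sat Aug 27 09:00:00 2011
expires on: Tue Aug 24 09:00:00 2021
"""

DISPKDB_DATE = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Aug 27 12:42:30 2011"


def configured_label(conf_text):
    """Return webseal-cert-keyfile-label from the [ssl] stanza, or None if absent."""
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            stanza = match.group(1).strip()
            continue
        if stanza == "ssl" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "webseal-cert-keyfile-label":
                return value.strip()
    return None


def parse_dispkdb(listing):
    """Split dispkdb output into one dict per 'Certificate data:' record."""
    certs = []
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "Certificate data:":
            current = {}
            certs.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only; DN values and times contain more.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return certs


def assess(conf_text, listing, now):
    """Match the configured label to a key database record and report days left.

    `now` is a datetime or an ISO-8601 string. A negative days_left means the
    certificate WebSEAL presents has expired, the state behind GSK_ERROR_BAD_DATE.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    label = configured_label(conf_text)
    if label is None:
        raise ValueError("no webseal-cert-keyfile-label in the [ssl] stanza")
    for cert in parse_dispkdb(listing):
        if cert.get("label") == label:
            expires = datetime.strptime(cert["expires on"], DISPKDB_DATE)
            days_left = (expires - now).days
            return {"label": label, "expires": expires,
                    "days_left": days_left, "expired": days_left < 0}
    # The conf points at a label the key database does not contain: also fatal.
    raise KeyError(f"label {label!r} not found in key database")


if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_DISPKDB, datetime.now()))
```

In a monitoring job, feed the script the real conf file and the captured dispkdb output and alert when days_left falls below a threshold, so the replacement label is switched before the GSK_ERROR_BAD_DATE condition takes the listener down.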
Resolving the problem
    Update the webseal-cert-keyfile-label property with the label of a valid cert.
    While waiting for a new certificate, the following commands may be used to create
    a self-signed certificate in order to restart service.
      cd /var/pdweb/www-default/certs
      cp pdsrv.kdb pdsrv.kdb.org
      cp pdsrv.sth pdsrv.sth.org
      ##
      ## Ensure the CN value in the command correctly matches how the Website is accessed.
      ## Set the -expire option as required. The command below creates a cert good for 10 years.
      ## The default password for pdsrv.kdb is pdsrv.
      ##
      gsk7capicmd -cert -create -db pdsrv.kdb -pw pdsrv -size 1024 \
        -dn "CN=hostname.domain.com,O=domain,C=US" -label hostname -expire 3650
      Edit /opt/pdweb/etc/webseald-default.conf and change the following:
      [ssl]
      webseal-cert-keyfile-label = hostname
      Restart WebSEAL.
      This will need to be done on all systems using the expired WebSEAL-Test-Only certificate.

Product Alias/Synonym

TAM WebSeal


Document information

IBM Security Access Manager for Web
WebSEAL

Software version: 5.1, 6.0, 6.1, 6.1.1
Operating system(s): All Platforms
Reference #: 1512494
Modified date: 2012-08-22