IBM Support

Merging Plugin SSL Keystores After a Merge of plugin-cfg.xml Files

Technote (troubleshooting)


WebSphere supports the merging of Plugin-cfg.xml files for cases where there are multiple WebSphere BASE (stand alone) application servers (or mutliple Network Deployment Cell, ND Cells) and you want to use same webserver/plugin to route to all the BASE servers or ND Cells.

Each Plugin-cfg.xml has a related SSL keystore for that Plugin (plugin-key.kdb and .sth) that would need to contain the signer certs for each appserver it would route to. The plugin-cfg.xml merge tool does not combine or merge these keystores. The plugin-key.kdb used by the merged plugin-cfg.xml must contain the signer certs for all the appservers defined in it in order to support SSL handshake between Plugin and appserver. This technote covers one method to combine/merge the separate plugin-key.kdb files. Its presented in the form of an example scenario.


A need to merge plugin-key.kdb files as a result of merging of plugin-cfg.xml files.


Merging of plugin-cfg.xml files.


WebSphere Application Server environment where there are multiple BASE (stand alone) appservers or ND cells.

For our example scenario we have three BASE appservers named:

Note: These could also be 3 ND cells.

Resolving the problem

Each BASE appserver generates a plugin-cfg.xml and has a related set of keystores




The plugin-cfg.xml files are merged (manually or using the merge tool) into:


We need to create a MERGED-plugin-key.kdb and MERGED-plugin-key.sth file to be the keystore configured/defined in the MERGED-plugin-cfg.xml.

Each BASE keystore had a signer for the BASE appserver.
BASE1-plugin-key.kdb has a signer for BASE1 appserver.
BASE2-plugin-key.kdb has a signer for BASE2 appserver.
BASE3-plugin-key.kdb has a signer for BASE3 appserver.

We could create a new keystore file using the iKeyman cert tool but for this scenario we are going to just use one of the existing keystores. We will then open the other keystores, "extract" a copy of the signer cert and "add" it to the keystore we will use with the MERGED-plugin-cfg.xml.

For this scenario we are going to use the BASE1-plugin-key.kdb file as our keystore for the Merged Plugin.

Since these separate plugin-key.kdb files are under different BASE server or ND cell config repositories and consoles we cannot use the WebSphere Console SSL Management functions to manage the MERGED-plugin-cfg.xml keystore files. To manage the MERGED-plugin-cfg.xml keystore files we will need to use the iKeyman tool installed by Plugin or IBM HTTP Server (IHS webserver) on the webserver machine.

Copy the three BASE plugin-key.kdb files and their matching plugin-key.sth files.
to some folder on the webserver machine.

On the webserver machine startup the iKeyman tool and open BASE2-plugin-key.kdb.
Go to the Signer Certificates section of the keystore. Select the Signer cert for the BASE2 appserver. Use the "Extract" button to extact a copy of the signer into a .ARM file named BASE2-cert.arm.

Next, close the BASE2-plugin-key.kdb and open BASE3-plugin-key.kdb and perform the same actions to extract the singer into BASE3-cert.arm.

Once you have the two arm files open BASE1-plugin-key.kdb. Go to the Signer Certificates section of the keystore and use the "Add" button to add the signer from each ARM file.

Once BASE1-plugin-key.kdb has all the signers then copy BASE1-plugin-key.kdb and BASE1-plugin-key.sth to the path and file name defined in the MERGED-plugin-cfg.xml. Be sure you have renamed the file to the filename defined in the MERGED-plugin-cfg.xml.

As noted above you will not be able to use the console SSL tools to manage future updates to the MERGED-plugin-key.kdb file. You will need to continue to use the iKeyman tool. It is possible the original BASEx-plugin-key.kdb files under the webserver definitions (in WebSphere config repository) may have updated signers when appserver certs expire and are updated/replaced. You may be able to use the same technique to copy the new or updated signer into the MERGED-plugin-key.kdb but in general this process is one of extracting the signer cert from the appserver's keystore (Key.p12 or a .JKS keystore file). In either case you should be able to use the console SSL Management functions to extract the appserver signer cert into a cert.arm file which could then be copied to the webserver and iKeyman used to Add the signer cert into the MERGED-plugin-key.kdb.

Related information

pluginCfgMerge tool

Document information

More support for: WebSphere Application Server

Software version: 7.0, 8.0, 8.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Advanced, Base, Developer, Enterprise, Express, Network Deployment, Single Server

Reference #: 1621481

Modified date: 12 March 2013

Translate this page: