IBM Support

DataPower default WebGUI certificate is expiring or expired; an internal DataPower CA certificate is expiring or expired

Question & Answer


Question

Why are IBM WebSphere DataPower device types 4195 (XI50B) and 9235 showing the following warnings in the logs on pre-5.0.0.0 firmware?

    01:02:03 cert-monitor warn 383 0x806000e1 cert-monitor (Certificate Monitor): Certificate 'system-ssl-ca-cert' is expired
    01:02:03 cert-monitor warn 383 0x806000e1 cert-monitor (Certificate Monitor): Certificate 'system-cert' is expired

Or in my browser I see this:

    The certificate expired on 6/6/2013 4:13 PM.

Note: Prior to June 6, 2013, the warnings indicate the certificate is about to expire.

Cause

Before firmware release 5.0.0.0 the DataPower firmware on 4195 and 9235 platforms shipped with two certificates (system-ssl-ca-cert and system-cert) that expire on June 8, 2013 and June 6, 2013 respectively.

By default the DataPower WebGUI and XML Management Interface use these two certificates for SSL connectivity to those interfaces. Users can and should create and configure their own keys and certificates for SSL use on these interfaces.

Answer

After June 6, 2013 some SSL clients may be unable to connect to the WebGUI and XML Management Interface if those interfaces are still using the default SSL configuration. The interfaces will not go down, but they will present expired certificates, which will cause strict SSL clients to fail the SSL handshake.

Note: As long as the Objects>Crypto Configuration>Crypto Certificate Monitor option for Disabled Expired Certificates is turned OFF (the default setting), the expired certificate will continue to be used.

The Certificate Monitor may also warn about these two certificates as their expiration dates approach. These warnings only occur on firmware levels that lack the fix for APAR IC91324.
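The following Python is an added example, not part of this technote or of the DataPower firmware. It extracts the certificate name and state from cert-monitor lines in the format quoted in the Question, flags the two default certificates named under Cause, and applies the same expired / about-to-expire distinction to a notAfter date written the way the browser reports it. The sample log lines are constructed, and the 30-day warning window is an assumption rather than the monitor's documented threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the cert-monitor format quoted in the technote,
# plus one unrelated line to show that non-matching entries are ignored.
SAMPLE_LOG = """\
01:02:03 cert-monitor warn 383 0x806000e1 cert-monitor (Certificate Monitor): Certificate 'system-ssl-ca-cert' is expired
01:02:03 cert-monitor warn 383 0x806000e1 cert-monitor (Certificate Monitor): Certificate 'system-cert' is expired
01:02:04 cert-monitor warn 383 0x806000e1 cert-monitor (Certificate Monitor): Certificate 'my-webgui-cert' is about to expire
01:02:05 mgmt notice 383 0x8100003b mgmt (default): Operational state up
"""

# The two default certificates shipped with pre-5.0.0.0 firmware on the 4195/9235 platforms.
DEFAULT_CERTS = {"system-ssl-ca-cert", "system-cert"}

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) cert-monitor (?P<level>\w+) \d+ (?P<code>0x[0-9a-fA-F]+) "
    r"cert-monitor \(Certificate Monitor\): Certificate '(?P<name>[^']+)' "
    r"is (?P<state>expired|about to expire)$"
)

def parse_cert_monitor(log_text):
    """Return one dict per cert-monitor expiry warning found in log_text.

    Each dict carries time, level, event code, certificate name, state, and
    whether the certificate is one of the firmware defaults that should be
    replaced with the administrator's own credentials.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["is_default_cert"] = entry["name"] in DEFAULT_CERTS
        findings.append(entry)
    return findings

# Timestamp layout used in the browser message "The certificate expired on 6/6/2013 4:13 PM".
BROWSER_FMT = "%m/%d/%Y %I:%M %p"

def parse_browser_time(text):
    """Parse a date/time written the way the browser error reports it."""
    return datetime.strptime(text, BROWSER_FMT)

def classify_expiry(not_after, now, warn_days=30):
    """Classify a certificate from its notAfter time relative to now.

    Both arguments are strings in BROWSER_FMT. warn_days is an assumed
    warning window; the monitor's real threshold is not stated in the technote.
    """
    remaining = parse_browser_time(not_after) - parse_browser_time(now)
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "about to expire"
    return "ok"
```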

By default these two certificates are involved in the SSL configurations of:

  • the web-mgmt services WebGUI
  • the XML Management Interface
  • other services which use these interfaces, including user created tooling using AMP, SOMA or WAMT

The certificate expirations may not cause problems, but if you do experience any issues, one of the two following approaches should solve the problem by putting a new certificate in place.

1) Configure your own SSL credentials in the WebGUI and XML Management Interface:
- For the WebGUI certificate, see replacing the WebGUI certificate if the WebGUI is still up and running. See DataPower WebGUI down due to an expired or invalid certificate if the WebGUI is down.
- For the XML Management Interface certificate, the instructions are similar but you go to the Control Panel -> Network -> Management -> XML Management Service and click on the Advanced tab.

2) The 5.0.0.1 and later firmware versions include a certificate with a much later expiration date. It is recommended to upgrade to 5.0.0.8 or later firmware versions to obtain other critical APAR fixes on the 5.0.0 firmware.

This technote discusses some details you may encounter when using the new certificate.

It is highly recommended and a Best Practice that you configure the WebGUI and XML Management Interface to use your own SSL credentials rather than relying on any default certificates.

Additional notes or considerations to be aware of:
 
WSRR
The use of WSRR Subscription's "automatic" synchronization will eventually fail when the certificate for the XML Management Interface expires, and WSRR will not be able to generate change notifications to DataPower. The corrective steps are to configure your own credentials for the XML Management Interface as described earlier in this technote, and then to re-configure the DataPower certificate material in the WSRR server with these new credentials. Please refer to the InfoCenter and these articles for how to configure the WSRR server:
IBM developerWorks article with step-by-step detail under "Configuring WSRR" section:

WSRR Information Center topic on adding DataPower certificates:


ITCAM agent for DataPower
Connectivity may fail due to expiration of the certificate when using the ITCAM agent for DataPower.
Please refer to the agent user guide for how to configure the "custom SSL proxy profile".


If you have any problems or questions please contact IBM DataPower support.


Document Information

Modified date:
27 April 2021

UID

swg21633306