IBM Support

Tivoli Integrated Portal self-signed certificate expiration warning

Troubleshooting


Problem

The self-signed certificate in Tivoli Integrated Portal (TIP) expires periodically and should be renewed to avoid an application outage. SystemOut.log reports: The default personal certificate in the "NodeDefaultKeyStore((cell):TIPCell:(node):TIPNode)" keystore is due to expire

Symptom

SystemOut.log contains the following messages before the certificate expires:

CWPKI0714I: The certificate expiration monitor has recently run and discovered that the certificates, which are listed in associated messages, will be replaced within the next 90 days. This replacement is based on the configured policy to automatically replace expiring self-signed certificates 60 days prior to expiration. This notification is informs you that problems might arise when the certificates are automatically replaced.

CWPKI0715I: In some cases, automatically replacing certificates can cause outages for Web server plug-ins operating on unmanaged nodes. In such a situation, the plug-in will be unable to contact the application servers over HTTPS because it will be using signers for certificates that have been replaced by the automatic replacement process. To prevent what may be and serious outage you should act before the scheduled replacement date and replace the expiring certificates and update the plug-in kdb to use the new signers.

CWPKI0719I: The default personal certificate in the "NodeDefaultKeyStore((cell):TIPCell:(node):TIPNode)" keystore is due to expire on Mar 23, 2014 and might be replaced after the Jan 22, 2014 threshold date.
CWPKI0719I: The default personal certificate in the "NodeRSATokenKeyStore((cell):TIPCell:(node):TIPNode)" keystore is due to expire on Mar 23, 2014 and might be replaced after the Jan 22, 2014 threshold date.


Checking for expired certificate and certificates in the 60 days threshold period.
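The CWPKI0719I lines can be pulled out of SystemOut.log and turned into a per-keystore renewal list. The following Python sketch is an added example, not IBM-supplied code; it assumes English-locale messages in the format quoted above, and the function name, status labels and log line prefix are illustrative.

```python
import re
from datetime import date, datetime

# Matches the CWPKI0719I text quoted above (English-locale message assumed).
CWPKI0719I = re.compile(
    r'CWPKI0719I: The default personal certificate in the "(?P<keystore>[^"(]+)'
    r'\(\(cell\):(?P<cell>[^:]+):\(node\):(?P<node>[^)]+)\)" keystore is due to '
    r'expire on (?P<expires>\w{3} \d{1,2}, \d{4}) and might be replaced after '
    r'the (?P<threshold>\w{3} \d{1,2}, \d{4}) threshold date'
)

def _to_date(text):
    return datetime.strptime(text, "%b %d, %Y").date()

def find_expiring(log_lines, today=None):
    """Return one record per (cell, node, keystore) seen in CWPKI0719I lines."""
    today = today or date.today()
    found = {}
    for line in log_lines:
        m = CWPKI0719I.search(line)
        if m is None:
            continue
        expires, threshold = _to_date(m["expires"]), _to_date(m["threshold"])
        if today > expires:
            status = "expired"
        elif today > threshold:
            status = "replacement-window"   # automatic replacement may occur
        else:
            status = "warning"              # still time to renew manually
        # A keystore can appear in several lines; keep the last one seen.
        found[(m["cell"], m["node"], m["keystore"])] = {
            "keystore": m["keystore"], "cell": m["cell"], "node": m["node"],
            "expires": expires, "threshold": threshold,
            "days_to_expiry": (expires - today).days, "status": status,
        }
    return sorted(found.values(), key=lambda r: (r["days_to_expiry"], r["keystore"]))

# Constructed sample: the timestamp/thread/logger prefix is illustrative only;
# the message bodies are the two CWPKI0719I lines from this page.
PREFIX = "[1/10/14 0:00:00:000 UTC] 00000000 ExampleLogger I   "
BODY = ('CWPKI0719I: The default personal certificate in the '
        '"{}((cell):TIPCell:(node):TIPNode)" keystore is due to expire on '
        'Mar 23, 2014 and might be replaced after the Jan 22, 2014 threshold date.')
SAMPLE_LOG = [
    PREFIX + BODY.format("NodeDefaultKeyStore"),
    PREFIX + "CWPKI0715I: unrelated informational line (constructed)",
    PREFIX + BODY.format("NodeRSATokenKeyStore"),
    PREFIX + BODY.format("NodeDefaultKeyStore"),   # repeated entry
]
```

Pass the lines of the real SystemOut.log in place of SAMPLE_LOG; records with status "warning" can still be renewed manually before the threshold date.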

Resolving The Problem

1. Log in to the TIP console.
2. Launch the WebSphere Admin Console:
    Settings -> WebSphere Administrative Console
3. Go to:
    Security -> SSL certificate and key management -> Key stores and certificates
    Click NodeDefaultKeyStore -> Personal certificates
4. Select the certificate you want to renew, then click the Renew button. See the screenshot below for reference. After the renewal, the warning messages should no longer appear in the SystemOut.log file.




By default the self-signed certificate on each node expires 365 days after creation.


Document Information

Modified date:
17 June 2018

UID

swg21659578