IBM Support

Updating WebSphere Application Server's SSL Certificates' key bit values for InfoSphere Information Server

Troubleshooting

Problem

This technote details how to increase the default SSL certificates' key bit values in WebSphere Application Server and how this affects Information Server.

Diagnosing The Problem

Information Server 9.1 ships with WebSphere Application Server 8.5.0.0.
At this release of WebSphere, the root certificate uses a 2048 bit key value by default.
The iiscert installed by Information Server, used for communication from Metadata Interchange Agents to the InfoSphere Metadata Asset Manager, uses a 1024 bit key value by default. Follow the steps under "Convert existing Certificates" to convert the existing certificates.

Information Server 8.7, 8.5, 8.1 and 8.0.1 were shipped with versions of WebSphere where the root certificate used a 1024 bit key value.
The iiscert installed by Information Server, used for communication from Metadata Interchange Agents to the InfoSphere Metadata Asset Manager, also uses a 1024 bit key value by default. Follow the steps under "Recreate Certificates" to recreate the certificates.

Resolving The Problem

Depending on the version of WebSphere, there are two possible solutions to increase the key bit value for the SSL certificates.

Convert existing Certificates:

If WebSphere Application Server 8.5.0.0 or higher, or WebSphere Application Server 7.0.0.23 or higher, is being used, it is possible to convert the existing certificates to use a larger key bit value.

The ConvertSSLCert.py Jython script below switches all certificates to a 2048 bit key value. If you want a larger key bit value, edit the Jython script accordingly.

To update the SSL certificates, download the attached script to the location of the Information Server services tier.

ConvertSSLCert.py

If the Services tier is running on Windows, run the following command:

<WAS_install_dir>\AppServer\bin\wsadmin.bat -lang jython -f ConvertSSLCert.py convert

If the Services tier is running on Unix, run the following command:

<WAS_install_dir>/AppServer/bin/wsadmin.sh -lang jython -f ConvertSSLCert.py convert

The command will prompt for the WebSphere Administrator ID and password.

A restart of WebSphere Application Server is not required. All certificates will be converted to use a 2048 bit key value. For the iiscert, follow the steps documented in Step 2 of the technote "Replacing Certificate for Communication from Metadata Interchange Agents to IBM InfoSphere Metadata Asset Manager".

Recreate Certificates:

If WebSphere Application Server 7.0.0.21 or earlier is being used, the certificates must be recreated with the desired key bit value.
First, add the following properties to your WebSphere Application Server configuration:
com.ibm.ssl.rootCertKeySize
com.ibm.ssl.defaultCertReqKeySize
To do this, log in to the WebSphere Application Server Administrative Console.
Navigate to Security > Global Security and click "Custom Properties".

Click "New" and add both:
com.ibm.ssl.rootCertKeySize
and
com.ibm.ssl.defaultCertReqKeySize
Set the value of each to 2048, or to whatever the desired key bit value is.

Once the properties are added, stop WebSphere.
Move key.p12, trust.p12 and root-key.p12 aside from:
<WAS_install_dir>/AppServer/profiles/InfoSphere/config/cells/HOSTNAMENode01Cell/nodes/HOSTNAMENode01
If on Unix:
mv trust.p12 trust.12.bak
mv key.p12 key.12.bak
mv root-key.p12 root-key.p12.bak
If on Windows:
move trust.p12 trust.12.bak
move key.p12 key.12.bak
move root-key.p12 root-key.p12.bak

Restart WebSphere.
WebSphere will automatically regenerate 2048 bit keys for the self-signed certificates in the NodeDefaultKeyStore.
After you confirm that the new certificates have been generated correctly, remove the *.bak files.

If you are using Information Server 8.5 or later, run UpdateSignerCerts.sh (Unix) or UpdateSignerCerts.bat (Windows) on all tiers (Client, Services and Engine) to update their keystores with the new certificate.
UpdateSignerCerts is located in:
<IS_install_dir>/ASBNode/bin
<IS_install_dir>/ASBServer/bin

To update the iiscert, refer to the entire technote "Replacing Certificate for Communication from Metadata Interchange Agents to IBM InfoSphere Metadata Asset Manager".
Make sure to create the new certificate with the desired key bit value.
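Both procedures above end with confirming that every certificate in the keystore now uses a 2048 bit key. The following script is an added example, not part of this technote or the attached ConvertSSLCert.py: it parses the output of `keytool -list -v` (run against key.p12 or trust.p12 with `-storetype PKCS12`) and reports any alias whose chain still contains a key below the required size. It assumes the Java 8 or later keytool format, where each certificate carries a "Subject Public Key Algorithm: N-bit RSA key" line; the sample listing is constructed, not captured from a server.

```python
import re
from typing import Dict, List

# Lines of `keytool -list -v` output the check relies on (Java 8+ format assumed).
ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
KEY_RE = re.compile(r"^Subject Public Key Algorithm:\s*(\d+)-bit (\w+) key")

# Constructed sample listing (not real server output): "default" has already been
# converted to 2048 bits, while "iiscert" is still the 1024 bit certificate.
SAMPLE_LISTING = """\
Alias name: default
Certificate chain length: 2
Certificate[1]:
Owner: CN=host.example.com, OU=hostNode01Cell, OU=hostNode01, O=IBM, C=US
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=host.example.com, OU=Root Certificate, OU=hostNode01Cell, O=IBM, C=US
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: iiscert
Certificate chain length: 1
Certificate[1]:
Owner: CN=iiscert, O=IBM
Subject Public Key Algorithm: 1024-bit RSA key
"""


def parse_key_sizes(listing: str) -> Dict[str, List[int]]:
    """Map each alias to the key sizes found in its certificate chain, leaf first."""
    sizes: Dict[str, List[int]] = {}
    alias = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1).strip()
            sizes[alias] = []
            continue
        m = KEY_RE.match(line)
        if m and alias is not None:
            sizes[alias].append(int(m.group(1)))
    return sizes


def weak_entries(listing: str, minimum_bits: int = 2048) -> Dict[str, List[int]]:
    """Aliases with any key below minimum_bits, or with no readable key size at all.

    An entry whose size could not be read is reported rather than silently passed,
    so an unexpected keytool format cannot make the check look clean."""
    return {alias: chain for alias, chain in parse_key_sizes(listing).items()
            if not chain or min(chain) < minimum_bits}
```

Run the check against each keystore the procedure touched (key.p12 and trust.p12, plus the Information Server tiers updated by UpdateSignerCerts); an empty result means every chain meets the 2048 bit target.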


Document Information

Modified date: 16 June 2018

UID: swg21671725