When using the -asExistingNode option on the addNode command,
you might be adding an existing node to a different machine. The
default Secure Sockets Layer (SSL) certificate of the node does not
contain the name of the machine the node is located on. In most scenarios,
the subject DN of the default certificate does not make a difference.
However, you might want to change the default certificate of the node
to contain the hostname of the node.
Before you begin
To replace the default certificate of a node, you must
create a new NodeDefaultKeyStore for the certificate and then replace
the old certificate with the new one.
The subject DN of the certificate that WebSphere® Application
Server creates by default is of the form cn=<hostname>, ou=<cell name>,
ou=<node name>, o=ibm, c=us. When creating a new certificate you
can also customize the subject DN.
About this task
To create a new SSL certificate in the administrative console:
Procedure
- Click Security > SSL certificate and key management >
Key stores and certificates.
- Select the NodeDefaultKeyStore of the node you want to
change.
- Under Additional Properties, select Personal certificates.
- Under the Create pull-down, select Chained Certificate.
- Enter a certificate and alias name.
This can
be any name you choose as long as the alias does not already exist.
It is just a label to identify the certificate in the keystore.
- Enter a common name.
This is typically the hostname
the node is running on.
- Optional: Fill in any of the other Subject
DN related fields.
If you want the subject DN to look like
the default subjectDN on WebSphere Application
Server, then enter:
- IBM in the Organization field.
- <cell name>,ou=<node name> in
the Organization unit field.
- Under the Country or region pull-down, select US.
- You can use the defaults for Root certificate used to sign
the certificate, Key Size, and Validity Period or supply your own
values.
- Click Apply.
Note: You can also create
a new chained certificate using the createChainedCertificate command.
Read PersonalCertificateCommands command group for the AdminTask object
for more information.
You must now replace the old certificate
with the one you just created. The replace certificate option not
only replaces the old default certificate with a new one but also
replaces any occurrences of the signer of the old certificate with
the signer of the new certificate. The configuration is also checked
for references to the alias name of the old certificate, and those
references are replaced with the alias name of the new certificate.
To replace the old certificate with the new one, complete the
remaining steps.
- Click Security > SSL certificate and key management
> Key stores and certificates.
- Select the NodeDefaultKeyStore of the node you want to
change.
- Under Additional Properties, select Personal certificates.
- Select the default certificate of the node, usually called
default.
- Click Replace.
- Select the certificate alias name for the certificate you
just created from the Replace with pull-down.
- Click Delete old Certificate after replacement.
- Click Apply.
Note: You can also replace
a certificate using the replaceCertificate command. Read
PersonalCertificateCommands command group for the AdminTask object
for more information.
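The two console procedures above can also be scripted with the createChainedCertificate and replaceCertificate commands that the notes mention. The following wsadmin Jython sketch is an added example, not IBM's own code; the cell, node, alias and host values are constructed, the helper names are hypothetical, and it assumes the script is run with wsadmin -lang jython and that the quoted Organization unit value is accepted in the same form as in the console field.

```python
import re

# Constructed sample values; substitute your own cell, node, alias and host.
CELL, NODE = "Cell01", "Node01"
NEW_ALIAS, HOSTNAME = "node01_hostcert", "node01.example.com"

_SAFE = re.compile(r"^[A-Za-z0-9._-]+$")

def _check(name, value):
    # Reject whitespace, quotes and brackets so a value cannot alter the
    # AdminTask argument string it is embedded in.
    if not _SAFE.match(value):
        raise ValueError("unsafe %s: %r" % (name, value))
    return value

def keystore_scope(cell, node):
    # Scope string that selects the node-level NodeDefaultKeyStore.
    return "(cell):%s:(node):%s" % (_check("cell", cell), _check("node", node))

def create_args(cell, node, alias, hostname):
    # Subject DN fields follow the default form given on this page:
    # cn=<hostname>, ou=<cell name>, ou=<node name>, o=ibm, c=us
    # Root certificate, key size and validity period are left at defaults.
    return ("[-keyStoreName NodeDefaultKeyStore -keyStoreScope %s "
            "-certificateAlias %s -certificateCommonName %s "
            "-certificateOrganization IBM "
            "-certificateOrganizationalUnit \"%s,ou=%s\" "
            "-certificateCountry US]"
            % (keystore_scope(cell, node), _check("alias", alias),
               _check("hostname", hostname), cell, node))

def replace_args(cell, node, old_alias, new_alias):
    # -deleteOldCert true matches "Delete old Certificate after replacement".
    return ("[-keyStoreName NodeDefaultKeyStore -keyStoreScope %s "
            "-certificateAlias %s -replacementCertificateAlias %s "
            "-deleteOldCert true]"
            % (keystore_scope(cell, node), _check("old alias", old_alias),
               _check("new alias", new_alias)))

# AdminTask and AdminConfig exist only inside wsadmin; elsewhere the script
# just defines the helpers above.
if "AdminTask" in globals():
    AdminTask.createChainedCertificate(create_args(CELL, NODE, NEW_ALIAS, HOSTNAME))
    AdminTask.replaceCertificate(replace_args(CELL, NODE, "default", NEW_ALIAS))
    AdminConfig.save()
```

The new alias must not already exist in the keystore, as the console procedure requires.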
What to do next
You can also replace default certificates in an entire
cell. Read Creating new SSL certificates to replace existing ones
in a cell for more information.