Overview

Skill Level: Beginner

IBM InfoSphere Information Server (IIS) 11.x requires a secured (HTTPS) protocol for all of its thick- and thin-client applications, so projects migrating from an older version to 11.x should use the procedure below to register the organization's certificates with the IBM IIS keystore.

Step-by-step

  1. Request the Certificate Signing Request (CSR)

    • Collect a Certificate Signing Request (CSR) for each environment's certificate from the site owner (IBM). What is shared is the CSR, not the private key: the private key is generated on the service tier, stays in the WAS keystore, and must never leave it.
      • Somename.csr -> Base certs
    • The security team needs these base CSRs to issue the customer self-signed (internal CA) or vendor-signed server certificates.
    • IBM provides only a self-signed certificate by default; it is the customer's responsibility to share the IDB public/internal certificates with IBM for installation in the InfoSphere application.


  2. Parameters for Cert Creation

    Mandatory :

    • Share the base CSRs and the FQDN(s) (fully qualified domain names) of the service tier with the security team.
      A fully qualified domain name is written as the host name plus the domain name, including the top-level domain.
    • Ex: [host name].[domain].[tld]
    • These FQDN(s) are added to the certificate's "Subject Alternative Name" (SAN) extension. Modern clients match the host name against the SAN, not the Common Name, so every name the clients will connect to must be listed there.
    • Collect the certificates from the IDB security team [Root, Interim, Server], in both Windows and Unix formats.
    • Before sharing them with the app owner (IBM), open the server certificate and verify the "Subject Alternative Name" values against the FQDN(s) requested, as well as the "Expiration date", "Issued By" and "Issued To" fields.
    • Share the customer CA-signed certificates with the app owner (IBM) / WAS administrator.

  3. Cert Registration in IIS Environment

    • The app owner (IBM) / WAS admin installs/registers the certificates in WAS (WebSphere Application Server) on the service tier machine.
      • Java key store :
                Root & Interim certs as Signer certificates; Server cert received into Personal certificates (it must be received against the personal certificate whose CSR was issued in step 1, so that it pairs with the private key already in the keystore)
      • WAS trust store :
               Root & Interim certs as Signer certificates; Server cert in Personal certificates (only the signer certificates are strictly needed in the trust store)
    • The service tier machines run Linux, so the certificate installation follows the Unix flavour of the files.
    • Before installing, the WAS admin should ensure that no user session is active and no payload/jobs are running in the DS Operations Console for the specific environment.
    • The admin restarts the WAS nodes after the certificate installation.
  4. Cert Registration in Client Machine

    • Log in to the client machine and add the certs through the Microsoft Management Console (MMC, Certificates snap-in). Use an account with admin privileges, and register the certs under the Computer account (local machine), not the user account.
    • Close all browsers before doing this activity.
      • Certs need to be added in this order -> [Root, Interim & Server]
        Root      -> Trusted Root Certification Authorities
        Interim   -> Intermediate Certification Authorities
        Server    -> Personal & Trusted Root Certification Authorities
        Caveat: once the Root and Interim certs are trusted, the chain validates on its own. Adding the server (leaf) cert to Trusted Root is not required for that, and if the server key is ever compromised it leaves a directly trusted copy that has to be removed from every client; keeping it in Personal only is the safer choice.
    • Launch IE, navigate to Tools -> Internet options -> Advanced -> Security
      • Uncheck the below 2 options
        • Check for publisher's certificate revocation
        • Check for server certificate revocation
      • Caveat: this turns off CRL/OCSP checking, so a revoked certificate would still be accepted. Do it only where the client cannot reach the CA's CRL distribution point, and re-enable both options once it can.
    • Restart the client machine.
    • This activity is only applicable to systems that use the external network.
  5. Test Cert Registration

    • Testing shall be conducted once the WAS restart and the client VM restart are done.
    • Ensure the FQDN is reachable from the client/IDB machine on the service port, using telnet (telnet <FQDN> <port>).
    • The Telnet Client is an optional Windows feature and must be enabled under "Turn Windows features on or off" before it can be used.
    • If the FQDN does not resolve, ensure an entry for it exists in the hosts file (C:\Windows\System32\drivers\etc\hosts).
    • Editing the hosts file needs admin access; otherwise copy it out, edit/add the entry, and replace the file (writing it back still requires elevated rights).
    • If the FQDN resolves but is still not reachable, ensure the firewall rules and ports are open to the target machine.
    • If the site is reachable over HTTPS, there should be no certificate error in the browser.
  6. Things to Consider

    • Root, Interim & Server certs should be signed using the SHA-256 hash algorithm (e.g. sha256WithRSAEncryption); as a minimum requirement, at least the Interim & Server certs must be SHA-256 signed. Certificates are signed, not encrypted: the hash is what the CA's signature covers. A root is trusted by its presence in the trust store rather than by its own signature, which is why the requirement matters most for the Interim & Server certs.
    • Certificates signed with SHA-1 are no longer accepted by current browsers and will not be supported going forward.
    • It is the customer's responsibility to notify the app owner to install new certificates before the current ones expire (act based on the security team's protocol).
    • An ASB agents restart may be required; it depends upon the customer's request to IBM / WAS admin.
    • Request the VM owner or Windows admin to perform "4. Cert Registration in Client Machine", and provide the certs to the respective team.
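The following PowerShell script is an added example and is not part of the original page or of IBM's tooling. It strings together the client-side parts of the procedure above: the step 2 verification of the server certificate (Subject Alternative Name, validity window, Issued By / Issued To) together with the SHA-256 signature requirement from step 6, the step 4 store mapping under the Computer account, a chain build that mirrors the revocation setting from step 4, and the step 5 port test in place of telnet. The FQDN, port and certificate file paths are assumed placeholders; the WAS-side import (step 3) is done in the WebSphere console and is not covered.

```powershell
# Added example, not from the original page: check the certificates received from
# the security team (step 2 / step 6), register them in the LocalMachine stores on a
# Windows client (step 4) and test the service-tier port (step 5).
# FQDN, port and file paths below are assumptions; replace them with your own values.
#Requires -RunAsAdministrator
param(
    [string]$Fqdn        = 'iisserver.example.com',   # assumed service-tier FQDN
    [int]   $Port        = 9443,                      # assumed WAS HTTPS port
    [string]$RootCert    = 'C:\certs\root.cer',       # assumed paths to the certs
    [string]$InterimCert = 'C:\certs\interim.cer',    # received from the security team
    [string]$ServerCert  = 'C:\certs\server.cer'
)

function Test-ServerCertificate {
    # Mirrors the manual check in step 2: SAN, validity, issuer/subject, signature hash.
    param([string]$Path, [string]$ExpectedFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $problems = @()

    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "not valid now (valid $($cert.NotBefore) .. $($cert.NotAfter))"
    }

    # Subject Alternative Name extension (OID 2.5.29.17); Format($false) yields
    # "DNS Name=host1, DNS Name=host2" on Windows. Match is case-insensitive, as DNS is.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($sanText -notmatch "DNS Name=$([regex]::Escape($ExpectedFqdn))(,|$)") {
        $problems += "SAN '$sanText' does not list '$ExpectedFqdn'"
    }

    # Step 6: SHA-256 minimum. FriendlyName is e.g. 'sha256RSA' or 'sha1RSA'.
    if ($cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
        $problems += "signed with $($cert.SignatureAlgorithm.FriendlyName); SHA-256 is the minimum"
    }

    [pscustomobject]@{
        IssuedTo = $cert.Subject
        IssuedBy = $cert.Issuer
        NotAfter = $cert.NotAfter
        SigAlg   = $cert.SignatureAlgorithm.FriendlyName
        Problems = $problems
    }
}

function Install-CertChain {
    # Step 4 store mapping under the Computer account (Cert:\LocalMachine), in chain order.
    # The leaf goes to Personal only: once Root and Interim are trusted the chain validates,
    # so it is deliberately not added to Trusted Root here.
    param([string]$Root, [string]$Interim, [string]$Server)
    Import-Certificate -FilePath $Root    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Import-Certificate -FilePath $Interim -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null
    Import-Certificate -FilePath $Server  -CertStoreLocation Cert:\LocalMachine\My   | Out-Null
}

function Test-CertChain {
    # Builds the chain against the machine stores, as the browser will.
    # NoCheck mirrors the IE revocation setting in step 4; use Online wherever the CA's
    # CRL/OCSP endpoint is reachable, otherwise a revoked certificate is still accepted.
    param([string]$Path, [switch]$SkipRevocation)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($SkipRevocation) { 'NoCheck' } else { 'Online' }
    $ok = $chain.Build($cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    return $ok
}

function Test-ServiceTierPort {
    # Step 5 without telnet: a plain TCP connect to the service port.
    param([string]$Name, [int]$TcpPort)
    $r = Test-NetConnection -ComputerName $Name -Port $TcpPort -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
        Write-Warning "No TCP connection to ${Name}:$TcpPort. If the name does not resolve, add it to $hosts; otherwise check firewall rules and the port."
    }
    return $r.TcpTestSucceeded
}

# --- main flow: verify first, install only a clean certificate, then test ---
$check = Test-ServerCertificate -Path $ServerCert -ExpectedFqdn $Fqdn
$check | Format-List
if ($check.Problems.Count -gt 0) {
    throw "Server certificate rejected: $($check.Problems -join '; ')"
}
Install-CertChain -Root $RootCert -Interim $InterimCert -Server $ServerCert
if (-not (Test-CertChain -Path $ServerCert -SkipRevocation)) { throw 'Chain does not validate after install' }
if (Test-ServiceTierPort -Name $Fqdn -TcpPort $Port) {
    "Port open; browse to https://${Fqdn}:$Port and confirm there is no certificate error."
}
```

Run it from an elevated PowerShell session on the client, after the WAS restart from step 3. The script refuses to install a server certificate whose SAN, validity or signature hash fails the step 2 / step 6 checks, and it keeps the leaf certificate out of Trusted Root; drop the -SkipRevocation switch on the chain test as soon as the CA's CRL or OCSP endpoint is reachable from the client.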


    All Steps has been executed by Tata Consultancy Services – Alliance & Technology unit Team, for various clients.
