Renew the expiring certificates for Maximo 7.5 / 7.6 from WebSphere 7 / 8.5.5

March 29, 2016 PauloMacaraeg

If you are using an older fix pack level of WebSphere 7 or 8.5.5 (WebSphere 7.0.0.34 / 8.5.5.3 or earlier) and experienced an outage due to expired default certificates, first thing you will need to do is to renew them. Default WebSphere certificates should be renewed automatically. However, in some cases they were not.

 

"When certificate expiration monitor finds expired certificate, it examines if the certificate is signed by WebSphere Application Servers root certificate or not. If it is signed by its root, the expired certificate is renewed and it replaces the expired one. In the case where a root certificate is chained certificate, WebSphere incorrectly thinks expired certificate is not signed by WebSphere even though it is, and does not renew or replace it."

 

From the Systemout.log file of the nodeagent and deployment manager, you will see the same traces below.

 

[3/14/16 7:22:20:332 PDT] 0000007d WSX509TrustMa E   CWPKI0312E: The certificate with subject DN CN=MXSYSTEMS, OU=ctgNodeCell01, OU=ctgNode01, O=IBM, C=US has an end date Mon Jan 11 11:17:18 PST 2016 which is no longer valid.
[3/14/16 7:22:20:336 PDT] 0000007d ORBRas        E com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl createSSLSocket Thread-135 JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security.  Reason: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

...

Caused by: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

...

Caused by: java.security.cert.CertPathValidatorException: The certificate expired at Mon Jan 11 11:17:18 PST 2016; internal cause is:
    java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

...

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 11 11:17:18 PST 2016

 

This issue was identified by WebSphere as APAR PI14178: CERTIFICATE MONITOR DID NOT RENEW CHAINED CERTIFICATE ( NOT IBM DEFAULT CHAINED CERTIFICATE) and has been fixed in WebSphere fix pack versions 7.0.0.35 and 8.5.5.4 or later.

 

IBM supports recommends using WebSphere 7.0 Fix Pack 35 or higher with Java SDK 1.6.0 SR12 Cumulative Fix with Maximo and Control Desk

 

http://www-01.ibm.com/support/docview.wss?uid=swg21578450

 

If an immediate fix is needed, then manually renewing the expired certificates is the solution.

 

Manually Renewing Certificates

 

  1. From WebSphere console, navigate to Security > SSL certificate and key management > Key stores and certificates.

    image

     
  2. Click CellDefaultKeyStore and NodeDefaultKeyStore, then go to Personal Certificates. If you have multiple nodes, you will have to do the same steps for all the nodes key store.
  3. Select the check box and click the Renew button.

    image
     
  4. Restart the WebSphere deployment manager and synchronize the nodes.

 

Previous Article
Cloning Maximo/ICD 7.6 is not supported
Cloning Maximo/ICD 7.6 is not supported

It has been more than a month since I wrote my last blog. In the previous versions of Maximo like Maximo 7....

Next Article
BiLog:  Maximo 7604, Acronyms and Result Set Export (RSE)
BiLog: Maximo 7604, Acronyms and Result Set Export (RSE)

There is a new button in 7.6.0.4.  Result Set Export.  Let's call him RSE .  (We like acronyms.  Remember B...

×

Want our latest news? Subscribe to our blog!

Last Name
First Name
Thank you!
Error - something went wrong!