I have a DMC 3.1.10 install running under Linux with locally defined users. The https port uses the default self-signed certificate from the install and the browser complains about the self-signed certificate every now and then.
So I wanted to replace the self-signed certificate with a certificate signed by our local CA. First I gave the wlp server its proper hostname according to these docs https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-setting-default-host-name-server (setting the defaultHostname variable in server.xml) and then followed the description at https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=securing-enabling-https-db2-data-management-console.
I created the CSR via Java keytool, sent it to our CA and got my CSR signed back. After I entered the keystore details (wlp.keystore.type, wlp.keystore.location, wlp.keystore.password with freshly encrypted password) in <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties I restarted the server and -- voila -- got a nice https connection with my certificate in my browser. Looks good!
But then I was not able to sign-on anymore. My local super admin and password didn't work.
So I stopped the server, reverted the three settings in bootstrap.properties (BTW, why on earth does this file get rewritten and stripped of comments?!?!) to the old settings and then I was able to sign-on again.
@Cintia Ogura what else needs to be modified? Is the local user registry of DMC stored in the default key.p12 file? Do I have to copy over the login user to my new keyring? But with what (default?) password can I access this keystore to read the entries? Or do I have to reset the authentication config according to https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=configuration-resetting-authentication ?
The currently described procedure in the docs is not complete. The description from your huge slide deck is not detailed enough in this case.
Has anyone else gone through this?
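A pre-restart sanity check for the three keystore settings named in the post above, as an added example that is not part of the original thread or of IBM's tooling. It assumes the password is stored in the encoded form that Liberty's `securityUtility encode` emits (`{xor}` or `{aes}` prefix); the function names are hypothetical.

```python
import re
import stat
from pathlib import Path

REQUIRED = ("wlp.keystore.type", "wlp.keystore.location", "wlp.keystore.password")
# Assumption: the password uses Liberty's encoded form ({xor}... or {aes}...).
ENCODED = re.compile(r"^\{(xor|aes)\}\S+$")


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and #/! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_keystore_settings(text):
    """Return a list of findings; an empty list means the settings look sane."""
    props = parse_properties(text)
    findings = [f"{k}: missing or empty" for k in REQUIRED if not props.get(k)]
    if findings:
        return findings
    if not ENCODED.match(props["wlp.keystore.password"]):
        findings.append("wlp.keystore.password: not in encoded {xor}/{aes} form")
    location = props["wlp.keystore.location"]
    if "${" in location:
        # Variables are resolved by the server, so the file cannot be checked here.
        findings.append("wlp.keystore.location: contains a variable, check by hand")
        return findings
    path = Path(location)
    if not path.is_file():
        findings.append(f"wlp.keystore.location: {location} is not a file")
    elif stat.S_IMODE(path.stat().st_mode) & 0o077:
        # The keystore holds the private key; only the server user needs access.
        findings.append(f"wlp.keystore.location: {location} is accessible by group/other")
    return findings
```

Pass it the contents of `bootstrap.properties` before restarting the server; since the post notes the file gets rewritten, keep a copy of the original alongside.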
This issue may happen for some certificates when you disable the HTTP port by setting the port number to -1 in the configuration file at the same time. Please try the latest version (version 3.1.12) of DMC, which should have mitigated this issue.
Yan Hao Zhang
Hi Yan Hao,
thanks! I have updated to 3.1.12 and the problem was gone! The DMC servers are now running with TLS certificates signed by the customer's CA.