Db2


DMC login problem after replacing self signed https certificate

  • 1.  DMC login problem after replacing self signed https certificate

    IBM Champion
    Posted Wed November 29, 2023 06:57 AM

    I have a DMC 3.1.10 install running under Linux with locally defined users. The https port uses the default self-signed certificate from the install and the browser complains about the self-signed certificate every now and then.

    So I wanted to replace the self-signed certificate with a certificate signed by our local CA. First I gave the wlp server its proper hostname according to these docs https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-setting-default-host-name-server (setting the defaultHostname variable in server.xml) and then followed the description at https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=securing-enabling-https-db2-data-management-console.

    I created the CSR via Java keytool, sent it to our CA and got my CSR signed back. After I entered the keystore details (wlp.keystore.type, wlp.keystore.location, wlp.keystore.password with freshly encrypted password) in <dmchome>/wlp/usr/servers/dsweb/bootstrap.properties I restarted the server and -- voila -- got a nice https connection with my certificate in my browser. Looks good!

    But then I was not able to sign-on anymore. My local super admin and password didn't work.

    So I stopped the server, reverted the three settings in bootstrap.properties (BTW, why on earth does this file get rewritten and stripped of comments?!?!) to the old settings and then I was able to sign-on again.

    @Cintia Ogura what else needs to be modified? Is the local user registry of DMC stored in the default key.p12 file? Do I have to copy over the login user to my new keyring? But with what (default?) password can I access this keystore to read the entries? Or do I have to reset the authentication config according to https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=configuration-resetting-authentication ?

    The currently described procedure in the docs is not complete. The description from your huge slide deck is not detailed enough in this case.

    Has anyone else gone through this?

    Kind regards



    ------------------------------
    Roland Schock
    IBM Champion and IBM Gold Consultant
    ------------------------------
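
The CSR round trip described in the post above, as an added example that is not part of the original post or of IBM's documentation. A throwaway CA generated on the spot stands in for the real local CA, and the alias `dmc`, the host name, the file names and the password are constructed. It ends with the check worth running before pointing `wlp.keystore.location` at the new file: the server alias must be a private key entry carrying the full chain.

```bash
#!/usr/bin/env bash
# Added example: keytool CSR round trip against a throwaway CA.
# Prints "<entry type> <chain length>" for the server alias.
csr_round_trip() {
  local host="$1" pass="demo-pass-123" dir rc   # constructed password
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    kt() { keytool "$@" >/dev/null 2>&1 || exit 1; }   # quiet, abort on failure

    # Stand-in for the local CA. A real CA key never lives on the DMC host.
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -dname "CN=Demo Local CA" \
       -ext bc:c -validity 30 -keystore ca.p12 -storetype PKCS12 -storepass "$pass"
    kt -exportcert -alias ca -rfc -file ca.pem -keystore ca.p12 -storepass "$pass"

    # 1. Key pair and CSR, created in the keystore the server will use.
    kt -genkeypair -alias dmc -keyalg RSA -keysize 2048 -dname "CN=$host" \
       -validity 30 -keystore dmc.p12 -storetype PKCS12 -storepass "$pass"
    kt -certreq -alias dmc -file dmc.csr -keystore dmc.p12 -storepass "$pass"

    # 2. The CA signs the CSR and adds the host name as subjectAltName.
    kt -gencert -alias ca -infile dmc.csr -outfile dmc.pem -rfc \
       -ext "san=dns:$host" -validity 30 -keystore ca.p12 -storepass "$pass"

    # 3. Import the CA certificate first, then the signed reply under the
    #    SAME alias that holds the private key, so keytool builds the chain.
    kt -importcert -noprompt -trustcacerts -alias localca -file ca.pem \
       -keystore dmc.p12 -storepass "$pass"
    kt -importcert -noprompt -alias dmc -file dmc.pem \
       -keystore dmc.p12 -storepass "$pass"

    # 4. Verify: a TLS server needs a PrivateKeyEntry, not a bare
    #    trustedCertEntry, and the chain should reach the CA.
    keytool -J-Duser.language=en -list -v -alias dmc \
            -keystore dmc.p12 -storepass "$pass" 2>/dev/null |
      awk -F': ' '/^Entry type:/ {t=$2}
                  /^Certificate chain length:/ {n=$2}
                  END {print t, n}'
  )
  rc=$?
  rm -rf "$dir"
  return $rc
}
```

Importing the signed reply under a different alias than the key pair produces a `trustedCertEntry` with no private key, which this check catches before the server is restarted.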


  • 2.  RE: DMC login problem after replacing self signed https certificate

    Posted Sun December 03, 2023 08:57 PM

    Hi Roland,

    This issue may happen with some certificates when the HTTP port is disabled at the same time by setting the port number to -1 in the configuration file. Please try the latest version (version 3.1.12) of DMC, which should have mitigated this issue.

    Best regards,

    Yan Hao Zhang



    ------------------------------
    Yan Hao Zhang
    ------------------------------



  • 3.  RE: DMC login problem after replacing self signed https certificate

    IBM Champion
    Posted Wed December 06, 2023 07:46 AM

    Hi Yan Hao,

    Thanks! I have updated to 3.1.12 and the problem was gone! The DMC servers are now running with TLS certificates signed by the customer's CA.

    Cheers



    ------------------------------
    Roland Schock
    IBM Champion and IBM Gold Consultant
    ------------------------------