Yes, you are right, this is more an AWS question. I do not think there is a WAS solution to that, unless you use wildcard certificates. The issue here is that you need a signed certificate, which is usually created for a specific CN; although you can also use wildcard CNs, that is not something you usually want to use, for security reasons.
So what you need is to be sure that WAS is configured to always use the same hostname. You can do that by configuring an AWS Route 53 alias / CNAME with this hostname that points to the load balancer that I suppose you have in front of your ASG. Your CA will create a signed certificate with CN=hostname of the load balancer. Each time you rebuild the machine you use an AMI that was created from an EC2 instance where the keystore with the certificate was added to WAS and the configuration was made to use this certificate; here you can use a WAS script to execute the SSL configuration so that it uses that certificate alias instead of the self-signed one.
If you decide to use the wildcard certificate, you add it once to the WAS keystore, and no matter what hostname is created for your EC2 instance it works, because the domain is always the same, but I remind you that this is not very secure.
João Pedro Alexandre
Senior Lead, Infrastructure Specialist
Kyndryl Consult
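The check that goes with this setup, added here as an example that is not part of the thread or of any IBM/AWS tooling: it applies the browser's acceptance rules (SAN over CN, wildcard only as the whole leftmost label, an IP must appear as an iPAddress SAN, issuer equal to subject means self-signed) to the certificate presented at the stable alias. Hostnames below are constructed placeholders and port 9043 is assumed to be the default WAS secure admin port.

```python
"""Audit the certificate a WAS host serves at its stable alias. Added example,
not code from the thread; cert dicts are in the shape ssl.getpeercert() returns."""
import ipaddress
import socket
import ssl

def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' counts only as the entire leftmost label and
    covers exactly one label, so *.example.com never matches a.b.example.com."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> list[str]:
    """DNS names the cert is valid for: SAN dNSName entries, with the subject CN
    used only when no SAN extension exists (the rule browsers apply)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_cert(cert: dict, hostname: str) -> list[str]:
    """Reasons a browser would reject (or a reviewer would flag) this cert for
    the hostname; an empty list means it is acceptable as-is."""
    findings = []
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")          # the default WAS install certificate
    try:
        ipaddress.ip_address(hostname)          # connecting by raw EC2 IP
        ips = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
        if hostname not in ips:
            findings.append("ip-not-in-san")
        return findings
    except ValueError:
        pass                                    # hostname is a DNS name
    matches = [n for n in cert_names(cert) if _label_match(n, hostname)]
    if not matches:
        findings.append("hostname-mismatch")    # cert still carries the old EC2 name
    elif any(n.startswith("*.") for n in matches):
        findings.append("wildcard")             # accepted, but broader than needed
    return findings

def audit_alias(hostname: str, port: int = 9043) -> list[str]:
    """Live check against the Route 53 alias: the chain must verify against the
    system trust store, then the name rules above are applied to the cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # name rules are applied by check_cert
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"untrusted-chain: {exc.verify_message}"]
```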
Original Message:
Sent: 5/3/2023 12:43:00 PM
From: Paul Fearon
Subject: WebSphere in AWS and self-signed certificates
Hi,
Our customer is running WebSphere traditional profile based edition v9 in AWS. The hosts are rebuilt nightly and are placed in an auto-scaling group (ASG). In order to access the WebSphere console we just retrieve the IP from the EC2 instances in the AWS console. However, the customer's desktop environment is now moving to Windows 11 and I believe (though I haven't seen it in practice yet) the browsers will not support (a) IP-based SSL certificates and (b) self-signed SSL certificates, so this means the default certificate generated on the installation of WAS is no longer acceptable. This isn't an issue in static environments where we can provision CA-signed certificates, but where they are in an ASG the hostname continually changes. Has anyone come across a best practice for how to handle this (might be more of an AWS question, but I figured I would give it a spin here first)?
Thanks,
Paul
------------------------------
Paul Fearon
------------------------------