WebSphere Application Server & Liberty

  • 1.  Not able to stop application server

    Posted Sat June 01, 2013 12:25 PM
    In the WAS 7.0 DMGR console I created a new personal certificate in the keystore, extracted it, and added it to the truststore signer certificates.


    I have replaced the default certificate with new personal certificate and I deleted old default certificates.  


    I have done the same as above at node level.

    Later I did a certificate exchange between the cell default keystore and the cell default trust store.


    In the next step I exchanged certificates between the node default key store and the cell default trust store.

    After that I copied {dmgr-profile}/config/cells/cellname/trust.p12 and key.p12 to {dmgr-profile}/etc/trust.p12 and key.p12.

    Later I copied {dmgr-profile}/config/cells/cellname/trust.p12 to {application server}/etc/trust.p12.


    Here I forgot to take a backup of trust.p12 and key.p12.


    Later I copied {dmgr-profile}/config/cells/cellname/nodes/nodename/key.p12 to {application server}/etc/key.p12.


    Later I was able to stop and start the dmgr, but I'm not able to stop the application server instance.


    But if I kill the nodeagent and application server processes, then I can start the application process. But again I get the following kind of error while stopping.

    from keystore {application server}/etc/trust.p12 is not able to communicate with MAC .



    //// kindly please provide the solution how to resolve this.

    Will it be resolved if I copy {dmgr-profile}/config/cells/cellname/key.p12 to {application server}/etc/key.p12?

    or

    If I delete {application server}/etc/trust.p12 and key.p12, will these files be created automatically while starting up the process?



    Or do I need to copy the key.p12 file from the cell level node configuration to {application server}/etc/key.p12?
              


        


  • 2.  Not able to stop application server

    Posted Sat June 01, 2013 07:31 PM

    Hi Pawan

    What error are you having (SystemOut of Dmgr and Server) when you try to stop the server?

    will it be resolved if I copy {dmgr-profile}/config/cells/cellname/key.p12 to {application server}/etc/key.p12?

    Probably will work (you will have the same trust.p12 and key.p12 as the DMGR).

    or
     
    If I delete {application server}/etc/trust.p12 and key.p12 whether these files will be created automatically while starting up the process?

    No, the files are not created automatically.

    or do I need to copy key.p12 file from cell level node configuration  to   {application server}/etc/key.p12?
              
    Probably will work.

    I suggest (for simplicity) taking the DMGR trust.p12 and key.p12 and copying them into {application server}/etc/.

    When you are able to stop from the console, review all your configuration again and don't forget to synchronize the nodes. Check from the console that your new certificate is in the cell and node repositories.

    If you have skills with keytool or ikeyman, try to review your {application server}/etc/trust.p12 and key.p12 to check that you have your new certificate.

    Hope this helps. Tell us if you need more support.

    Regards





  • 3.  Not able to stop application server

    Posted Mon June 03, 2013 03:36 AM
    Hi Gabriel,


    Thanks for your suggestions.


    I'm trying to get permission from the application team to make the above changes in our production environment.


    If possible I'll share the log file or log information with you.


    Once again, thanks for your support. :) Now at least I can try the above changes after taking a backup.

    I'll get back to you soon.


  • 4.  Not able to stop application server

    Posted Mon June 03, 2013 03:50 AM
    Hi Gabriel,

    Ours is a Japanese project. I'll share the stop server log line with you soon.

    Could you confirm whether my understanding below is correct or not?

    ****** A line From your answer*******

    ///Check from console that your new certificate is in cell and node repositories.   


    To do the above check.. I'll all the node level certificates to cell level key.p12 and trust.p12 .


    Then I'll copy both key.p12 and trust.p12 from {dmgr-profile}/config/cells/cellname/ to {application server}/etc/?        

    For checking certificates in cell level and node level and resolving the issue can I follow the above process? 


  • 5.  Not able to stop application server

    Posted Mon June 03, 2013 10:20 AM
    Pawan,

      I'm suggesting that you review from the Admin console (Security-SSL repositories) whether your new certificate is in CellDefaultRepository (Trust and Key) and NodeDefaultRepository (Trust and Key) when you are interchanging certificates.

      If you see (from the admin console) the new certificate in the repositories, then check the timestamp of the files {dmgr-profile}/config/cells/cellname/trust.p12 and key.p12 to be sure that your changes are in the files.

    Regards


  • 6.  Not able to stop application server

    Posted Sun June 09, 2013 09:24 AM
    Hi Gabriel, Thank you very much for your great support. I have checked in cell level node configuration. ({WAS-CONFIG}/config/cells/cellname/nodes/nodename/trust.p12)

    It has the same certificates that {APPSRV_profile}/appserver name/etc/trust.p12 has.

    Also, I have checked whether {APPSRV_profile}/appserver name/etc/trust.p12 is accessible with the password mentioned in the ssl.client.props file. /etc/trust.p12 was not accessible with that password.

    But {WAS-CONFIG}/config/cells/cellname/nodes/nodename/trust.p12 was accessible. So, this issue may be fixed if I copy the above trust.p12 file to appsrv/etc/trust.p12.

    I have shared my action plan with the IBM vendor.

    They also confirmed my action plan. So this weekend I'm going to implement it.

    I'll share the result with you soon.
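
Added example, not part of the thread and not IBM tooling: the check and copy that posts 2 and 6 describe, written as a script that refuses a source keystore that does not open with the expected password and backs up the target before overwriting it. The `STOREPASS` variable, the `P12_CHECK` hook and the function names are assumptions; `keytool` is the JDK tool mentioned in post 2, and the paths in the usage comment are the placeholders used in the thread.

```shell
#!/bin/sh
# Added example; STOREPASS, P12_CHECK and the paths below are assumptions.

# True only if the PKCS12 file opens with the password held in $STOREPASS.
# The password is sent on stdin so it does not show up in process listings.
p12_opens() {
    printf '%s\n' "${STOREPASS:-}" |
        keytool -list -storetype PKCS12 -keystore "$1" >/dev/null 2>&1
}

# Checker used by replace_keystore (overridable, e.g. on a host without Java).
P12_CHECK=${P12_CHECK:-p12_opens}

# replace_keystore SRC DST
# Returns 0 on success, 2 if SRC fails the check, 3 if the backup fails,
# 4 if the copy is not byte-identical (DST is then restored from the backup).
replace_keystore() {
    src=$1
    dst=$2
    bak=
    "$P12_CHECK" "$src" || { echo "refusing: $src failed the check" >&2; return 2; }
    if [ -e "$dst" ]; then
        bak="$dst.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$dst" "$bak" || return 3
        echo "backup written: $bak"
    fi
    if cp -p "$src" "$dst" && cmp -s "$src" "$dst"; then
        return 0
    fi
    if [ -n "$bak" ]; then cp -p "$bak" "$dst"; fi
    return 4
}

# Usage (placeholders as written in the thread):
#   STOREPASS=... replace_keystore \
#     "{dmgr-profile}/config/cells/cellname/nodes/nodename/trust.p12" \
#     "{application server}/etc/trust.p12"
```

Run it with the node agent and server stopped, and keep the `.bak.*` file until a clean stop and start has been confirmed.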


  • 7.  Not able to stop application server

    Posted Sun June 23, 2013 01:02 PM
    Hi Gabriel,


    Since it is a production server, I didn't get approval to make this change yet.


    I'm still waiting for their approval, but with your help I have explained the issue to our client.


    Thank you. I'll share the result once I have made this change.