|
| 1 | +#!/bin/bash |
| 2 | +# Re-issue the WebSphere SOAP/SSL personal certificate during the image build. |
| 3 | +# |
| 4 | +# The base image ships a self-signed "default" certificate with a 1-year |
| 5 | +# validity. Once it expires, the wsadmin SOAP-over-SSL handshake fails with |
| 6 | +# "PKIX path building failed: unable to find valid certification path to |
| 7 | +# requested target" and the application deployment cannot run. We re-issue the |
| 8 | +# certificate signed by the existing (long-lived, ~2040) root CA so the client |
| 9 | +# truststore keeps trusting it without any further changes. |
| 10 | +set -euo pipefail |
| 11 | + |
| 12 | +WAS=/opt/IBM/WebSphere/AppServer |
| 13 | +KT="${WAS}/java/8.0/bin/keytool" |
| 14 | +CFG="${WAS}/profiles/AppSrv01/config/cells/DefaultCell01/nodes/DefaultNode01" |
| 15 | +PW=WebAS |
| 16 | +# keytool requires new key passwords to be at least 6 chars, but the WebSphere |
| 17 | +# keystore password is 5 chars, so we mint the key in a temp store first. |
| 18 | +TMP=changeit |
| 19 | +DN="CN=localhost,OU=DefaultCell01,OU=DefaultNode01,O=IBM,C=US" |
| 20 | +NEW=/tmp/new_default.p12 |
| 21 | + |
| 22 | +"${KT}" -genkeypair -alias default -dname "${DN}" -keyalg RSA -keysize 2048 \ |
| 23 | + -sigalg SHA256withRSA -validity 7300 -keystore "${NEW}" -storepass "${TMP}" \ |
| 24 | + -keypass "${TMP}" -storetype PKCS12 |
| 25 | +"${KT}" -certreq -alias default -keystore "${NEW}" -storepass "${TMP}" \ |
| 26 | + -file /tmp/default.csr |
| 27 | +"${KT}" -gencert -alias root -keystore "${CFG}/root-key.p12" -storepass "${PW}" \ |
| 28 | + -storetype PKCS12 -infile /tmp/default.csr -outfile /tmp/default.cer \ |
| 29 | + -validity 7300 -sigalg SHA256withRSA -rfc |
| 30 | +"${KT}" -exportcert -alias root -keystore "${CFG}/root-key.p12" -storepass "${PW}" \ |
| 31 | + -storetype PKCS12 -rfc -file /tmp/root.cer |
| 32 | +"${KT}" -importcert -noprompt -alias root -file /tmp/root.cer -keystore "${NEW}" \ |
| 33 | + -storepass "${TMP}" -storetype PKCS12 |
| 34 | +"${KT}" -importcert -noprompt -alias default -file /tmp/default.cer -keystore "${NEW}" \ |
| 35 | + -storepass "${TMP}" -storetype PKCS12 |
| 36 | +"${KT}" -delete -alias default -keystore "${CFG}/key.p12" -storepass "${PW}" \ |
| 37 | + -storetype PKCS12 || true |
| 38 | +"${KT}" -importkeystore -noprompt -srckeystore "${NEW}" -srcstorepass "${TMP}" \ |
| 39 | + -srcstoretype PKCS12 -srcalias default -destkeystore "${CFG}/key.p12" \ |
| 40 | + -deststorepass "${PW}" -destkeypass "${PW}" -deststoretype PKCS12 -destalias default |
| 41 | + |
| 42 | +echo "WebSphere SOAP/SSL certificate re-issued (signed by existing root CA)." |
0 commit comments