Changing Installed Certificates Used for Unwired Server and Sybase Control Center HTTPS Listeners

Both Unwired Server and Sybase Control Center include default certificates that are used for these components' HTTPS listeners. Since all installations use the same certificates by default, you must change these certificates with production-ready ones after you install Unwired Platform.

Prerequisites

By default, Unwired Server includes two security profiles, which is used by secure management and Data Change Notification (DCN) listeners: default and default_mutual. Therefore, you need to determine what type of authentication is required. The security profile you use determines which certificate file you need, and where they need to be deployed. The most secure profile is default_mutual, whereby components are mutually authenticated.

The default security profile uses domestic authentication and uses the alias of "sample1". With this authentication type, Unwired Server sends its certificate to the client (that is, either Sybase Control Center or DCNs). However, it does not require a certificate in return from the client. Instead, you must configure the client to trust the Unwired Server certificate.
The default_mutual security profile uses domestic_mutual authentication and uses the alias of "sample2". This authentication type requires that Sybase Control Center and Unwired Server truststores each contain a copy of the other component's certificate.

For details about what cipher suites are supported for domestic and domestic_mutual authentication, see Creating an SSL Security Profile in Sybase Control Center in the Sybase Control Center online help.

Task

Note: Because secure DCN has automatically been configured to use these same profiles by default, you are updating certificates used for secure DCN communication. If you want DCN to use a unique profile and certificates, see EIS Tier Security.

Generate new production-ready certificates:
1. For Unwired Server: if you are using default , create new server certificates for Unwired Server and keep the current alias of "sample1"; if you are using default_mutual also generate new server certificates for Sybase Control Center and keep the current alias of "sample2". This replaces the sample certificates in this keystore.
  - If you use a PKI system, ensure that the generated certificates and key pairs are signed by the Certificate Authority (CA) certificate that is widely trusted in your organization. Unwired Platform is compliant with certificates and key pairs generated from most well known PKI systems. Sybase recommends that you use this option.
  - If you do not use a PKI system, use the keytool utility to generate new self-signed certificates by following these steps. For an example of a keytool command, see Preparing Certificates and Key Pairs.
  Note: For a clustered environment, set the CN of the certificate to *.domain. The truststore and keystore files, as well as the definitions for default and default_mutual profiles are then synchronized across the cluster. As a result, there will only ever be a single certificate shared by all nodes that are members of the same cluster.
2. For Sybase Control Center: generate a new certificate for this keystore with a "jetty" alias. This replaces the default self-signed certificate installed in that keystore.
Import production-ready certificates, then update the security profile to associate these files with the Unwired Server encrypted port.
1. Use keytool to import the new production certificates into the primary Unwired Server keystore.
2. In the left navigation pane, expand the Servers folder and select the primary Unwired Server.
3. Select Server Configuration.
4. In the right administration pane, click General then SSL Configuration.
5. Optional. If you have used a different alias, rather than keep the alias of "sample1", locate the profile name row and modify the alias name to match the one used by your certificate.
6. Optional. If you are using a PKI system that includes OCSP, configure an OCSP responder. See Enabling OCSP.
Update Sybase Control Center keystores and configure it to also use these production-ready certificates.
1. Use keytool to import the new production Unwired Server certificate into the Sybase Control Center keystore at <UnwiredPlatform_InstallDir>\SCC-XX\plugins\com.sybase.supadminplugin_X.X.X\security\truststore.jks.
2. Open <UnwiredPlatform_InstallDir>\SCC-XX\services\Messaging\lib\eas\lib\Repository\Server\EmbeddedJMS\Instance\com\sybase\djc\server\ApplicationServer\EmbeddedJMS.properties, and revise the filePath,keyStoreName, trustStoreName and password properties, so that Sybase Control Center can locate and access these stores.
Optional. If you are using default_mutual authentication, use keytool to import the new server certificate for Sybase Control Center into the primary Unwired Server truststore.
Replace the default certificate for Sybase Control Center's HTTPS listener. Use keytool to import the new Sybase Control Center certificate with the "jetty" alias to the <UnwiredPlatform_InstallDir>\SCC-X_X\keystore keystore.