Warning for IBM Connections admins – change that Plugin keyfile password!

If you are running IBM Connections (any version), have configured the SSL connection between the HTTP Server and WAS by importing the WAS SSL certificate into the Plugin keyfile (rather than creating your own keyfile), and haven’t changed the default password, go and do so now!

As this IBM technote states, the default password expires on April 26th, 2012:

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. On distributed this file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.

CVE-2012-2162

If you are using the WebSphere Key and Certificate Management generated plug-in key store you are NOT affected. If, however, you are using the key store installed by default with the Web Server Plug-in for WebSphere Application Server and you have NEVER changed the key store’s password, then you must change the plug-in key store’s password, which removes the pending password expiration, to avoid a security exposure. Generally, as a best practice, IBM recommends you always change passwords from the default value to enhance the security of your system.

In reference to this specific security exposure concern, a majority of users do not reference the affected file at runtime and therefore are not impacted. However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this issue.

All the instructions for fixing this issue are contained in the technote, so take a read and make sure you’ve got this covered.

For the record, my advice when configuring a new Connections environment is to create a new keyfile with your own password, create a self-signed certificate or request a certified one from Verisign etc., and then import the certificates into WAS. This is all detailed in the presentation that Rob Wunderlich and I gave at Lotusphere 2011.
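
The technote quoted above says only installations that reference the file at runtime are impacted. The following script is an added example, not taken from the technote or the original post, that reports which web server definitions point their plug-in configuration at a plugin-key.kdb. It assumes the layout [Plugin_Home]/config/{webservername}/plugin-cfg.xml and the plug-in's "keyring" transport property; the function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: report which web server definitions under a plug-in home
# reference a plugin-key.kdb through the "keyring" property in plugin-cfg.xml.
# Assumption: layout is [Plugin_Home]/config/{webservername}/plugin-cfg.xml.
# Note: the file name alone does not prove it is the shipped key store; a hit
# means "confirm this key store's password was changed from the default".

# Print the distinct keyring paths referenced by one plugin-cfg.xml.
keyrings_in_cfg() {
    # Matches <Property Name="keyring" Value="..."/> inside Transport elements.
    sed -n 's/.*Name="keyring"[[:space:]]*Value="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Classify one web server definition directory.
# Output: "<dir> REFERENCES-PLUGIN-KEY-KDB | OTHER-KEYSTORE | NO-KEYRING"
check_webserver_dir() {
    dir=$1
    cfg="$dir/plugin-cfg.xml"
    [ -f "$cfg" ] || return 0
    refs=$(keyrings_in_cfg "$cfg")
    if [ -z "$refs" ]; then
        # No SSL transport configured, so no key store is read at runtime.
        echo "$dir NO-KEYRING"
    elif printf '%s\n' "$refs" | grep -q '[/\\]plugin-key\.kdb$'; then
        echo "$dir REFERENCES-PLUGIN-KEY-KDB"
    else
        echo "$dir OTHER-KEYSTORE"
    fi
}

# Walk every web server definition below <Plugin_Home>/config.
audit_plugin_home() {
    for d in "$1"/config/*/; do
        [ -d "$d" ] && check_webserver_dir "${d%/}"
    done
    return 0
}

# Usage: sh audit-keyring.sh /path/to/Plugin_Home
if [ $# -gt 0 ]; then
    audit_plugin_home "$1"
fi
```

Any directory reported as REFERENCES-PLUGIN-KEY-KDB is one to check against the technote's instructions.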

Stuart McIntyre is a Senior Strategist at Fostering Community Limited. He curates a number of product-focused news sites, is a lapsed podcaster, founded the Social Connections user group and regularly speaks at conferences and events. This blog represents his own slightly-eccentric and usually-controversial opinions!
  • Dave Hay

    Stuart, thanks for sharing. I trust that none of your customers were adversely affected by this? Dave