Warning for IBM Connections admins – change that Plugin keyfile password!

If you are running IBM Connections (any version), have configured the SSL connection between the HTTP Server and WAS by importing the WAS SSL certificate into the Plugin keyfile (rather than creating your own keyfile), and haven’t changed the default password, go and do so now!

As this IBM technote states, the default password expires on April 26th, 2012:

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. On distributed this file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.


If you are using the WebSphere Key and Certificate Management generated plug-in key store you are NOT affected. If, however, you are using the key store installed by default with the Web Server Plug-in for WebSphere Application Server and you have NEVER changed the key store’s password, then you must change the plug-in key store’s password, which removes the pending password expiration, to avoid a security exposure. Generally, as a best practice, IBM recommends you always change passwords from the default value to enhance the security of your system.

In reference to this specific security exposure concern, a majority of users do not reference the affected file at runtime and therefore are not impacted. However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this issue.

All the instructions for fixing this issue are contained in the technote, so take a read and make sure you’ve got this covered.

For the record, my advice when configuring a new Connections environment is to create a new keyfile with your own password, create a self-signed certificate or request a signed one from a certificate authority such as Verisign, and then import the certificates into WAS. This is all detailed in the presentation that Rob Wunderlich and I gave at Lotusphere 2011.
