Applying TLS Configuration Setting for Server Manager Console and Agent (Tools Release 9.2.5 and later)

You can access Server Manager TLS Configuration Settings by clicking the TLS Configuration Settings link in the What do you want to do? pane. After you have uploaded and distributed the Server Manager keystore file and certificate file, you can validate the configuration changes and apply these changes to the Server Manager Console and the Server Manager Agents by selecting the appropriate TLS version and entering the trust store, keystore, and private key passwords.

Note: Before starting with the TLS configuration, ensure that all the agents associated with the Server Manager Console are in a running state. If any Server Manager Agent is stopped or not required, remove the corresponding entry from the management dashboard. Additionally, update the Server Manager Agents to the same release as the Server Manager Console.

Perform the following steps to apply the TLS configuration settings to the Server Manager Console and the Server Manager Agents:

  1. Click the Choose File field to select the certificate file or the keystore file you want to upload and distribute. You can select only one file at a time to be uploaded and distributed.
  2. Click the Upload and Distribute button. To upload multiple files, repeat steps 1 and 2 for each file.

    If any agent associated with the Server Manager Console is not in a running state during the configuration, the following error message is displayed:

    Before performing validation, ensure that all the agents connected to the Server Manager Console are running.

    If any of the agents associated with the Server Manager Console are not updated during the configuration, the following error message is displayed:

    Ensure all the Agents connected to Server Manager Console are updated to the same release as Server Manager Console, prior to performing validation and applying the TLS automation.

  3. Select a TLS version from the TLS Version drop-down list.
    Note: For the WebLogic Server, you can select either TLSv1.2 or TLSv1.3.
  4. Complete these fields:
    • Trust Store Password

      Enter the password of the trust store file. The password for all the trust store files in the setup on the Server Manager Console machine and the Server Manager Agent machines is the same.

    • Keystore Password

      Enter the password of the keystore file.

    • Private Key Password

      Enter the password of the private key file.

  5. Click the Validate button to validate the uploaded files and input passwords.

    After validation is successful, a confirmation message is displayed and the Apply and Restart button is enabled.

    If the validation fails, the following error message is displayed:

    Validation of the Certificate, Keystore, and Truststore failed with the inputs provided. Check the Server Manager Console logs for more information. Correct the errors and try again.

  6. To select a different TLS version, click the Reset button. The system will reset the TLS version and passwords entered.
  7. After successful validation, click the Apply and Restart button.
  8. On the confirmation dialog box, click OK to apply the TLS configuration settings to the setup.

    Restarting the Server Manager Console opens a short-lived terminal window on the Windows machine on which the Server Manager Console is installed. You will see this window only if you are connected to that machine. Do not perform any operation in this window; it closes automatically after the restart of the Server Manager Console is complete.

  9. Click Management Dashboard and restart all the managed instances for which the message Instance Restart Required is displayed. After you restart the managed instances, you can see the associated runtime metrics.
Note:
  • When the certificate used for TLS configuration is due to expire in 7 days or has already expired, a warning is displayed on the Managed Homes and Managed Instances pages. Take corrective action for the certificate as soon as you see the warning message, before the certificate expires. If the certificate expires, secure communication over TLS stops and you must manually reconfigure the TLS settings.
  • If the Server Manager Console is on the WebLogic Server, after applying the TLS configuration, you will need to restart the admin server of the domain in which the Server Manager Console is installed.
  • For any web component in a horizontal cluster setup, you must copy the $SCFHA/config/agent.properties file from the primary member to the horizontal cluster member after the automation has been applied. Additionally, you must copy the keystore file, certificate file, and trust store file and place them in the same location as the primary member.
  • All the TLSv1.2/1.3 configuration information is saved in the $SCFMC/config/agent.properties file and $SCFHA/config/agent.properties file.
  • The trust store file is automatically configured in the $SCFHA/jdk/jre/lib/security/cacerts file on the agent machines and in the $jdk/jre/lib/security/cacerts file of the Java installation used by the WebLogic Server and the WebSphere Application Server on the Server Manager Console machine.

  • When you create a new instance in a setup where TLSv1.2/1.3 automation has been applied, for the new instance, TLSv1.2/1.3 is automatically configured.

  • If the system property setting is management.server.usesecurejmx=false in the $SCFMC/config/agent.properties file and the $SCFHA/config/agent.properties file, the setting is automatically changed to management.server.usesecurejmx=true after you apply the TLS configuration settings.
  • You must import all the certificates from the $WAS_profile_dir\etc file for all the profiles into the agent’s keystore and trust store files for the agent to connect to the WebSphere profiles.
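
The following post-apply check is an added example, not Oracle code. It confirms that management.server.usesecurejmx is true in each agent home's config/agent.properties and that a horizontal cluster member holds the same agent.properties, keystore and trust store as the primary member. The certs/ paths and file names are constructed placeholders, and the byte-for-byte comparison assumes the files were copied unchanged as the note above instructs.

```python
import tempfile
from pathlib import Path

SECURE_JMX_KEY = "management.server.usesecurejmx"  # property named in the notes above

def load_properties(path):
    """Parse a Java-style .properties file into a dict (no line continuations)."""
    props = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(primary_home, member_home, tls_files):
    """Return findings; an empty list means the member matches the primary."""
    primary, member = Path(primary_home), Path(member_home)
    findings = []
    for home in (primary, member):
        props = load_properties(home / "config" / "agent.properties")
        if props.get(SECURE_JMX_KEY, "").lower() != "true":
            findings.append(f"{home.name}: {SECURE_JMX_KEY} is not true")
    for rel in ["config/agent.properties", *tls_files]:
        dst = member / rel
        if not dst.is_file():
            findings.append(f"{member.name}: missing {rel}")
        elif (primary / rel).read_bytes() != dst.read_bytes():
            findings.append(f"{member.name}: {rel} differs from primary")
    return findings

def demo():
    """Build two constructed agent homes (stand-ins for $SCFHA) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, jmx, store in (("primary", "true", b"KS-1"), ("member", "false", b"KS-0")):
            home = root / name
            (home / "certs").mkdir(parents=True)  # hypothetical keystore location
            (home / "config").mkdir()
            (home / "config" / "agent.properties").write_text(f"# constructed\n{SECURE_JMX_KEY}={jmx}\n")
            (home / "certs" / "keystore.jks").write_bytes(store)
        (root / "primary" / "certs" / "truststore.jks").write_bytes(b"TS-1")
        return audit(root / "primary", root / "member", ["certs/keystore.jks", "certs/truststore.jks"])

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real setup, call audit() with the primary and cluster member agent home directories and the relative paths of the keystore, certificate and trust store files you uploaded.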