Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator 🌩️ Azure Session 1 – Cloud Computing Basics
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series πŸ” Preparing WinRM on Windows Server over HTTPS for Automation (5986) πŸ” WAS Service Restart Using WinRM over HTTPS (5986) on Azure DevOps
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
☁️ IBM Bluemix - Free 30 Days‎ ☁️ Create a IBM Bluemix Account ☁️ IBM WebSphere® Application Server on IBM Bluemix Cloud.
Showing posts with label Akamai SSL certificate renewal. Show all posts
Showing posts with label Akamai SSL certificate renewal. Show all posts

21 Oct 2025

πŸ”’ SSL Certificate Renewal on Akamai WAF and Its Impact on Applications.

  • Managing SSL certificates on Akamai is critical for ensuring uninterrupted access to Internet-facing applications. 
  • This guide covers the Akamai certificate renewal process, SSL pinning, and testing procedures on staging environments.

πŸ“š Topics Covered
  1. Akamai Certificate Renewal Method — How Akamai CPS automates and manages SSL renewals.
  2. SSL Pinning: What It Is and Why It’s Required — Understanding its purpose, risks during renewal, and testing procedures.
  3. Testing on Staging Environment (Web & Mobile) — Validating renewed certificates on Akamai’s staging edge before production rollout.
⚠️ Note: SSL certificate renewal on Akamai affects Internet-facing apps using the wildcard domain *.yourdomainapp.com.  Intranet-based apps are not affected.


⚙️ Akamai CPS Fail-Safe Deployment Features

1️⃣ 7-Day Auto Push 
If “Always Test on Staging before Deployment” is enabled, CPS automatically promotes the renewed certificate from staging to production 7 days before expiry, ensuring uninterrupted service.

2️⃣ Safety Net
CPS overrides manual holds to prevent expired certificates or DoS risks. For DV Wildcards like *.middlewarebox.com, renewal and activation happen automatically.

3️⃣ Renewal Timing
Auto-renewal starts 30 days before expiry, and the 7-day fail-safe window ensures timely production rollout even if manual steps are delayed.


πŸ’₯ Impacted Applications , Temporary SSL-Handshake or Connectivity issue.

  1. Mobile Applications – Android and iOS apps using HTTPS or certificate SHA256 pinning for API communication with *.yourdomain.com.
  2. Web-Based Applications – Internet-facing portals, dashboards, or web services behind Akamai using the same domain.
  3. API Endpoints / Partner Integrations Public or partner-facing APIs secured via *.yourdomain.com, often validating SSL through public key pinning.
Note: Internal or intranet-only apps remain unaffected.



πŸ”‘ SSL Certificate Pinning – Why It Matters
  • SSL Pinning ensures client apps (especially mobile apps) trust only a specific SSL certificate or public key, not just any CA-signed certificate.
  • This protects against Man-in-the-Middle (MITM) attacks, even if a CA is compromised.
⚠️ Important: During renewal, the public key or hash fingerprint may change. If your app uses certificate pinning, old pins will cause SSL handshake failures until updated with the new certificate.

-------------------------------------------------------------------------------------------------------


🧩 Extracting Public Key & Certificate Hash for Pinning

Step 1: Get the new SSL certificate from the Akamai team from the staging environment.

Step 2: Extract the public key SSL-pinning SHA256:
command:-
openssl x509 -in certificate.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Example Output:
Aq7AoU/d/6jl4LBYRNpR4BrssWrtkgu7jTnp95Ibrsc=

Note:
  • This SSL pinning value (SHA-256 hash) should be updated in your mobile applications (Android/iOS) to ensure successful HTTPS communication after certificate renewal.
  • Failing to update this pin may result in SSL handshake errors or connection failures when the new certificate goes live in production.

command :-
openssl x509 -in certificate.cer -outform DER | openssl dgst -sha256 -binary | openssl enc -base64

Example Output:
4BmfNA+XSJnIoSizRiRT/d3AqW27pBROTPUMxFbpEfM=

-------------------------------------------------------------------------------------------------------



πŸ§ͺ Testing the New SSL Certificate from Staging:

Ask the Akamai team to push the new SSL certificate to the staging environment.

1️⃣ Web-Based Applications :

Step 1: Perform DNS lookup for staging: 
[applicationname].middlewarebox.com.edgekey.staging.net


Output Example:
Server:  dns.google
Address:  8.8.8.8
Non-authoritative answer:
Addresses:  2600:1f18:4ae:c608:83f8:2f9c:4a61:7b6a
          54.165.131.183
          52.44.244.98
Aliases:  middlewarebox.com.edgekey.staging.net

Step 2: Edit hosts file on your laptop: "C:\Windows\System32\drivers\etc\hosts"
52.44.244.98  middlewarebox.com

Step 3: Ping staging server:  "ping middlewarebox.com"

Step 4: Validate staging certificate in browser (use Incognito mode) via:


2️⃣ Mobile Applications:

Step 1: Perform same DNS lookup as above.

Step 2: Update hosts file with staging IP. same as above 

Step 3: Enable Windows Mobile Hotspot: run below command  or 
In Windows PC - Open Settings >> Then Mobile Hostpot.

Step 4: Connect your iOS/Android device to the hotspot.

Step 5: Open the mobile app (ensure mobile Internet is disabled) and log in to validate the new SSL certificate.


To test for Production,test via Browser / SSL Labs

SSL
SSL Pinning

















Flow Chart:


ProTip: "Renewal is automated, but testing is manual - don't skip validation! This ensures true zero-downtime for ALL your applications." 

Read more posts »
Posted by: No comments:
Tags: , , , , , , , , ,
Subscribe to: Comments (Atom)