For the automatic usage reporting and license updating, your server must be able to connect to our customer console api at This requires that firewall rules allow for outbound connections and that the Let's Encrypt certificate authority certificate be trusted by the Maximo JVM.

The Let's Encrypt certificate can be downloaded from this article or from the Let's Encrypt Chain of Trust page (Chain of Trust - Let's Encrypt ( The Let's Encrypt Active R3 certificate cross signed by IdenTrust in PEM format is what is needed.  The direct link is below:

Install CA WebSphere Liberty 

Copy the lets-encrypt-r3-cross-signed.pem to the WebSphere Liberty server.  For this example we are copying it to /opt/IBM/wlp/lets-encrypt-r3-cross-signed.pem where/opt/IBM/wlp is the installation directory for WebSphere Liberty.

There are two key stores that can be used by WebSphere Liberty, the shared JVM key store and the application key store that is defined in the application server.xml file.

For the shared JVM keystore execute the following command from a terminal, adjusting the paths as appropriate for your installation.

/opt/IBM/wlp/java/java/bin/keytool -import -trustcacerts -keystore /opt/IBM/wlp/java/java/jre/lib/security/cacerts -storepass changeit -noprompt -alias letsencrypt -file /opt/IBM/wlp/lets-encrypt-r3-cross-signed.pem

For the application key store, the key store path is defined in the keyStore element and defined by the location attribute.  The id attribute is referenced by the ssl element in the keyStoreRef attribute.  In the example below the the defaultKeyStore references a PKCS12 formatted key store in the shared resource directory.

<keyStore id="defaultKeyStore" password="${keystore_password}" location="${shared.resource.dir}/security/key.p12"/>
<ssl id="defaultSSLConfig"  sslProtocol="TLSv1.2"  keyStoreRef="defaultKeyStore"    clientAuthenticationSupported="true"  serverKeyAlias="default"   />

Replace the [your_keystore_password] with the password for your key store.  This example is for a PKCS12 formatted key store, if you are using the older JKS format then omit the -storetype pkcs12 argument.

/opt/IBM/wlp/java/java/bin/keytool -import -trustcacerts -keystore /opt/IBM/wlp/usr/shared/resources/security/key.p12 -storepass [your_keystore_password] -noprompt -alias letsencrypt -file /opt/IBM/wlp/lets-encrypt-r3-cross-signed.pem -storetype pkcs12 

Restart the application server to apply the changes.

If you have a cluster you will need to perform this action on each server or copy the final key stores to each server.

Install CA WebSphere Traditional 9.x

Manual Configuration

Log into the WebSphere console and expand the Security menu, then select the SSL certificate and key management menu item.

SSL certificate and key management

Click the Key stores and certificates menu item under the Related Items header.

Key stores and certificates

Click the CellDefaultTrustStore link.


Click the Signer certificates link under the Additional Properties header.

Signer certificates

Click the Receive from port button above the listed trust certificates.

Receive from port

Enter the following details:


Click the Retrieve signer information button to get the certification information and confirm that the server can reach the Sharptree API endpoint.

Retrieve signer information

Review the retrieved information and confirm that the Let's Encrypt CA was successfully retrieved, then click the OK button.

Review information and click OK

Click the Save link to save the changes and deploy them to the deployment manager nodes.


Scripted Configuration

Alternatively you can download the file attached to this article, copy it to the target WebSphere server, unzip it and then run the script.  You will be prompted for your WebSphere administrator user name and password, then the script will automatically perform the import as the example below shows.