To secure the Content Platform Engine server end of the communication with another server, you need to deploy the self-signed certificate that you generated on the other server into the keystore on the Content Platform Engine server.
Before you begin
Ensure that WebSphere® Deployment Manager and the WebSphere node agent are running and that all instances of Content Platform Engine are stopped.
Procedure
To deploy a self-signed certificate on Content Platform Engine:
- From the command line on the IBM® Content Search Services server, navigate to the YourCSSfolder\bin folder. YourCSSfolder is the folder where you installed IBM Content Search Services.
- Export the certificate to a file by running the following command:
  keytool -export -alias YourSelfSignedAlias -keypass YourKeyPassword -keystore selfSignedServerStore -storepass YourStorePassword -file selfSignedCert.cer
- Copy the selfSignedCert.cer file to a folder on the Content Platform Engine server, for example, C:\IBM\cssKeystore.
- On the Content Platform Engine server, log on to the WebSphere Integrated Solutions Console.
- Navigate to .
- Navigate to the signer certificates page, depending on the type of your WebSphere installation:
  Option | Description
  WebSphere base edition or stand-alone environment |
  WebSphere ND |
- Click Add.
- Type a certificate alias (for example, YourAlias) in the Alias field. The alias is how the certificate is referenced in the keystore. The alias you enter must differ from any existing alias in the keystore.
- In the File Name field, type the file name and path to where the certificate is located (for example, C:\IBM\cssKeystore\selfSignedCert.cer).
- In the Data Type field, select Base64-encoded ASCII data.
- Click Apply and then click Save to save your changes to the master configuration of WebSphere.
- Navigate to .
- For each server instance (for example, server1, server2,...) complete the following substeps to set Java™ system parameters on the Content Platform Engine application server and to change the keystore type to pkcs12:
  - Navigate to and add these two parameters in the Generic JVM arguments field:
    - -Djavax.net.ssl.trustStore=path_to_WebSphere_default_trustStore
      For example:
      -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\MyServerCell01\trust.p12
      MyServerCell01 should reflect the value in your environment.
    - -Djavax.net.ssl.trustStorePassword=WebSphere_trustStore_password
      For example:
      -Djavax.net.ssl.trustStorePassword=WebAS
      Note that WebAS is the default password for the default truststore in WebSphere.
  - In the WAS_HOME/java/jre/lib/security/java.security file, set the keystore type to pkcs12:
    keystore.type=pkcs12
    If your application server is clustered, repeat this java.security file edit on each Content Platform Engine node in the cluster.
- If your application server is clustered, synchronize your changes to all the nodes in the cluster:
  - Navigate to .
  - Select all the nodes in the cluster, and then click Full Resynchronize.
- In a command window, stop WebSphere Deployment Manager. When the stop command completes, restart WebSphere Deployment Manager:
  stopManager.bat -username username -password password
  startManager.bat
- Restart the node agents:
  - Log on to the WebSphere Integrated Solutions Console.
  - Navigate to .
  - Select all the node agents, and then click Restart.
- Restart the Content Platform Engine instances on the application server.
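
A check for the exported file before it is added as a signer certificate, given here as an added example that is not part of the IBM procedure: it reports whether selfSignedCert.cer is Base64 (PEM) or binary DER (keytool -export writes binary DER unless -rfc is given), rejects a truncated copy, and returns the SHA-256 fingerprint so the file can be compared on both servers. The function names and SAMPLE_DER, a constructed stand-in rather than a real certificate, are assumptions of this example.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in (a DER SEQUENCE header plus filler), not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def der_length(der: bytes) -> int:
    """Total size the outer DER SEQUENCE header claims; detects truncated copies."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("no DER SEQUENCE header: not an X.509 certificate")
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_cert(data: bytes) -> tuple[str, str]:
    """Return (encoding, SHA-256 fingerprint) of an exported certificate file."""
    match = PEM_RE.search(data)
    if match:
        encoding = "base64-ascii"          # the Base64-encoded ASCII data type
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    else:
        encoding = "binary-der"
        der = data
    if der_length(der) != len(der):
        raise ValueError("length mismatch: file truncated or altered in transit")
    digest = hashlib.sha256(der).hexdigest().upper()
    return encoding, ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print(*inspect_cert(raw), sep="\n")
```

Run it with the path to the copied file on the Content Platform Engine server and compare the fingerprint with the SHA-256 value that keytool -list -v shows for the alias in the source keystore.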