FileNet P8 Content Search Engine, Operating systems: AIX, Linux, Linux on System z, Solaris, Windows

Deploying a self-signed certificate on the IBM Content Search Services server

You can deploy a self-signed certificate to the keystore on the IBM® Content Search Services server to secure its communication with Content Platform Engine. If you deploy a self-signed certificate, you do not need to deploy a third-party certificate.

Procedure

To deploy a self-signed certificate:

  1. Stop the IBM Content Search Services server if it is running.
  2. From the command line on the server, set the path to your JRE\bin directory. For example, set the path by entering the following command:
    set PATH=C:\YourJRE\bin;%PATH%
  3. Navigate to the folder YourCSSfolder\bin. YourCSSfolder is the folder where you installed IBM Content Search Services. For example, YourCSSfolder might be C:\Program Files\IBM\Content Search Services\CSS Server.
  4. Generate a self-signed server certificate by entering one of the following commands, depending on the type of the application server where Content Platform Engine is deployed:
    • WebSphere® Application Server:
      keytool -genkey -alias YourSelfSignedAlias ^
      -keypass YourKeyPassword -keystore selfsignedServerStore ^
      -storepass YourStorePassword -validity NumberOfDays ^
      -dname "CN=YourHostName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
    • WebLogic Server:
      keytool -genkey -alias YourSelfSignedAlias ^
      -keypass YourKeyPassword -keystore selfsignedServerStore ^
      -storepass YourStorePassword -validity NumberOfDays ^
      -dname "CN=YourHostName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keyalg RSA
    • JBoss Application Server:
      keytool -genkey -alias YourSelfSignedAlias ^
      -keypass YourKeyPassword -keystore selfsignedServerStore ^
      -storepass YourStorePassword -validity NumberOfDays ^
      -dname "CN=YourHostName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keyalg RSA
    Restriction: If you plan to verify the host name later, you must include the -dname parameter in the command:
    -dname "CN=YourHostName, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

    In the following example of this command, the application server type is WebSphere Application Server, the keystore password and the certificate password are changeit, the certificate validity period is 3650 days (10 years), and the host name is Host1:

    keytool -genkey -alias YourSelfSignedAlias ^
    -keypass changeit -keystore selfsignedServerStore ^
    -storepass changeit -validity 3650 ^
    -dname "CN=Host1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
  5. Verify that the certificate was created in the keystore by entering the following command:
    keytool -list -v -keystore selfsignedServerStore -storepass YourStorePassword
  6. Deploy the keystore by entering the following command:
    configTool.bat set -system -configPath YourCSSfolder\config ^
    -keyStoreName PathToYourKeyStore\selfsignedServerStore ^
    -keyStorePassword YourStorePassword

    In the following example of this command, YourCSSfolder is C:\Program Files\IBM\Content Search Services\CSS Server, PathToYourKeyStore is C:\Program Files\IBM\Content Search Services\CSS Server\bin, and YourStorePassword is changeit:

    configTool.bat set -system ^
    -configPath "C:\Program Files\IBM\Content Search Services\CSS Server\config" ^
    -keyStoreName "C:\Program Files\IBM\Content Search Services\CSS Server\bin\selfsignedServerStore" ^
    -keyStorePassword changeit
  7. Start the IBM Content Search Services server.
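
The verification in step 5 and the host name restriction in step 4 can be checked mechanically. The following Python script is an added example, not part of the IBM documentation: it parses `keytool -list -v` output and reports whether each entry holds a private key, has a CN matching the expected host name, and is inside its validity period. It assumes English-locale keytool output with the field labels shown in the constructed sample; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of English-locale `keytool -list -v` output (not from a real server).
SAMPLE = """\
Alias name: yourselfsignedalias
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Host1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Host1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Thu Oct 01 10:00:00 UTC 2015 until: Sun Sep 28 10:00:00 UTC 2025
"""

def _java_date(text):
    # Java prints "EEE MMM dd HH:mm:ss zzz yyyy". The zone token is dropped because
    # strptime cannot parse it portably, so the result is accurate to within a day.
    p = text.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_entries(listing):
    """Split the listing into one dict per alias, keyed by keytool's field labels."""
    entries = []
    for line in listing.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "Alias name":
            entries.append({})
        if entries:
            # setdefault keeps the first (leaf) certificate's fields in a chain
            entries[-1].setdefault(key, value.strip())
    return entries

def check_entry(entry, host, now):
    """Return the problems found for one keystore entry; an empty list means it passed."""
    problems = []
    if entry.get("Entry type") != "PrivateKeyEntry":
        problems.append("no private key in entry")
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", entry.get("Owner", ""))
    if not cn or cn.group(1).strip().lower() != host.lower():
        problems.append("CN does not match host name")
    start, _, end = entry.get("Valid from", "").partition(" until: ")
    if not end or not (_java_date(start) <= now <= _java_date(end)):
        problems.append("outside validity period")
    return problems

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["Alias name"], check_entry(e, "Host1", datetime.now()) or "OK")
```

To check a real keystore, replace SAMPLE with the text produced by the step 5 command.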


Last updated: October 2015

© Copyright IBM Corporation 2013, 2015.