[16.0.0.3 and later]

Setting up third-party certificates while creating a new collective

You can set up third-party certificates while creating a new collective by using an existing third-party certificate.

About this task

To set up third-party certificates while creating a new collective, you need to change the keystores and truststores. The keystores and truststores that need to be changed are displayed in the following image:

A diagram that displays the collective keystores that need to be changed.

Use the following procedure to both create the controller and create the member.
Important: All members and controllers must use CA certificates.

Procedure

  1. Create a controller.

    For more information, see Configuring a Liberty collective in the product documentation.

    Important: Do not delete the rootkeys.jks keystore. You can optionally replace the certificates in the rootkeys.jks keystore with your own certificates. The certificate with the memberroot alias in the rootkeys.jks keystore is used to sign the member personal certificate during the collective join operation.
    1. Create a personal certificate for the controller.
    2. Remove the certificates in the key.jks keystore and the serverIdentity.jks keystore. Replace the certificates with the personal certificate that you created in the previous step.
    3. Remove all the certificates in the trust.jks truststore and the collectiveTrust.jks truststore, and replace them with the signers of the controller personal certificates.
    4. Add the signers of the member personal certificates to the trust.jks truststore and the collectiveTrust.jks truststore.
    5. Start the controller.
  2. Create a member.
    Important: After the join operation, you can manually replace the certificates on the member side by following the steps to create a member.
    1. Perform the collective join operation.
    2. Obtain a personal certificate for the member.
    3. Remove the certificates in the member key.jks keystore and serverIdentity.jks keystore, and replace them with the member personal certificate.
    4. Ensure that the trust.jks truststore and the collectiveTrust.jks truststore on both the controller and the member contain only the signers of the controller and member personal certificates.
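
One way to carry out the final check, as an added example that is not part of the product documentation: the function below reads non-verbose `keytool -list` output and compares each entry's SHA-256 fingerprint with an allow-list of the controller and member signer fingerprints. The function name, report labels, allow-list file, aliases and shortened fingerprints are assumptions constructed for illustration.

```shell
# Added example (not IBM code). Reads `keytool -list` output on stdin and checks
# it against an allow-list file of SHA-256 signer fingerprints, one per line.
# Real use (path and password variable are placeholders):
#   keytool -list -keystore trust.jks -storepass "$STOREPASS" | audit_truststore allowed.txt
audit_truststore() {
  awk -v allowed_file="$1" '
    BEGIN {
      while ((getline line < allowed_file) > 0) {
        gsub(/[ \t\r]/, "", line)
        if (line != "") allowed[toupper(line)] = 1
      }
    }
    # Entry line: "<alias>, <date>, <entry type>, "
    /, (trustedCertEntry|PrivateKeyEntry),[ \t]*$/ {
      alias = $0; sub(/,.*/, "", alias)
      type = $0; sub(/,[ \t]*$/, "", type); sub(/.*, /, "", type)
      next
    }
    /^Certificate fingerprint \(SHA-?256\): / {
      fp = $0; sub(/^[^:]*: /, "", fp); gsub(/[ \t\r]/, "", fp)
      fp = toupper(fp); seen[fp] = 1
      # A truststore should hold signer certificates only, never a private key.
      if (type != "trustedCertEntry") { print "UNEXPECTED_TYPE " alias " " type; bad = 1 }
      else if (!(fp in allowed)) { print "UNEXPECTED_SIGNER " alias " " fp; bad = 1 }
    }
    END {
      for (f in allowed) if (!(f in seen)) { print "MISSING_SIGNER " f; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample listing; aliases and (shortened) fingerprints are made up.
sample_listing() {
  cat <<'EOF'
Keystore type: JKS
Your keystore contains 3 entries
controller_ca, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): C0:C0:C0:C0
member_ca, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): 3E:3E:3E:3E
leftover, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): DE:FA:17:00
EOF
}

allowed=$(mktemp)
printf '%s\n' 'C0:C0:C0:C0' '3E:3E:3E:3E' > "$allowed"
sample_listing | audit_truststore "$allowed" || echo "truststore does not match the allow-list"
rm -f "$allowed"
```

Run it against trust.jks and collectiveTrust.jks on both the controller and the member; a clean store produces no output and exit status 0.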
