[16.0.0.3 and later]

Setting up third-party certificates for an existing collective

You can set up third-party certificates for an existing collective.

About this task

To set up third-party certificates for an existing collective, you need to change the keystores and truststores that are shown in the following diagram:

[Diagram: the collective keystores that need to be changed]
Tip: You can find the keytool utility in your Java™ installation directory.
Important: All members and controllers must use CA-signed certificates. Convert every server in the collective; a controller or member that is left with its original certificates cannot be trusted by the others.

Procedure

  1. Retrieve SSL personal certificates for the controller and for the members that are signed by a third-party CA. For example, the certificates are available in the keystores controller_pers_cert.jks and member_pers_cert.jks.
  2. Retrieve the signer certificates of both the controller personal certificate and the member personal certificates. For example, the certificates are available in the files controller_signer_cert.cer and member_signer_cert.cer.
  3. Configure the collective controller side.
    1. Stop the controller and members.
    2. Go to the {controller_server_dir}/resources/collective directory.
    3. Remove the certificates that are in serverIdentity.jks.
    4. Import the controller personal certificate into the serverIdentity.jks file. You can use the keytool utility, which is part of the JDK.
      keytool -importkeystore -srckeystore controller_pers_cert.jks -destkeystore serverIdentity.jks
    5. Remove the signers from collectiveTrust.jks.
    6. Add the controller and member personal certificate signers to the collectiveTrust.jks file.
      keytool -import -trustcacerts -file controller_signer_cert.cer -keystore collectiveTrust.jks -alias "controllerSignerAlias"
      keytool -import -trustcacerts -file member_signer_cert.cer -keystore collectiveTrust.jks -alias "MemberSignerAlias"
    7. Go to the {controller_server_dir}/resources/security directory.
    8. Replace the contents of key.jks with the contents of serverIdentity.jks.
    9. Replace the contents of trust.jks with collectiveTrust.jks.
    10. Start the collective controller.
  4. Configure each collective member side.
    1. For the member, retrieve a personal certificate that is signed by the member signer CA. You can use one personal certificate for all members or a different certificate for each member. For example, the certificate is available in member_pers_cert.jks.
    2. Go to {member_server_dir}/resources/collective.
    3. Remove the certificates in serverIdentity.jks.
    4. Add the member personal certificate that is signed by the certificate authority to the serverIdentity.jks file.
      keytool -importkeystore -srckeystore member_pers_cert.jks -destkeystore serverIdentity.jks
    5. Remove the signers from collectiveTrust.jks.
    6. Add the controller certificate signer to the collectiveTrust.jks file. (The command here imports the signer certificate, not the member personal keystore that was imported in the previous step.)
      keytool -import -trustcacerts -file controller_signer_cert.cer -keystore collectiveTrust.jks -alias "controllerSignerAlias"
    7. Go to the {member_server_dir}/resources/security directory and replace the contents of key.jks with the contents of serverIdentity.jks.
    8. Replace the contents of {member_server_dir}/resources/security/trust.jks and {member_server_dir}/resources/collective/controllerTrust.jks with the contents of the corresponding truststores on the controller.
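The whole procedure for one controller and one member, as an added POSIX shell script that is not part of the Liberty product or its documentation. It runs the same keytool steps as the numbered list above, with the passwords supplied on the command line so keytool does not prompt, and keeps a backup of every keystore it overwrites. The server directories, the single password shared by all keystores, and the directory holding the CA-issued files are assumptions set at the top; the final check that each side's personal certificate chains to a signer the other side trusts is an addition the page does not describe.

```shell
#!/bin/sh
# Added example: scripted form of the procedure above for one controller and one member.
# Not part of the Liberty product or its documentation. Lines marked ASSUMPTION are not
# given on the page: adjust them for your installation.
set -eu

STOREPASS="${STOREPASS:-changeit}"                                    # ASSUMPTION: all .jks files share one password
CONTROLLER_DIR="${CONTROLLER_DIR:-/opt/wlp/usr/servers/controller1}"  # ASSUMPTION: {controller_server_dir}
MEMBER_DIR="${MEMBER_DIR:-/opt/wlp/usr/servers/member1}"              # ASSUMPTION: {member_server_dir}
CERT_DIR="${CERT_DIR:-$PWD}"                                          # ASSUMPTION: where the CA-issued files were saved

# Steps 3.3, 3.5, 4.3, 4.5: empty a keystore entry by entry, so the file keeps its type and password.
clear_keystore() {  # $1 = keystore
  keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
    | awk -F, '/PrivateKeyEntry|trustedCertEntry/ { print $1 }' \
    | while IFS= read -r entry; do
        keytool -delete -alias "$entry" -keystore "$1" -storepass "$STOREPASS"
      done
}

# Steps 3.4 and 4.4: copy the CA-signed personal certificate and its private key into serverIdentity.jks.
# The source keystore should hold only that one entry; -importkeystore copies everything it contains.
install_identity() {  # $1 = source keystore, $2 = serverIdentity.jks
  clear_keystore "$2"
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstorepass "$STOREPASS" \
    -destkeystore "$2" -deststorepass "$STOREPASS" -deststoretype JKS
}

# Steps 3.6 and 4.6: replace the signers in a truststore with the given alias=file pairs.
install_signers() {  # $1 = truststore, $2.. = alias=signer.cer
  store="$1"; shift
  clear_keystore "$store"
  for pair in "$@"; do
    keytool -import -noprompt -trustcacerts -alias "${pair%%=*}" -file "${pair#*=}" \
      -keystore "$store" -storepass "$STOREPASS" -storetype JKS
  done
}

# Steps 3.8, 3.9, 4.7, 4.8: overwrite a keystore file, keeping a backup of what was there.
replace_store() {  # $1 = source, $2 = destination
  [ -f "$2" ] && cp "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"
  cp "$1" "$2"
}

# Added check: the issuer of the first certificate in $1 must appear as an Owner (signer) in $2.
# It compares the DN strings that keytool -list -v prints, which are formatted the same way on both sides.
issuer_is_trusted() {  # $1 = identity store, $2 = truststore
  issuer=$(keytool -list -v -keystore "$1" -storepass "$STOREPASS" | sed -n 's/^Issuer: //p' | head -n 1)
  [ -n "$issuer" ] || return 1
  keytool -list -v -keystore "$2" -storepass "$STOREPASS" | grep -Fxq "Owner: $issuer"
}

configure_controller() {  # step 3, with the controller and members already stopped
  coll="$CONTROLLER_DIR/resources/collective"; sec="$CONTROLLER_DIR/resources/security"
  install_identity "$CERT_DIR/controller_pers_cert.jks" "$coll/serverIdentity.jks"
  install_signers "$coll/collectiveTrust.jks" \
    "controllerSignerAlias=$CERT_DIR/controller_signer_cert.cer" \
    "MemberSignerAlias=$CERT_DIR/member_signer_cert.cer"
  replace_store "$coll/serverIdentity.jks" "$sec/key.jks"
  replace_store "$coll/collectiveTrust.jks" "$sec/trust.jks"
}

configure_member() {  # step 4; runs after configure_controller because step 4.8 copies from the controller
  coll="$MEMBER_DIR/resources/collective"; sec="$MEMBER_DIR/resources/security"
  install_identity "$CERT_DIR/member_pers_cert.jks" "$coll/serverIdentity.jks"
  install_signers "$coll/collectiveTrust.jks" "controllerSignerAlias=$CERT_DIR/controller_signer_cert.cer"
  replace_store "$coll/serverIdentity.jks" "$sec/key.jks"
  replace_store "$CONTROLLER_DIR/resources/security/trust.jks" "$sec/trust.jks"
  replace_store "$CONTROLLER_DIR/resources/collective/controllerTrust.jks" "$coll/controllerTrust.jks"
}

# Each side's personal certificate must chain to a signer the other side trusts,
# otherwise the controller-member TLS handshake fails after the restart.
verify_collective_trust() {
  issuer_is_trusted "$CONTROLLER_DIR/resources/collective/serverIdentity.jks" \
                    "$MEMBER_DIR/resources/collective/collectiveTrust.jks" &&
  issuer_is_trusted "$MEMBER_DIR/resources/collective/serverIdentity.jks" \
                    "$CONTROLLER_DIR/resources/collective/collectiveTrust.jks"
}

# Usage: STOREPASS=... CONTROLLER_DIR=... MEMBER_DIR=... CERT_DIR=... sh setup_collective_certs.sh apply
if [ "${1:-}" = "apply" ]; then
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; it is in the JDK bin directory" >&2; exit 1; }
  configure_controller
  configure_member
  if verify_collective_trust; then
    echo "keystores updated; start the controller, then the members"
  else
    echo "trust check failed: a personal certificate does not chain to a trusted signer" >&2; exit 1
  fi
fi
```

If the private key in controller_pers_cert.jks or member_pers_cert.jks is protected by a key password that differs from the store password, add -srckeypass and -destkeypass to the -importkeystore call, and keep the destination key password equal to the password that server.xml configures for key.jks. For more than one member, call configure_member once per member directory; when each member has its own personal certificate, point CERT_DIR at that member's files for the call.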


File name: tagt_wlp_setup_exist_collective.html