![[16.0.0.3 and later]](../ng_v16003.gif)
Setting up collectives to work with certificate signed custom certificates
You can use an existing collective setup to work with a new set of third-party certificates. Retrieve your certificate with a custom distinguished name format and replace it manually.
About this task
To work with a custom certificate, you need to change the keystore and truststore that are displayed in the following image:
Procedure
- Retrieve two SSL certificates that are signed by a third-party CA. One certificate is for the collective controller and the other is for all the collective members; they are referred to as the controller personal certificate and the member personal certificate. The certificates are available in keystores controller_pers_cert.jks and member_pers_cert.jks and can be signed by the same third-party CA or different CAs.
- Retrieve the signer certificate of both controller personal certificate and member personal certificate. The certificates are available in files controller_signer_cert.cer and member_signer_cert.cer.
- Configure the collective controller side.
  - Go to directory {controller_server_dir}/resources/collective.
  - Remove the certificates that are in serverIdentity.jks.
  - Import the controller personal certificate to the serverIdentity.jks file. You can use the keytool utility, which is part of the JDK.
    {JDK_HOME}/bin/keytool -importkeystore -srckeystore controller_pers_cert.jks -destkeystore serverIdentity.jks
  - Remove the signers from collectiveTrust.jks.
  - Add the controller and member personal certificate signers to the collectiveTrust.jks file.
    {JDK_HOME}/bin/keytool -import -trustcacerts -file controller_signer_cert.cer -keystore collectiveTrust.jks -alias "controllerSignerAlias"
    {JDK_HOME}/bin/keytool -import -trustcacerts -file member_signer_cert.cer -keystore collectiveTrust.jks -alias "MemberSignerAlias"
  - Go to directory {controller_server_dir}/resources/security.
  - Replace the contents of key.jks with the contents of serverIdentity.jks.
  - Replace the contents of trust.jks with collectiveTrust.jks.
- Configure the collective member side.
  - Go to {member_server_dir}/resources/collective.
  - Remove the certificates in serverIdentity.jks.
  - Add the member personal certificate that is signed by the certificate authority to the serverIdentity.jks file.
    {JDK_HOME}/bin/keytool -importkeystore -srckeystore member_pers_cert.jks -destkeystore serverIdentity.jks
  - Replace the contents of key.jks with the contents of serverIdentity.jks.
  - Replace the contents of trust.jks and controllerTrust.jks with the contents of the respective trust stores in the controller.
Note: The rootkeys.jks file in the collective controller is used for collective join operations. Do not delete this file. You must manually change the certificates after each member is created.
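A consistency check for the finished procedure, added here as an example and not part of the product documentation. It assumes that each "replace the contents" step was done by copying the file (so the stores are byte-identical), that the member's key.jks and trust.jks are under resources/security as on the controller, and that rootkeys.jks is in the controller's resources/collective directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the keystore replacements after the manual procedure.
# Assumption: stores were replaced by file copy, so cmp(1) can compare them.

# same_store SRC DST: succeed only if both exist, are non-empty and identical.
same_store() {
    if [ ! -s "$1" ] || [ ! -s "$2" ]; then
        echo "MISSING OR EMPTY: $1 or $2" >&2; return 1
    fi
    if ! cmp -s "$1" "$2"; then
        echo "MISMATCH: $2 differs from $1" >&2; return 1
    fi
}

# check_controller CONTROLLER_SERVER_DIR
check_controller() {
    rc=0
    same_store "$1/resources/collective/serverIdentity.jks" \
               "$1/resources/security/key.jks" || rc=1
    same_store "$1/resources/collective/collectiveTrust.jks" \
               "$1/resources/security/trust.jks" || rc=1
    # rootkeys.jks must survive: it is used for collective join operations.
    [ -s "$1/resources/collective/rootkeys.jks" ] ||
        { echo "MISSING: rootkeys.jks (needed for join)" >&2; rc=1; }
    return $rc
}

# check_member CONTROLLER_SERVER_DIR MEMBER_SERVER_DIR
check_member() {
    rc=0
    ref="$1/resources/security/trust.jks"   # equals collectiveTrust.jks on the controller
    same_store "$2/resources/collective/serverIdentity.jks" \
               "$2/resources/security/key.jks" || rc=1
    same_store "$ref" "$2/resources/security/trust.jks" || rc=1
    # controllerTrust.jks: its directory is not stated on the page, so search for it
    # and report every copy that differs from the controller's trust store.
    stale=$(find "$2/resources" -name controllerTrust.jks ! -exec cmp -s "$ref" {} \; -print)
    [ -z "$stale" ] || { echo "MISMATCH: $stale" >&2; rc=1; }
    return $rc
}

# Stand-alone use: sh check_stores.sh {controller_server_dir} {member_server_dir}
if [ "$#" -eq 2 ]; then
    check_controller "$1" && check_member "$1" "$2" && echo "OK: stores are consistent"
fi
```

Run it once per member, since the Note above requires the certificates to be changed manually after each member is created.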