[16.0.0.3 and later]

Setting up collectives with third-party certificates

SSL protects communication between controllers and members. Each server in a collective has its own identity, which is composed of its host name, user directory, and server name. Each server in a collective has two keystores, named serverIdentity.jks and collectiveTrust.jks by default. These keystores contain the SSL certificates that the server needs to declare its own identity and to establish secure communication with the other members and controllers in the collective. For applications to accept inbound HTTPS connections, each server has two more keystores, named key.jks and trust.jks by default.

Before you begin

You need to construct the Liberty collective. For more information, see Configuring a Liberty collective in the product documentation.

To establish a secure SSL connection between the collective controller and a collective member, a set of SSL certificates is created by the collective utility. The distinguished names (DN) of these certificates contain either OU=controllerRoot or OU=memberRoot, depending on whether the certificate is used on the collective controller side or on the collective member side. They are added to the respective keystores of the controller or the member. These certificates ensure that a secure SSL connection is established between the different constituents of a collective.

You can use SSL certificates signed by a third-party certificate authority (CA) to achieve the same secure SSL connection between the different Liberty servers of a collective.

rootKeys.jks
The keystore exists only on the collective controller side and contains two self-signed personal certificates with the alias names controllerroot and memberroot. The system uses these certificates to sign the collective controller personal certificates and the collective member personal certificates, respectively.
Note: You may optionally replace the certificates in rootKeys.jks with your own certificates that are signed by a certificate authority.
serverIdentity.jks
Keystore that contains the personal certificate of the controller on the controller side, and the personal certificate of the member on the member side; it is created automatically during the collective create operation. By default, the controller personal certificate is signed by controllerroot and the member personal certificate is signed by memberroot in rootKeys.jks.
collectiveTrust.jks
Truststore that contains the signer certificates that signed the controller and member personal certificates, for example, controllerroot and memberroot.
key.jks
Keystore that contains the personal certificate of the controller on the controller side, and the personal certificate of the member on the member side; it is created automatically during the collective create operation. By default, the controller personal certificate is signed by controllerroot and the member personal certificate is signed by memberroot.
trust.jks
Truststore that contains the signer certificates that signed the controller and member personal certificates, for example, controllerroot and memberroot.

The following image displays the controller and member certificates:

A diagram that displays the different keystores.

About this task

Configure and change a collective setup so that it can use SSL certificates that are signed by a third-party certificate authority. Add new configuration to the server.xml file to support SSL certificates that are signed by a third-party CA. This configuration identifies which of your certificates are used for collective operations when they are not the default ones.

Your configuration contains the following:
<collectiveCertificate rdn="name=value"></collectiveCertificate>.
name
Any attribute name in the certificate distinguished name
value
The value of that attribute in the distinguished name
For example, if the DN of your certificate appears as: DN: CN=companyName,OU=WebSphere,O=IBM, EMAIL=abcd@xyz.com, and you want to identify all certificates with EMAIL=abcd@xyz.com as collective certificates, you would use the following configuration:
<collectiveCertificate rdn="EMAIL=abcd@xyz.com"></collectiveCertificate>
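As an added example (not part of the IBM documentation and not Liberty's own matching code), the following Python models the rdn match described above: it parses certificate DNs, reads the rdn="name=value" setting, and reports which keystore entries would be identified as collective certificates. The keystore aliases and DNs are constructed sample data; the example assumes attribute names match case-insensitively and values must match exactly, which the page does not specify.

```python
import re

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514-style DN into (attribute, value) pairs.

    Handles backslash-escaped commas and the optional 'DN:' prefix seen in
    keytool-style output. Attribute names are uppercased; values keep case.
    """
    dn = dn.strip()
    if dn.upper().startswith("DN:"):
        dn = dn[3:].strip()
    # Split on commas that are not escaped with a backslash.
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        name, _, value = part.strip().partition("=")
        rdns.append((name.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns

def parse_rdn_config(rdn: str) -> tuple[str, str]:
    """Parse the rdn="name=value" attribute of <collectiveCertificate>."""
    name, sep, value = rdn.partition("=")
    if not sep or not name.strip() or not value.strip():
        raise ValueError(f"rdn must be name=value, got {rdn!r}")
    return name.strip().upper(), value.strip()

def is_collective_certificate(dn: str, rdn: str) -> bool:
    """True when the certificate DN carries the configured RDN (assumed:
    case-insensitive attribute name, exact value match)."""
    name, value = parse_rdn_config(rdn)
    return any(n == name and v == value for n, v in parse_dn(dn))

def select_collective_certificates(dns_by_alias: dict[str, str], rdn: str) -> list[str]:
    """Return the keystore aliases whose DN matches the configured rdn."""
    return [alias for alias, dn in dns_by_alias.items()
            if is_collective_certificate(dn, rdn)]

# Constructed sample: alias -> DN, as entries might appear in a keystore.
SAMPLE_KEYSTORE = {
    "controller": "DN: CN=companyName,OU=WebSphere,O=IBM, EMAIL=abcd@xyz.com",
    "member1": "CN=member1,OU=WebSphere,O=IBM,EMAIL=abcd@xyz.com",
    "webapp": "CN=www.example.com,O=Example\\, Inc.,EMAIL=ops@example.com",
}

if __name__ == "__main__":
    print(select_collective_certificates(SAMPLE_KEYSTORE, "EMAIL=abcd@xyz.com"))
```

Run against the sample, only the controller and member1 entries match; the application certificate with a different EMAIL value is left out, as the page's configuration intends.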

Procedure

  1. Setting up third party certificates while creating a new collective
  2. Setting up third party certificates for an existing collective




Last updated: Friday, 16 September 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-libcore-mp&topic=twlp_config_collective_3rd_party_cert
File name: twlp_config_collective_3rd_party_cert.html