[16.0.0.3 and later]

Setting up collectives to work with CA-signed custom certificates

You can use an existing collective setup to work with a new set of third-party certificates. Retrieve your certificates with a custom distinguished name format and replace the existing ones manually.

About this task

To work with a custom certificate, you must change the keystores and truststores that are shown in the following image:

A diagram that displays the collective keystores that need to be changed

Procedure

  1. Retrieve two SSL certificates that are signed by a third-party CA: one for the collective controller (the controller personal certificate) and one shared by all collective members (the member personal certificate). The certificates are in the keystores controller_pers_cert.jks and member_pers_cert.jks and can be signed by the same third-party CA or by different CAs.
  2. Retrieve the signer certificate of both the controller personal certificate and the member personal certificate. The signer certificates are in the files controller_signer_cert.cer and member_signer_cert.cer.
  3. Configure the collective controller side.
    1. Go to the directory {controller_server_dir}/resources/collective.
    2. Remove the certificates that are in serverIdentity.jks.
    3. Import the controller personal certificate into the serverIdentity.jks file. You can use the keytool utility, which is part of the JDK.
      {JDK_HOME}/bin/keytool -importkeystore -srckeystore controller_pers_cert.jks -destkeystore serverIdentity.jks
    4. Remove the signers from collectiveTrust.jks.
    5. Add the controller and member personal certificate signers to the collectiveTrust.jks file.
      {JDK_HOME}/bin/keytool -import -trustcacerts -file controller_signer_cert.cer -keystore collectiveTrust.jks -alias "controllerSignerAlias"
      {JDK_HOME}/bin/keytool -import -trustcacerts -file member_signer_cert.cer -keystore collectiveTrust.jks -alias "MemberSignerAlias"
    6. Go to the directory {controller_server_dir}/resources/security.
    7. Replace the contents of key.jks with the contents of serverIdentity.jks.
    8. Replace the contents of trust.jks with the contents of collectiveTrust.jks.
  4. Configure the collective member side.
    1. Go to the directory {member_server_dir}/resources/collective.
    2. Remove the certificates that are in serverIdentity.jks.
    3. Add the member personal certificate that is signed by the certificate authority to the serverIdentity.jks file.
      {JDK_HOME}/bin/keytool -importkeystore -srckeystore member_pers_cert.jks -destkeystore serverIdentity.jks
    4. Replace the contents of key.jks with the contents of serverIdentity.jks.
    5. Replace the contents of trust.jks and controllerTrust.jks with the contents of the respective trust stores in the controller.
    Note: The rootkeys.jks file in the collective controller is used for collective join operations. Do not delete this file. You must manually change the certificates after each member is created.
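The controller-side steps (3.1 to 3.8) as a script, added here as an example and not part of the IBM documentation. It assumes JDK_HOME points at a JDK, that every keystore (controller_pers_cert.jks included) uses the single password passed in the STOREPASS environment variable, and that the .jks and .cer input files are in the current directory; the closing check that key.jks holds exactly one private key is also an addition.

```shell
#!/bin/sh
# Added example (not from the IBM page): drives controller-side steps 3.1 to
# 3.8 with keytool. Assumptions: JDK_HOME points at a JDK; every keystore,
# controller_pers_cert.jks included, uses the one password in STOREPASS; the
# .jks and .cer inputs are in the current directory.
set -eu
KEYTOOL="${KEYTOOL:-${JDK_HOME:-/usr}/bin/keytool}"

# Remove every key and trusted-certificate entry from a keystore (steps 3.2
# and 3.4). keytool -list prints one "alias, date, EntryType," line per entry;
# grep drops the fingerprint lines. Aliases containing a comma are not handled.
clear_keystore() { # $1 keystore, $2 password
  "$KEYTOOL" -list -keystore "$1" -storepass "$2" \
    | grep -E 'PrivateKeyEntry|trustedCertEntry' | cut -d, -f1 \
    | while IFS= read -r entry; do
        "$KEYTOOL" -delete -alias "$entry" -keystore "$1" -storepass "$2"
      done
}

# Import one CA signer certificate under a fixed alias (step 3.5).
import_signer() { # $1 .cer file, $2 truststore, $3 alias, $4 password
  "$KEYTOOL" -import -trustcacerts -noprompt -file "$1" \
    -keystore "$2" -alias "$3" -storepass "$4"
}

configure_controller() { # $1 controller server dir, $2 keystore password
  coll="$1/resources/collective"; sec="$1/resources/security"
  clear_keystore "$coll/serverIdentity.jks" "$2"                   # 3.2
  "$KEYTOOL" -importkeystore -noprompt \
    -srckeystore controller_pers_cert.jks -srcstorepass "$2" \
    -destkeystore "$coll/serverIdentity.jks" -deststorepass "$2"   # 3.3
  clear_keystore "$coll/collectiveTrust.jks" "$2"                  # 3.4
  import_signer controller_signer_cert.cer "$coll/collectiveTrust.jks" \
    controllerSignerAlias "$2"                                     # 3.5
  import_signer member_signer_cert.cer "$coll/collectiveTrust.jks" \
    MemberSignerAlias "$2"
  cp "$coll/serverIdentity.jks" "$sec/key.jks"                     # 3.7
  cp "$coll/collectiveTrust.jks" "$sec/trust.jks"                  # 3.8
  # Check: the identity store must now hold exactly one private key.
  n=$("$KEYTOOL" -list -keystore "$sec/key.jks" -storepass "$2" \
      | grep -c PrivateKeyEntry || true)
  [ "$n" -eq 1 ] || { echo "key.jks holds $n private keys, expected 1" >&2; return 1; }
}

# Usage: STOREPASS=... sh setup_controller_certs.sh /path/to/controller_server
if [ "$#" -eq 1 ] && [ -n "${STOREPASS:-}" ]; then
  configure_controller "$1" "$STOREPASS"
fi
```

The password is read from the environment rather than the command line so that it does not appear in the process list; the member side (step 4) follows the same pattern with member_pers_cert.jks and a copy of the controller's trust stores.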

Last updated: Friday, 16 September 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-libcore-mp&topic=twlp_collect_setup_custom
File name: twlp_collect_setup_custom.html