You can configure Transport Layer Security
(TLS) by modifying or replacing the keystore and truststore, and choosing
the certificate alias for your configuration.
Before you begin
- You must have a data grid application that uses WebSphere® DataPower® XC10 Appliance.
- You must be assigned the Appliance administration permission.
- You must have a keystore or truststore with the associated passwords
that you want to add to the appliance configuration. If you want to
modify the existing truststore, you can download the truststore from
the appliance. You must update the truststore with the public certificates
of the clients. For more information, see Configuring Transport Layer Security (TLS) for WebSphere Application Server.
- You must have access to the keytool tool. This
tool is in the java_home/bin directory.
About this task
The appliance must trust the clients that are connecting
to the data grid. The TLS settings apply to the user interface and
data grids. The settings are applied to all of the appliances in the
collective.
Procedure
- Download the active truststore. In the user
interface, click . Click Download active
truststore, and remember the location that you saved the
file on disk, for example in the /downloads/trustStore.jks directory.
- If necessary, create a certificate and export the public
certificate.
- Create a private key in the keystore. The
following command creates the key.jks keystore
with a key, "ogsample", stored in it. This key.jks keystore
is used as the SSL keystore. Run the following command:
keytool -genkey -alias ogsample -keystore key.jks -storetype JKS -keyalg rsa
-dname "CN=ogsample, OU=Your Organizational Unit, O=Your Organization, L=Your City, S=Your State, C=Your Country" -storepass ogpass -keypass ogpass -validity 3650
- Export the public certificate. The following
command extracts the public certificate of the key "ogsample" and stores
the certificate in the temp.key file.
keytool -export -alias ogsample -keystore key.jks -file temp.key -storepass ogpass
- Add the client certificate to the truststore. Run
the keytool tool to import the client public certificate
to the truststore.
keytool -import -noprompt -alias "ogsample" -keystore /downloads/trustStore.jks
-file temp.key -storepass xc10pass -storetype jks
- Upload truststore information to the appliance. In
the user interface, click . Upload the updated /downloads/trustStore.jks file.
Click Submit TLS settings to save your configuration.
- Update the client.properties file. For more information on where to locate this file and the properties
in this file, see Client properties file. Set the
following properties in the client.properties file.
securityEnabled=true
transportType=SSL-Required
alias=ogsample
contextProvider=IBMJSSE2
protocol=TLS
keyStoreType=JKS
keyStore=key.jks
keyStorePassword=ogpass
trustStoreType=JKS
trustStore=/downloads/trustStore.jks
trustStorePassword=xc10pass
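The keytool steps of this procedure and the client.properties step as a script, added here as an example and not taken from the IBM documentation. It uses the page's sample alias, file names and passwords; the explicit -keysize 2048 is an assumption (the page's command sets no key size), and the two check functions (fingerprint comparison between key.jks and the truststore, and a sanity check of client.properties) are additions.

```shell
#!/bin/sh
# Added example, not from the IBM page: the page's keytool steps as shell
# functions plus two checks. Alias, file names and passwords are the page's
# sample values; -keysize 2048 is an assumption (the page sets no key size).
set -eu
KEY_ALIAS=ogsample
KEYSTORE=key.jks
KEYPASS=ogpass
TRUSTSTORE=/downloads/trustStore.jks   # truststore downloaded from the appliance
TRUSTPASS=xc10pass

# Step 2a: client private key and self-signed certificate in key.jks.
make_client_key() {
  keytool -genkey -alias "$KEY_ALIAS" -keystore "$KEYSTORE" -storetype JKS \
    -keyalg rsa -keysize 2048 -validity 3650 \
    -dname "CN=$KEY_ALIAS, OU=Your Organizational Unit, O=Your Organization, L=Your City, S=Your State, C=Your Country" \
    -storepass "$KEYPASS" -keypass "$KEYPASS"
}
# Step 2b: export only the public certificate; the private key stays in key.jks.
export_cert() {
  keytool -export -alias "$KEY_ALIAS" -keystore "$KEYSTORE" -file temp.key -storepass "$KEYPASS"
}
# Step 3: add the client certificate to the truststore that is uploaded to the appliance.
import_to_truststore() {
  keytool -import -noprompt -alias "$KEY_ALIAS" -keystore "$TRUSTSTORE" \
    -file temp.key -storepass "$TRUSTPASS" -storetype jks
}
# Check 1: the fingerprint under the alias in the truststore matches the key in key.jks.
fingerprint() { keytool -list -alias "$KEY_ALIAS" -keystore "$1" -storepass "$2" | sed -n 's/.*fingerprint ([A-Z0-9-]*): //p'; }
verify_truststore() {
  ks=$(fingerprint "$KEYSTORE" "$KEYPASS"); ts=$(fingerprint "$TRUSTSTORE" "$TRUSTPASS")
  [ -n "$ks" ] && [ "$ks" = "$ts" ]
}
# Check 2: client.properties (step 5) names every TLS property, requires SSL,
# and points at keystore/truststore files that exist.
prop() { sed -n "s/^$2=//p" "$1" | head -n 1; }
check_client_properties() {
  for k in securityEnabled transportType alias contextProvider protocol keyStoreType \
           keyStore keyStorePassword trustStoreType trustStore trustStorePassword; do
    grep -q "^$k=" "$1" || { echo "missing $k" >&2; return 1; }
  done
  [ "$(prop "$1" transportType)" = "SSL-Required" ] || { echo "transportType must be SSL-Required" >&2; return 1; }
  [ -f "$(prop "$1" keyStore)" ] || { echo "keyStore file not found" >&2; return 1; }
  [ -f "$(prop "$1" trustStore)" ] || { echo "trustStore file not found" >&2; return 1; }
}

# Run the keytool steps only when keytool and the downloaded truststore are present.
if command -v keytool >/dev/null 2>&1 && [ -f "$TRUSTSTORE" ]; then
  make_client_key && export_cert && import_to_truststore && verify_truststore
fi
```

Run check_client_properties against the client.properties you edited in step 5; a non-zero exit names the first property or file that is wrong.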
What to do next
- Restart the application with the new configuration to connect
with Transport Layer Security.