1. Replacing Default SSL Certificates

The communication between the MDM and the DWC, and between the MDM and the DAs, is protected with SSL (TLS v1.2) over TCP/IP. IWA ships default self-signed certificates (generated by IBM) with the product, and every component uses them out of the box to establish the SSL connection. Those defaults encrypt the connection but do not let a component verify that the peer is the intended server, because they were not issued for your servers by a CA you trust. To enhance security they must be replaced with certificates signed by a commercial CA (Certificate Authority), one for each server in the environment. The following sections describe the procedure to replace the various certificates.

1.1 Overview of SSL in IWA

IWA uses IBM WebSphere Application Server Liberty Profile (WLP) for both the frontend web user interface and the backend engine, so there are two WLP instances: one serving the DWC and one serving the MDM. The SSL implementation in WLP for the DWC and the MDM requires two stores to be present: a KeyStore, which holds the server's private key and certificate, and a TrustStore, which holds the certificates the server trusts.
SSL certificates are imported into the KeyStore of each profile; the public certificates are then extracted from it and imported into the TrustStores of the components that need to trust that server. The stores use different formats for compatibility and security reasons and are used by different components: the MDM and DWC WLP servers use JKS stores, the Dynamic Agent uses a CMS key database (.kdb) together with a JKS copy of it, and the MDM to FTA link uses OpenSSL key and certificate files (see sections 1.3, 1.6 and 1.7).

The file extensions used in this document signify the type of certificate or key a file contains: .jks (Java KeyStore), .kdb (CMS key database handled by GSKit), .sth (stash file holding the obfuscated password of the accompanying store; because it opens the store, protect it with the same file permissions as the private key), .csr (certificate signing request), .cer/.crt (X.509 certificate, either a CA certificate or a signed server certificate), .pub.cer/.pub.crt (the exported public certificate of a server or agent), .key (OpenSSL private key) and .arm (base64 certificate export produced by the IBM key management tools).
1.2 Replacing Certificates used by MDM and DWC

The MDM and the DWC each have one KeyStore and one TrustStore in JKS format. They are located in the following directories:

   MDM: /opt/IBM/IWA/IWS/usr/servers/engineServer/resources/security
   DWC: /opt/IBM/IWA/DWC/usr/servers/dwcServer/resources/security

   Default KeyStore: TWSServerKeyFile.jks
   Default TrustStore: TWSServerTrustFile.jks

KeyStore: contains the private key and certificate of the server, plus the Root and Intermediate public certificates of the CA that signed the server certificate. The public certificate of the server is exported from it and imported into the server TrustStore and into the agents' TWSClientKeyStore.

TrustStore: contains the public certificate of the server and the Root and Intermediate public certificates of the CA that signed the server certificate. It should hold only public certificates, never a private key.

The sections below create new stores, IWAServerKeyStore.jks and IWAServerTrustStore.jks, and point the WLP configuration at them; the default files stay in the directory. The following is a high-level procedure to replace the default certificates used by the MDM and DWC.
The flow chart below depicts the procedure.

Update in version 9.5 Fix Pack 04: the new feature "Automatic deployment of security certificates on agents", introduced in version 9.5 Fix Pack 04, applies to Dynamic Agents only and does not affect the process flow above. One requirement that must be met is that the certificates for all components, i.e. MDM, DWC and DAs, must be signed by the same CA.

The following sections describe how to create and populate a new KeyStore and TrustStore with the required private and public certificates of the MDM and DWC.

1.2.1 Create New KeyStore for MDM

Follow the steps below to replace the default certificates for the MDM and DWC.

1. Login as iwaadmin and set the PATH variable to include the key management tool, keytool, provided by IWA:
   export PATH=/opt/IWA/IWS/TWS/JavaExt/jre/bin:$PATH
2. Create a new KeyStore for the MDM.
The key password must be the same as the store password. Even though JKS allows them to differ, WA uses only one password to open both.

1.2.2 Generate a CSR for MDM

Follow the steps below to create a Certificate Signing Request (CSR) for the MDM.

1. Generate a Certificate Signing Request (CSR) for the MDM server.
2. Send the CSR to the CA to be signed. The CA signs the certificate and sends back the signed certificate along with the Root and Intermediate certificates, for example:
   nairobi.crt (signed server certificate)
   sportif.cer (Intermediate CA certificate)
   ABCRoot.cer (Root CA certificate)
3. Import the certificates in the order shown below: the Root certificate first, then the Intermediate, then the signed server certificate. keytool accepts the signed server certificate only once the CA certificates that issued it are already trusted in the store.
4. View the contents of the KeyStore
5. Export the Public Key into a file from the KeyStore
1.2.3 Create New TrustStore for MDM

Follow the steps below to create a new TrustStore for the MDM.

1. Create a new TrustStore for the MDM, giving the same responses (and the same password) as for the KeyStore.
2. Import the Root, Intermediate and the server's public certificate, in the order shown below (Root first, then Intermediate, then the server's public certificate).
3. View the contents of the TrustStore
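The keytool steps of sections 1.2.1 to 1.2.3 scripted end to end, as an added example (not code from the original page or from IBM). It assumes the keytool path, the store names, the aliases root.cert, intermediate.cert and nairobi.pub, and the CA file names of this page's example environment, and it reads the store password from an environment variable (keytool's -storepass:env form keeps it out of ps output). Phase 1 runs before the CSR goes to the CA, phase 2 after the signed chain comes back; audit_listing() checks a keytool -list output for the two mistakes the procedure makes easy, a missing CA certificate and a private key left inside a TrustStore. The listing it audits is constructed after the ones in section 2.

```python
"""Script the keytool steps of sections 1.2.1-1.2.3 for the IWA MDM/DWC stores.

Added example, not code from the original page or from IBM.  Assumptions:
KEYTOOL path, store/alias/file names of the page's example environment, and
that the store password is supplied in the IWA_STOREPASS environment variable
(keytool's -storepass:env form keeps it out of `ps` output).
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Sequence

KEYTOOL = "/opt/IBM/IWA/IWS/TWS/JavaExt/jre/bin/keytool"   # assumption
PASS_ENV = "IWA_STOREPASS"
Argv = List[str]


def _store(path: str) -> Argv:
    # -keypass is read from the same variable as -storepass on purpose:
    # WLP opens the key and the store with one password (section 1.2.1).
    return ["-keystore", path, "-storetype", "jks", "-storepass:env", PASS_ENV]


def plan_request(host: str, dn: str, keystore: str) -> List[Argv]:
    """Phase 1 (before the CA): new KeyStore with a 2048-bit RSA key, then the CSR."""
    return [
        [KEYTOOL, "-genkeypair", "-alias", host, "-keyalg", "RSA", "-keysize", "2048",
         "-sigalg", "SHA256withRSA", "-dname", dn, "-keypass:env", PASS_ENV] + _store(keystore),
        [KEYTOOL, "-certreq", "-alias", host, "-sigalg", "SHA256withRSA",
         "-file", f"{host}.csr"] + _store(keystore),
    ]


def plan_install(host: str, keystore: str, truststore: str, signed_cert: str,
                 intermediate: str, root: str, pub_alias: Optional[str] = None) -> List[Argv]:
    """Phase 2 (after the CA): import Root -> Intermediate -> signed server certificate
    into the KeyStore (keytool rejects the reply until its issuers are trusted),
    export the server's public certificate, and build the TrustStore from the
    same chain plus that public certificate."""
    pub_alias = pub_alias or host.split(".")[0] + ".pub"      # page style: nairobi.pub
    pub_file = f"{host}.pub.cer"
    chain = [("root.cert", root), ("intermediate.cert", intermediate)]
    ks, ts = _store(keystore), _store(truststore)
    plan = [[KEYTOOL, "-importcert", "-noprompt", "-alias", a, "-file", f] + ks for a, f in chain]
    plan.append([KEYTOOL, "-importcert", "-noprompt", "-trustcacerts", "-alias", host,
                 "-file", signed_cert] + ks)
    plan.append([KEYTOOL, "-exportcert", "-alias", host, "-file", pub_file] + ks)
    plan += [[KEYTOOL, "-importcert", "-noprompt", "-alias", a, "-file", f] + ts for a, f in chain]
    plan.append([KEYTOOL, "-importcert", "-noprompt", "-alias", pub_alias, "-file", pub_file] + ts)
    return plan


def execute(plan: Sequence[Argv], run: Optional[Callable[[Argv], None]] = None) -> None:
    """Run the commands in order; subprocess raises on the first failure."""
    run = run or (lambda argv: subprocess.run(argv, check=True))
    for argv in plan:
        run(argv)


ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .+?, (?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),")


def parse_listing(text: str) -> Dict[str, str]:
    """alias -> entry kind from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["alias"].strip()] = m["kind"]
    return entries


def audit_listing(entries: Dict[str, str], role: str, key_alias: str, pub_alias: str,
                  chain: Sequence[str] = ("root.cert", "intermediate.cert")) -> List[str]:
    """Problems with a 'keystore' or 'truststore' listing; an empty list means it is as expected."""
    problems = [f"missing CA certificate '{a}'" for a in chain if entries.get(a) != "trustedCertEntry"]
    keys = [a for a, k in entries.items() if k == "PrivateKeyEntry"]
    if role == "keystore":
        if keys != [key_alias]:
            problems.append(f"expected exactly one private key '{key_alias}', found {keys}")
    else:
        problems += [f"'{a}' is a PrivateKeyEntry; a TrustStore should hold only trustedCertEntry entries"
                     for a in keys]
        if entries.get(pub_alias) != "trustedCertEntry":
            problems.append(f"server public certificate '{pub_alias}' not present")
    return problems


# Constructed after the TrustStore listing in section 2 (fingerprints are fake).
SAMPLE_TRUSTSTORE_LISTING = """Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

nairobi.pub, Jul 14, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
intermediate.cert, Dec 5, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
root.cert, Dec 5, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
mykey, Dec 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66
"""

if __name__ == "__main__":
    # Dry run: print the plan.  For the real thing set IWA_STOREPASS and call execute().
    host, dn = "nairobi.abc.com", "CN=nairobi.abc.com,OU=IT Division,O=ABC,L=Kingston,ST=Jamaica,C=US"
    for argv in plan_request(host, dn, "IWAServerKeyStore.jks") + plan_install(
            host, "IWAServerKeyStore.jks", "IWAServerTrustStore.jks",
            "nairobi.crt", "sportif.cer", "ABCRoot.cer"):
        print(" ".join(argv))
    print(audit_listing(parse_listing(SAMPLE_TRUSTSTORE_LISTING), "truststore", host, "nairobi.pub"))
```

Run it with no arguments for a dry run that prints the commands; after phase 1, send the .csr to the CA, drop the returned files next to the stores, then run phase 2 via execute(). The audit on the constructed listing reports the mykey private key that keytool's genkeypair leaves in a TrustStore created that way.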
1.2.4 Replace Default KeyStore and TrustStore for MDM Follow the steps below to replace the default KeyStore and TrustStore for the MDM. 1. Go to the directory where the default KeyStore and TrustStores are located
2. Copy the new KeyStore and TrustStore
3. Encrypt the password for the KeyStore and TrustStore
4. Copy the encrypted password and update it in the ssl_variables along with references to the new KeyStore and TrustStore
5. Save and exit.
6. The changes are effective immediately and do not require the MDM to be restarted.

1.2.5 Replace Default KeyStore and TrustStore for the DWC

Follow the steps below to replace the default KeyStore and TrustStore for the DWC and the Backup DWC.

1. Go to the directory where the default KeyStore and TrustStore are located.
2. Copy the new KeyStore and TrustStore
3. Copy the encrypted password generated for the MDM (the DWC uses the same stores and password) and update it in the ssl_variables along with references to the new KeyStore and TrustStore.
4. Save and exit.
5. The changes are effective immediately and do not require the DWC to be restarted.

1.2.6 Verify that DWC is using the new Certificate

Follow the steps below to verify that the DWC is using the new CA signed certificates.

1. Launch a browser and go to the following URL:
   https://nairobi.abc.com:9443/console/login.jsp
2. In the address bar, click on the padlock next to the URL. The icon may differ depending on the browser.
3. Click on View Certificate and verify that the information shown is that of the new certificate: the subject is the DWC host name, the issuer is the Intermediate CA that signed the CSR, and the validity dates are those of the newly issued certificate. If the browser still shows the old certificate, retry in a new private window so that a resumed TLS session is not reused.

1.2.7 Update Dynamic Workload Broker Workstation Properties

In order to work with the Dynamic Agents through the Dynamic Workload Broker (DWB), for example to delete and extract, the CN names of the CA signed certificates must be added to the Broker.AuthorizedCNs property in the BrokerWorkstation.properties file. This property is an authorization list: the broker accepts an agent whose certificate chains to a trusted CA and whose CN is listed, so add only the CNs you actually issued. Follow the steps below to update this file.

1. Go to the directory where the BrokerWorkstation.properties file is located.
2. Edit the BrokerWorkstation.properties file and append the CN values of the new certificates to the existing value of Broker.AuthorizedCNs.
3. Restart the MDM WLP.
1.3 Replacing Certificates used by DA

The Dynamic Agent uses two KeyStores, one in CMS format (.kdb extension) and the other in JKS format (.jks extension). Both KeyStores contain the same certificates: the private key and certificate of the server where the agent is installed, the public certificate of the MDM server, and the Root and Intermediate public certificates of the CA that signed the MDM server's certificate. The public certificate of the server where the agent is installed is exported from one of these KeyStores and imported into the TrustStores of the MDM and BKM servers. They are located in the following directory:

   /opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert

   CMS KeyStore: TWSClientKeyStore.kdb
   JKS KeyStore: TWSClientKeyStoreJKS.jks

Each store has a companion stash file (.sth) holding its password; because the stash file opens the store, protect it with the same file permissions as the private key.

In order to simplify and make repeatable the process of renewing the certificates when they expire, the following procedure is used to replace the certificates used by the DA.

The flow chart below depicts the procedure.

Update in version 9.5 Fix Pack 04: the new feature "Automatic deployment of security certificates on agents", introduced in version 9.5 Fix Pack 04, applies to Dynamic Agents and simplifies the process above by eliminating steps 4-10. Steps 1-3 must still be completed, and the certificates must be placed in the certificate depot location, <TWSDATA>/TWS/ssl/depot. This directory only exists if a fresh installation was performed using the FP4 image; if an existing installation was upgraded to FP4, it needs to be created. The certificates are downloaded to an agent in the following scenarios:

One requirement that must be met is that the certificates for all components, i.e. MDM, DWC and DAs, must be signed by the same CA.

The following sections describe how to replace the default certificates used by the DA.

1.3.1 Generate a CSR for the DA in the CMS TWSClientKeyStore

Follow the steps below to generate the CSR and update the CMS TWSClientKeyStore.kdb.

1. Login as iwaadmin on the agent and set the PATH variable to include the key management tool, gsk8capicmd, provided by IWA:
   export PATH=/opt/IBM/IWA/TWS/tmpGSKit64/8/bin:$PATH
2. Source the script to set the environment as shown below:
   . /opt/IBM/IWA/TWS/tws_env.sh
3. Backup the existing TWSClientKeyStores:
   cd /opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert
   cp TWSClientKeyStore.kdb TWSClientKeyStore.kdb.orig
   cp TWSClientKeyStoreJKS.jks TWSClientKeyStoreJKS.jks.orig
4. Generate a CSR from the CMS TWSClientKeyStore.kdb (a new 2048-bit RSA key pair is created under the label agent; -stashed reads the store password from the .sth file):
   gsk8capicmd_64 -certreq -create -sigalg SHA256withRSA -size 2048 -db TWSClientKeyStore.kdb -label agent -dn "CN=agent.abc.com,OU=IT Division,O=ABC,L=Kingston,ST=Jamaica,C=US" -file agent.csr -stashed
5. Send the CSR, agent.csr, to the CA to be signed and returned.
6. Once the CA signed certificate is received, import it into the CMS TWSClientKeyStore.kdb along with the Root, Intermediate and MDM server's public certificate, in the order shown below: the Root and Intermediate CA certificates first, then the signed agent certificate, then the MDM server's public certificate.
7. Delete the following default certificates
8. Extract the public certificate for the agent and copy it to the MDM
9. View the contents of the KeyStore
1.3.2 Import the public certificate of the DA into the MDM TrustStore

Follow the steps below to import the public certificate of the DA into the JKS IWAServerTrustStore.jks.

1. Login as iwaadmin to the MDM and go to the directory where the TrustStore is located.
2. Import the public certificate of the DA into the Primary MDM server’s TrustStore
3. View the Certificates in the Server TrustStore
4. Restart the Primary MDM
1.3.3 Convert the CMS TWSClientKeyStore to JKS TWSClientKeyStore Follow the steps below to convert the CMS TWSClientKeyStore to JKS TWSClientKeyStore.jks. 1. Login as iwaadmin to the Primary MDM and go to the directory where the KeyStore is located
2. Delete any certificates with the .arm extension:
   rm *.arm
3. Run the following command to convert the CMS TWSClientKeyStore to JKS format.
4. View the contents of the JKS TWSClientKeyStoreJKS.jks. It should be identical to the CMS TWSClientKeyStore.kdb.
1.3.4 Update the certificate related parameters in ita.ini of the DA 1. Login as iwaadmin to the Primary MDM and go to the directory where ita.ini is located
2. Open the ita.ini file, scroll down to the ITA SSL section, and update and verify the following parameters (the values are the ones listed in section 1.4: ssl_port, cert_label, and the sslv3_cipher, tls10_cipher, tls11_cipher and tls12_cipher settings).
3. Save and exit.

1.3.5 Restart Agent and Verify

Follow the steps below to restart the agent and verify its connectivity to the MDM server.

1. Go to the agent's home directory and restart the agent:
   cd /opt/IBM/IWA/IWS/TWS
   ./ShutDownLwa
   ./StartUpLwa
2. Login to the DWC, navigate to Monitor Workload, Workstation, and make sure that the agent is linked and running.
3. If it is not linked and running, check the agent's logfile:
   cd /opt/IBM/IWA/TWSDATA/stdlist/JM/
   tail JobManager_message.log
   2019-11-13 15:43:10.351- 05:00|2046801664|3225|<server_name>.abc.com|AWSITA081E The agent can not send the resource information to "https://<server_name>.abc.com:31116/JobManagerRESTWeb/JobScheduler/resource". The error is: "AWSITA245E An error occurred getting the response of the HTTP request. The error is "CURL error 35".".
   CURL error 35 is libcurl's SSL connect error: the TLS handshake itself failed, typically because the agent and the MDM do not share a trusted CA, the MDM rejected the certificate the agent presented, or the protocol and cipher settings on the two sides do not overlap.
4. Review the steps above and verify that each step was executed successfully.
5. If the agent is able to connect to the MDM, the last message in the logfile indicates that it sent information to the MDM server:
   2019-11-13 19:18:26.461- 05:00|INFO|JobManager|18446744071629174528|30204|nairobi.abc.com|AWSITA083I Resource information was sent to "https://nairobi.abc.com:31116/JobManagerRESTWeb/JobScheduler/resource".
6. To verify two-way communication between the DA and the MDM, submit a test job as follows:
   a. Login as iwaadmin to the MDM.
   b. Run conman in interactive mode:
      conman
   c. Create and submit a job on the fly:
      sbd nairobi_da#"echo Hello";logon=iwaadmin
   d. Keep running the following command until the job completes successfully:
      sj nairobi_da#JOBS.ECHO
   e. If the job stays stuck in WAIT state, look at the joblog for any errors:
      sj nairobi_da#JOBS.ECHO;stdlist
   f. Review the steps above and verify that each step was executed successfully.
   g. Type e followed by Enter to exit conman.
7. Follow the steps in section 1.4 to replicate the TWS Client KeyStores on all DAs, to enable SSL communication between the MDM and the DAs using CA signed certificates.

1.4 Update the SSL settings of a DA

Follow the steps below to update the SSL settings of a Dynamic Agent.

1. Unix: backup the current KeyStores and copy the KeyStores and their stash files from the server.
   cd /opt/IBM/IWA/TWSDATA/ITA/cpa/ita/cert
   mkdir backup
   cp TWSClient* backup
   Run the following command with nairobi (for Dev) or tws (for Prod):
   scp iwaadmin@nairobi:/opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert/TWSClientKeyStore* .
   The authenticity of host 'nairobi.abc.com (10.150.35.59)' can't be established.
   ECDSA key fingerprint is SHA256:Xwo1hl+qLUsLx5EPpSvatBQVNbn89frtabLOao5QpWQ.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added 'nairobi.abc.com,10.150.35.59' (ECDSA) to the list of known hosts.
   iwaadmin@nairobi.abc.com's password: <enter password for iwaadmin>
   TWSClientKeyStore.kdb     100%   20KB  12.0MB/s   00:00
   TWSClientKeyStore.sth     100%  129   182.5KB/s   00:00
   TWSClientKeyStoreJKS.jks  100%   11KB   5.2MB/s   00:00
   TWSClientKeyStoreJKS.sth  100%  129    98.6KB/s   00:00
   Compare the host key fingerprint with one obtained out of band before answering yes: these files contain the agent's private key and its stash file, and they would be delivered to whatever host answers. scp does not preserve permissions by default, so check that the copied files are readable only by iwaadmin.
2. Windows: backup the current KeyStores and copy the new ones from the server.
   cd \IBM\IWA\TWS\ITA\cpa\ita\cert
   mkdir backup
   copy TWSClient* backup
   Launch WinSCP and connect to nairobi (for Dev) or tws (for Prod) as iwaadmin. Copy the following files from nairobi or tws to the DA:
   From Dir: /opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert
   To Dir: \IBM\IWA\TWS\ITA\cpa\ita\cert
   Files: TWSClientKeyStore.kdb, TWSClientKeyStore.sth, TWSClientKeyStoreJKS.jks, TWSClientKeyStoreJKS.sth
3. Go to the following directory and edit ita.ini:
   Unix:
   cd /opt/IBM/IWA/TWSDATA/ITA/cpa/ita
   vi ita.ini
   Windows:
   cd \IBM\IWA\TWS\ITA\cpa\ita
   notepad ita.ini
4. Make the following changes:
   ssl_port=32114
   cert_label=agent
   Add the following new settings:
   sslv3_cipher = NONE
   tls10_cipher = NONE
   tls11_cipher = NONE
   tls12_cipher = DFLT
   These settings disable SSLv3, TLS 1.0 and TLS 1.1 and leave only the default TLS 1.2 cipher set, so the agent cannot be negotiated down to an older protocol.

1.5 Enable a DA

When an FTA was installed, the DA was also installed but not enabled. Follow the steps below to enable the DA.

   Unix:
   cd /opt/IBM/IWA/TWSDATA/ITA/cpa/config
   vi JobManager.ini
   Windows:
   cd \IBM\IWA\TWS\ITA\cpa\config
   notepad JobManager.ini
3. Make the following changes:
   ThisWorkstation = <short_hostname>_DA
   FullyQualifiedHostname = <short_hostname>.abc.com
   ResourceAdvisorUrl = https://nairobi.abc.com:32116/JobManagerRESTWeb/JobScheduler/resource (for Dev)
   ResourceAdvisorUrl = https://tws.abc.com:32116/JobManagerRESTWeb/JobScheduler/resource (for Prod)
   ComputerSystemDisplayName = <short_hostname>_DA
4. Start the DA:
   Unix:
   cd /opt/IBM/IWA/TWS
   ./StartUpLwa
   Windows:
   cd \IBM\IWA\TWS
   StartUpLwa
5. Verify that the DA is registered with the server. If it does not show, wait a few minutes and run the command again. Login as iwaadmin on nairobi (for Dev) or tws (for Prod):
   conman sc <short_hostname>_DA
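The log check in step 3 of section 1.3.5, turned into a small triage script, as an added example (not code from the original page or from IBM). It reads JobManager_message.log in order, decides the agent's state from the last AWSITA081E (failed) or AWSITA083I (sent) resource-send message, and maps each CURL error code it sees to a hint. The sample lines are constructed after the two lines quoted in section 1.3.5, and the code meanings are taken from libcurl's documented error list.

```python
"""Triage an agent's JobManager_message.log for SSL failures (section 1.3.5).

Added example, not code from the original page or from IBM.  The sample
lines are constructed after the two log lines shown on the page; the libcurl
error meanings come from libcurl's documented error codes.
"""
import re
import sys
from typing import Dict, Iterable, Optional

CURL_HINTS = {
    35: "SSL connect error: the TLS handshake failed (no shared protocol/cipher, or the "
        "MDM rejected the agent certificate because its CA is not trusted)",
    51: "peer certificate failed verification: name does not match the URL host",
    58: "problem with the local client certificate: check cert_label and the stash file",
    60: "peer certificate not signed by a CA in the agent KeyStore (wrong or old CA chain)",
}
CODE_RE = re.compile(r"\b(AWSITA\d{3}[EWI])\b")
CURL_RE = re.compile(r"CURL error (\d+)")
URL_RE = re.compile(r'"(https://[^"]+)"')


def parse_line(line: str) -> Optional[Dict]:
    """Fields are '|'-separated and the message is the last field.  Lines without a
    message code are ignored (the two formats on the page differ in field count)."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 2:
        return None
    msg = fields[-1]
    code = CODE_RE.search(msg)
    if not code:
        return None
    curl = CURL_RE.search(msg)
    url = URL_RE.search(msg)
    return {"ts": fields[0].strip(), "code": code.group(1), "severity": code.group(1)[-1],
            "curl": int(curl.group(1)) if curl else None, "url": url.group(1) if url else None}


def triage(lines: Iterable[str]) -> Dict:
    """The most recent resource-send message (AWSITA081E failed / AWSITA083I sent)
    decides the state; every curl code seen in the log gets a hint."""
    events = [e for e in map(parse_line, lines) if e]
    sends = [e for e in events if e["code"] in ("AWSITA081E", "AWSITA083I")]
    last = sends[-1] if sends else None
    curl_codes = sorted({e["curl"] for e in events if e["curl"] is not None})
    return {
        "state": "unknown" if last is None else ("ok" if last["code"] == "AWSITA083I" else "failing"),
        "last_event": last,
        "mdm_url": last["url"] if last else None,
        "curl_codes": curl_codes,
        "hints": {c: CURL_HINTS.get(c, "see the libcurl error code list") for c in curl_codes},
        "error_count": sum(1 for e in events if e["severity"] == "E"),
    }


SAMPLE_LOG = [  # constructed, modelled on the page's two log lines
    '2019-11-13 15:43:10.351- 05:00|2046801664|3225|nairobi.abc.com|AWSITA081E The agent can not send '
    'the resource information to "https://nairobi.abc.com:31116/JobManagerRESTWeb/JobScheduler/resource". '
    'The error is: "AWSITA245E An error occurred getting the response of the HTTP request. '
    'The error is "CURL error 35".".',
    '2019-11-13 15:44:10.402- 05:00|2046801664|3225|nairobi.abc.com|AWSITA081E The agent can not send '
    'the resource information to "https://nairobi.abc.com:31116/JobManagerRESTWeb/JobScheduler/resource". '
    'The error is: "AWSITA245E An error occurred getting the response of the HTTP request. '
    'The error is "CURL error 60".".',
    'a line without a message code is skipped',
    '2019-11-13 19:18:26.461- 05:00|INFO|JobManager|18446744071629174528|30204|nairobi.abc.com|AWSITA083I '
    'Resource information was sent to "https://nairobi.abc.com:31116/JobManagerRESTWeb/JobScheduler/resource".',
]

if __name__ == "__main__":
    # usage: python triage.py /opt/IBM/IWA/TWSDATA/stdlist/JM/JobManager_message.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = triage(fh)
    else:
        report = triage(SAMPLE_LOG)
    print(f"state={report['state']} errors={report['error_count']} mdm={report['mdm_url']}")
    for code, hint in report["hints"].items():
        print(f"  CURL error {code}: {hint}")
```

Run it on the live log after each restart of the agent; a state of ok with earlier errors means the last fix took effect, while failing with code 35 or 60 points at the trust chain or the protocol settings in ita.ini rather than at the network.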
   vi localopts
3. Make the following changes:
   nm SSL port =32113
   SSL key ="/opt/IBM/IWA/IWS/TWS/ssl/OpenSSL/TWSClient.key"
   SSL certificate ="/opt/IBM/IWA/IWS/TWS/ssl/OpenSSL/TWSClient.cer"
   SSL key pwd ="/opt/IBM/IWA/IWS/TWS/ssl/OpenSSL/password.sth"
   SSL CA certificate ="/opt/IBM/IWA/IWS/TWS/ssl/OpenSSL/TWSTrustCertificates.cer"
   SSL random seed ="/opt/IBM/IWA/IWS/TWS/ssl/OpenSSL/TWS.rnd"
   SSL Encryption Cipher =TLSv1.2
   CLI SSL cipher=TLSv1.2
   TWSClient.key is the MDM's private key and password.sth holds the passphrase that opens it; both must be readable only by iwaadmin. Make sure these files hold the CA signed key and certificate for this host and the CA chain in TWSTrustCertificates.cer, not the files shipped with the product, otherwise the FTA link is encrypted but still uses the default identity.
4. Update the Workstation definition of the MDM with the following settings (SECUREADDR and SECURITYLEVEL are the SSL-related ones):
   CPUNAME NAIROBI
     DESCRIPTION "This workstation is the Master Domain Manager (MDM)"
     OS UNIX
     NODE nairobi.abc.com TCPADDR 32111
     SECUREADDR 32113
     TIMEZONE America/Bogota
     DOMAIN MASTERDM
     FOR MAESTRO
       TYPE MANAGER
       AUTOLINK ON
       BEHINDFIREWALL OFF
       SECURITYLEVEL ENABLED
       FULLSTATUS ON
   END
   With SECURITYLEVEL ENABLED the MDM uses SSL only when the peer requires it, so a workstation that has not yet been migrated can still link in the clear. Once every FTA has been migrated, SECURITYLEVEL FORCE, which accepts SSL connections only, closes that path.
5. Update the Workstation definition of each FTA with the following settings. For example, the definition of the FTA ALCATRAZ is shown below. Do not modify the definitions of MASTERAGENTS, NAIROBI_DWB and NAIROBI_DA.
   composer cr all.workstations.txt from ws=@
   CPUNAME ALCATRAZ
     OS WNT
     NODE alcatraz.abc.com TCPADDR 32111
     SECUREADDR 32113
     TIMEZONE America/Bogota
     DOMAIN MASTERDM
     FOR MAESTRO
       TYPE FTA
       AUTOLINK ON
       BEHINDFIREWALL OFF
       SECURITYLEVEL ON
       FULLSTATUS OFF
   END
6. Reimport all modified FTA definitions:
   composer replace all.workstations.txt
7. Update the plan so that all updated FTA definitions are reflected in the plan:
   optman chg cf = all
   JnextPlan -for 0000
   optman chg cf = yes
8. Stop the MDM:
   conman "stop;wait"
   conman "shut;wait"
9. Start the MDM:
   cd /opt/IBM/IWA/IWS/TWS
   ./StartUp
   conman start
10. Verify that optman and composer run successfully:
   optman ls
   composer li vt=main_table
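The file edits in sections 1.2.7 (Broker.AuthorizedCNs), 1.3.4 and 1.4 (ita.ini) and 1.6 and 1.7 (localopts) share one shape: set a handful of key = value lines, or append to a list value, without disturbing the rest of the file. The helper below does that idempotently, keeping a .orig backup and the file's permission bits, as an added example (not code from the original page or from IBM). It assumes plain key = value text files with optional [section] headers and a comma-separated Broker.AuthorizedCNs; the sample file contents and the section name ITA SSL are constructed for the example.

```python
"""Idempotent key=value edits for ita.ini, localopts and BrokerWorkstation.properties
(sections 1.2.7, 1.3.4, 1.4, 1.6 and 1.7).

Added example, not code from the original page or from IBM.  Assumptions: the
files are plain 'key = value' text (ita.ini with [section] headers, localopts
without), and Broker.AuthorizedCNs is a comma-separated list.  The sample
contents below are constructed, not copied from a real installation.
"""
import os
import shutil
from typing import Callable, Dict, Iterable, List, Optional


def _key_of(line: str) -> Optional[str]:
    """Normalised key of a 'key = value' line; None for blank, comment or [section] lines."""
    s = line.strip()
    if not s or s[0] in "#;[" or "=" not in s:
        return None
    return s.split("=", 1)[0].strip().lower()


def _section_end(lines: List[str], section: str) -> int:
    """Index at which new keys go for [section]: before the next header, skipping
    trailing blank lines; the header is appended if the section does not exist."""
    header = f"[{section}]"
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().lower() == header.lower())
    except StopIteration:
        lines.append(header)
        return len(lines)
    end = start + 1
    while end < len(lines) and not lines[end].strip().startswith("["):
        end += 1
    while end > start + 1 and not lines[end - 1].strip():
        end -= 1
    return end


def set_keys(text: str, updates: Dict[str, str], section: Optional[str] = None) -> str:
    """Set each key (case-insensitive) keeping the line's original 'key =' spelling;
    keys that are absent are appended inside [section], or at the end of the file."""
    lines = text.splitlines()
    pending = {k.lower(): (k, v) for k, v in updates.items()}
    current = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].strip().lower()
            continue
        k = _key_of(line)
        if k in pending and (section is None or current == section.lower()):
            head, tail = line.split("=", 1)
            pad = tail[: len(tail) - len(tail.lstrip())]          # keep spacing after '='
            lines[i] = f"{head}={pad}{pending.pop(k)[1]}"
    if pending:
        at = len(lines) if section is None else _section_end(lines, section)
        lines[at:at] = [f"{k}={v}" for k, v in pending.values()]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def add_to_list(text: str, key: str, values: Iterable[str], sep: str = ",") -> str:
    """Append values to a separated-list property without duplicates (idempotent);
    the property is created if it is missing."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if _key_of(line) == key.lower():
            head, tail = line.split("=", 1)
            have = [v.strip() for v in tail.split(sep) if v.strip()]
            for v in values:
                if v not in have:
                    have.append(v)
            lines[i] = f"{head}={sep.join(have)}"
            break
    else:
        lines.append(f"{key}={sep.join(values)}")
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def update_file(path: str, transform: Callable[[str], str]) -> bool:
    """Apply transform in place: keep a .orig backup, write through a temp file and
    preserve the original permission bits.  Returns True if the file changed."""
    with open(path, encoding="utf-8") as fh:
        old = fh.read()
    new = transform(old)
    if new == old:
        return False
    shutil.copy2(path, path + ".orig")
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(new)
    shutil.copymode(path, tmp)
    os.replace(tmp, path)
    return True


# Constructed samples; section and key names other than those on the page are invented.
ITA_INI = "[ITA]\nname=nairobi_da\n[ITA SSL]\nssl_port=31114\ncert_label=nairobi_default\n\n[Other]\nqueue=1\n"
LOCALOPTS = "nm SSL port =31113\nSSL Encryption Cipher =SSLv3\nCLI SSL cipher=SSLv3\n"
BROKER_PROPS = "# constructed sample\nBroker.AuthorizedCNs=existing_cn\n"
ITA_SSL_UPDATES = {"ssl_port": "32114", "cert_label": "agent", "sslv3_cipher": "NONE",
                   "tls10_cipher": "NONE", "tls11_cipher": "NONE", "tls12_cipher": "DFLT"}
LOCALOPTS_UPDATES = {"nm SSL port": "32113", "SSL Encryption Cipher": "TLSv1.2", "CLI SSL cipher": "TLSv1.2"}

if __name__ == "__main__":
    print(set_keys(ITA_INI, ITA_SSL_UPDATES, section="ITA SSL"))
    print(set_keys(LOCALOPTS, LOCALOPTS_UPDATES))
    print(add_to_list(BROKER_PROPS, "Broker.AuthorizedCNs", ["nairobi.abc.com", "agent.abc.com"]))
    # real use: update_file("/opt/IBM/IWA/TWSDATA/ITA/cpa/ita/ita.ini",
    #                       lambda t: set_keys(t, ITA_SSL_UPDATES, section="ITA SSL"))
```

Because every edit is idempotent, the same call can be run on each DA during the roll-out and again during renewal; a second run is a no-op and update_file() reports False, which makes the step safe to repeat from automation.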
   Unix:
   cd /opt/IBM/IWA/TWSDATA
   vi localopts
   Windows:
   cd \IBM\IWA\TWS
   notepad localopts
3. Make the following changes:
   Both:
   nm SSL port =32113
   Unix:
   SSL key ="/opt/IBM/IWA/TWS/ssl/OpenSSL/TWSClient.key"
   SSL certificate ="/opt/IBM/IWA/TWS/ssl/OpenSSL/TWSClient.cer"
   SSL key pwd ="/opt/IBM/IWA/TWS/ssl/OpenSSL/password.sth"
   SSL CA certificate ="/opt/IBM/IWA/TWS/ssl/OpenSSL/TWSTrustCertificates.cer"
   SSL random seed ="/opt/IBM/IWA/TWS/ssl/OpenSSL/TWS.rnd"
   Windows:
   SSL key ="C:\IBM\IWA\TWS\ssl\OpenSSL\TWSClient.key"
   SSL certificate ="C:\IBM\IWA\TWS\ssl\OpenSSL\TWSClient.cer"
   SSL key pwd ="C:\IBM\IWA\TWS\ssl\OpenSSL\password.sth"
   SSL CA certificate ="C:\IBM\IWA\TWS\ssl\OpenSSL\TWSTrustCertificates.cer"
   SSL random seed ="C:\IBM\IWA\TWS\ssl\OpenSSL\TWS.rnd"
   Both:
   SSL Encryption Cipher =TLSv1.2
   CLI SSL cipher=TLSv1.2
4. Stop the FTA:
   conman "stop;wait"
   conman "shut;wait"
5. Start the FTA:
   Unix:
   cd /opt/IBM/IWA/TWS
   ./StartUp
   conman link nairobi (for Dev) or conman link tws (for Prod)
   conman start
   Windows:
   cd \IBM\IWA\TWS
   StartUp
   conman link nairobi (for Dev) or conman link tws (for Prod)
   conman start
6. Verify that composer can be run successfully:
   composer li vt=main_table
7. Verify that the FTA linked with the server successfully and shows all the flags, LTI JW, as in the example below for ALCATRAZ. Login as iwaadmin on nairobi (for Dev) or tws (for Prod):
   conman sc <short_hostname>
   ALCATRAZ 12 WIN FTA 10 0 03/18/20 23:59 LTI JW MASTERDM

2. Renewing the Expired Certificate of the MDM & DWC

The CA signed certificates start expiring from Nov 20, 2020. As such, these certificates must be renewed ahead of time in order to keep the various components communicating with each other and not interrupt the execution of the workload automation. Follow the steps below to renew the certificates for the MDM and DWC.
3. Generate a Certificate Signing Request (CSR) for the MDM server. This reuses the existing key pair under the alias nairobi.abc.com; if that key may have been exposed, create a new key pair as in section 1.2.1 instead of renewing on the old one.
   keytool -certreq -sigalg SHA256withRSA -alias nairobi.abc.com -file nairobi.csr -keystore IWAServerKeyStore.jks
4. Send the CSR to the CA to be signed. The CA signs the certificate and sends back the signed certificate along with the Root and Intermediate certificates:
   nairobi.crt
   sportif.cer
   ABCRoot.cer
5. Import the signed server certificate. The Root and Intermediate certificates are already in the store from the original setup; if the CA has rotated them, import the new ones first, in the order given in section 1.2.2.
   keytool -importcert -file nairobi.crt -keystore IWAServerKeyStore.jks -alias nairobi.abc.com -trustcacerts
6. View the contents of the KeyStore:
   keytool -list -keystore IWAServerKeyStore.jks
   Keystore type: jks
   Keystore provider: SUN
   Your keystore contains 3 entries
   intermediate.cert, Dec 5, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): 75:73:EE:4E:F3:B0:B0:6E:77:1F:49:14:9F:B8:21:E6:46:06:E0:E2
   nairobi.abc.com, Jul 14, 2021, PrivateKeyEntry,
   Certificate fingerprint (SHA1): BA:CA:CC:C0:5F:9E:44:DA:7C:60:23:03:0E:08:A7:12:1E:54:2C:40
   root.cert, Dec 5, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): 42:BF:FC:22:E5:71:C2:F0:43:96:6D:7D:18:B2:27:BA:97:EE:56:A3
7. Export the public certificate of the server into a file from the KeyStore:
   keytool -exportcert -alias nairobi.abc.com -file nairobi.pub.cer -keystore IWAServerKeyStore.jks -storetype jks
8. Delete the current public certificate from the TrustStore for the MDM:
   keytool -delete -noprompt -alias nairobi.pub -keystore IWAServerTrustStore.jks
9. Import the new public certificate of the server:
   keytool -importcert -file nairobi.pub.cer -keystore IWAServerTrustStore.jks -alias nairobi.pub -trustcacerts
10. View the contents of the TrustStore:
   keytool -list -keystore IWAServerTrustStore.jks
   Enter keystore password: <enter the password used when the KeyStore was created>
   Keystore type: jks
   Keystore provider: SUN
   Your keystore contains 4 entries
   nairobi.pub, Jul 14, 2021, trustedCertEntry,
   Certificate fingerprint (SHA1): BA:CA:CC:C0:5F:9E:44:DA:7C:60:23:03:0E:08:A7:12:1E:54:2C:40
   intermediate.cert, Dec 5, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): 75:73:EE:4E:F3:B0:B0:6E:77:1F:49:14:9F:B8:21:E6:46:06:E0:E2
   root.cert, Dec 5, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): 42:BF:FC:22:E5:71:C2:F0:43:96:6D:7D:18:B2:27:BA:97:EE:56:A3
   mykey, Dec 5, 2019, PrivateKeyEntry,
   Certificate fingerprint (SHA1): D8:96:BF:73:BF:BC:6E:3F:D7:0B:48:95:87:48:28:78:17:3D:DA:ED
   The entry mykey is the key pair keytool generated when the TrustStore was created (keytool cannot create an empty store, and mykey is its default alias). It is not used by the SSL configuration, and a TrustStore should hold only trusted public certificates, so delete it once you have confirmed nothing references it.
11. To view the expiration dates of the certificates, run the following command:
   keytool -list -v -keystore IWAServerTrustStore.jks | more
12. Go to the directory where the DWC KeyStore and TrustStore are located:
   cd /opt/IBM/IWA/DWC/usr/servers/dwcServer/resources/security
13. Copy the updated KeyStore and TrustStore from the MDM:
   cp /opt/IBM/IWA/IWS/usr/servers/engineServer/resources/security/IWAServer* .
   ls -l
   -rw-r--r--. 1 iwadmin iwadmin   5507 Nov 12 20:02 IWAServerKeyStore.jks
   -rw-r--r--. 1 iwadmin iwadmin   6465 Nov 12 21:07 IWAServerTrustStore.jks
   -rw-------. 1 iwadmin iwadmin    897 Jul 15 17:20 ltpa.keys
   -rw-r--r--. 1 iwadmin iwadmin   4503 Nov 12 21:48 TWSServerKeyFile.jks
   -rw-r--r--. 1 iwadmin iwadmin 118579 Nov 12 21:48 TWSServerTrustFile.jks
   Two things to check here. The DWC is given the MDM's KeyStore, i.e. the same private key and a certificate for nairobi.abc.com; that is correct only while the DWC runs on the same host as the MDM. A Backup DWC on another host needs its own key pair and a certificate for its own host name, or browsers and the MDM will reject it on name mismatch. Also, IWAServerKeyStore.jks is world-readable (-rw-r--r--) while ltpa.keys is not; restrict the KeyStore to the owning user in the same way.
14. Follow the steps in section 1.2.6 Verify that DWC is using the new Certificate.
15. If the certificate does not show the new expiration date, restart the DWC WLP as shown below:
   cd /opt/IBM/IWA/DWC/appservertools
   ./stopAppServer.sh
   ./startAppServer.sh

3. Renewing the Expired Certificate of the DA

The CA signed certificates start expiring from Nov 20, 2020. As such, these certificates must be renewed ahead of time in order to keep the various components communicating with each other and not interrupt the execution of the workload automation. Follow the steps below to renew the certificates for the DA.
2. Go to the directory where the current KeyStore is located:
   cd /opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert
3. Login as iwaadmin on the agent and set the PATH variable to include the key management tool, gsk8capicmd, provided by IWA:
   export PATH=/opt/IBM/IWA/TWS/tmpGSKit64/8/bin:$PATH
4. Source the script to set the environment as shown below:
   . /opt/IBM/IWA/opt/tws_env.sh
5. Backup the existing TWSClientKeyStores:
   cd /opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert
   cp TWSClientKeyStore.kdb TWSClientKeyStore.kdb.orig
   cp TWSClientKeyStoreJKS.jks TWSClientKeyStoreJKS.jks.orig
6. Generate a CSR from the CMS TWSClientKeyStore.kdb:
   gsk8capicmd_64 -certreq -create -sigalg SHA256withRSA -size 2048 -db TWSClientKeyStore.kdb -label agent -dn "CN=agent.abc.com,OU=IT Division,O=ABC,L=Kingston,ST=Jamaica,C=US" -file agent.csr -stashed
7. Send the CSR, agent.csr, to the CA to be signed and returned.
8. Once the CA signed certificate is received, copy it to the directory where the agent KeyStore is located, /opt/IBM/IWA/IWS/TWSDATA/ITA/cpa/ita/cert, and import it into the CMS TWSClientKeyStore.kdb:
   gsk8capicmd_64 -cert -receive -db TWSClientKeyStore.kdb -file agent.cer -default_cert yes -stashed
9. Extract the public certificate for the agent and copy it to the MDM:
   gsk8capicmd_64 -cert -extract -db TWSClientKeyStore.kdb -label agent -target agent.pub.crt -stashed
   cp agent.pub.crt /opt/IBM/IWA/IWS/usr/servers/engineServer/resources/security
10. Delete the public certificate of the server from the KeyStore:
   gsk8capicmd_64 -cert -delete -db TWSClientKeyStore.kdb -label nairobi.pub -stashed
11. Copy the new public certificate of the server and import it into the KeyStore:
   cp /opt/IBM/IWA/IWS/usr/servers/engineServer/resources/security/nairobi.pub.cer .
   gsk8capicmd_64 -cert -add -db TWSClientKeyStore.kdb -file nairobi.pub.cer -label nairobi.pub -trust enable -stashed
12. View the contents of the KeyStore:
   gsk8capicmd_64 -cert -list -db TWSClientKeyStore.kdb -stashed
   Certificates found
   * default, - personal, ! trusted, # secret key
   ! Root.cert
   ! Intermediate.cert
   ! nairobi.pub
   - agent
13. To view the expiration date of a certificate, run the following command with the label of the certificate:
   gsk8capicmd_64 -cert -details -label nairobi.pub -db TWSClientKeyStore.kdb -stashed | more
14. Delete the expired public certificate of the DA and import the new public certificate into the Primary MDM server's TrustStore:
   cd /opt/IBM/IWA/IWS/usr/servers/engineServer/resources/security
   keytool -delete -noprompt -alias agent.pub -keystore IWAServerTrustStore.jks
   keytool -importcert -file agent.pub.crt -keystore IWAServerTrustStore.jks -alias agent.pub -trustcacerts
15. View the certificates in the server TrustStore:
   keytool -list -keystore IWAServerTrustStore.jks
   Enter keystore password:
   Keystore type: jks
   Keystore provider: SUN
   Your keystore contains 5 entries
   nairobi.pub, Jul 14, 2021, trustedCertEntry,
   Certificate fingerprint (SHA1): BA:CA:CC:C0:5F:9E:44:DA:7C:60:23:03:0E:08:A7:12:1E:54:2C:40
   intermediate.cert, Dec 5, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): 75:73:EE:4E:F3:B0:B0:6E:77:1F:49:14:9F:B8:21:E6:46:06:E0:E2
   root.cert, Dec 5, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): 42:BF:FC:22:E5:71:C2:F0:43:96:6D:7D:18:B2:27:BA:97:EE:56:A3
   mykey, Dec 5, 2019, PrivateKeyEntry,
   Certificate fingerprint (SHA1): D8:96:BF:73:BF:BC:6E:3F:D7:0B:48:95:87:48:28:78:17:3D:DA:ED
   agent.pub, Jul 14, 2021, trustedCertEntry,
   Certificate fingerprint (SHA1): 5F:7B:AE:0F:A8:F4:92:E9:AB:F7:93:18:76:56:A4:1F:37:43:B3:C3
16. To view the expiration dates of the certificates, run the following command:
   keytool -list -v -keystore IWAServerTrustStore.jks | more
17. Restart the MDM:
   cd /opt/IBM/IWA/IWS/appservertools
   ./stopAppServer.sh
   ./startAppServer.sh
18. Follow the steps in sections 1.3.3 (Convert the CMS TWSClientKeyStore to JKS TWSClientKeyStore) and 1.3.5 (Restart Agent and Verify).
19. Copy the following files to all DAs to update their KeyStores (see section 1.4):
   TWSClientKeyStore.kdb
   TWSClientKeyStore.sth
   TWSClientKeyStoreJKS.jks
   TWSClientKeyStoreJKS.sth
20. For each DA, follow the steps in section 1.3.5 Restart Agent and Verify.

Note that this design gives every DA the same private key and certificate (CN=agent.abc.com): a compromise of any one agent host discloses the key that identifies all of them to the MDM, and revoking it means re-issuing every agent at once. Issuing one certificate per agent, with each CN added to Broker.AuthorizedCNs (section 1.2.7), avoids this at the cost of repeating sections 1.3.1 to 1.3.5 for each agent.
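The browser check in section 1.2.6 and the expiry checks in sections 2 and 3 can be done from the command line against the live endpoint. The script below is an added example (not code from the original page or from IBM): fetch_peer_cert() performs a TLS 1.2-or-better handshake with chain and host-name verification against the CA file you pass, and audit_cert() reports a name mismatch, expiry (with a warning window so renewal starts before Nov 20 comes round again), a self-signed certificate, or an unexpected issuer. The host names, port, CA file path and the sample certificate dict are assumptions constructed for the example; the audit functions work on the dict that ssl.SSLSocket.getpeercert() returns, so they can be exercised offline on that sample.

```python
"""Probe an IWA endpoint and audit the certificate it presents (sections 1.2.6, 2 and 3).

Added example, not code from the original page or from IBM.  fetch_peer_cert()
is the live check; audit_cert() and days_until_expiry() work on the dict
returned by ssl.SSLSocket.getpeercert(), so they run on the constructed sample
below without a network.  Host names, port and CA file path are assumptions.
"""
import datetime as dt
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple


def fetch_peer_cert(host: str, port: int, cafile: Optional[str], timeout: float = 10.0) -> Tuple[Dict, str]:
    """TLS 1.2+ handshake with full chain and host-name verification against cafile
    (the CA's Root/Intermediate PEM; None = the system store).  A server that still
    presents the default IBM certificate fails here with CERTIFICATE_VERIFY_FAILED."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def _rdn_value(name, oid: str) -> Optional[str]:
    for rdn in name:
        for key, value in rdn:
            if key == oid:
                return value
    return None


def _dns_names(cert: Dict) -> List[str]:
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy: fall back to the CN only when there is no SAN at all
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    return names


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single '*' as the whole leftmost label (one label only)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def days_until_expiry(cert: Dict, now: dt.datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    secs = ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()
    return int(secs // 86400)


def audit_cert(cert: Dict, host: str, now: dt.datetime, warn_days: int = 30,
               expected_issuer_o: Optional[str] = None) -> List[str]:
    """Findings for the certificate a server presented; an empty list means healthy."""
    findings = []
    names = _dns_names(cert)
    if not any(_name_matches(n, host) for n in names):
        findings.append(f"name mismatch: {host} not covered by {names}")
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(f"expired {-left} days ago")
    elif left < warn_days:
        findings.append(f"expires in {left} days; renew now")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed certificate (default certificate still in use?)")
    issuer_o = _rdn_value(cert.get("issuer", ()), "organizationName")
    if expected_issuer_o and issuer_o != expected_issuer_o:
        findings.append(f"issuer O is {issuer_o!r}, expected {expected_issuer_o!r}")
    return findings


# Constructed sample in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "ABC"),), (("commonName", "nairobi.abc.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "ABC CA"),), (("commonName", "ABC Intermediate"),)),
    "subjectAltName": (("DNS", "nairobi.abc.com"), ("DNS", "*.abc.com")),
    "notBefore": "Jul 14 00:00:00 2020 GMT",
    "notAfter": "Jul 14 23:59:59 2021 GMT",
}

if __name__ == "__main__":
    # usage: python tls_audit.py nairobi.abc.com 9443 /path/to/ABC-chain.pem
    now = dt.datetime.now(dt.timezone.utc)
    if len(sys.argv) >= 3:
        host, port = sys.argv[1], int(sys.argv[2])
        cert, version = fetch_peer_cert(host, port, sys.argv[3] if len(sys.argv) > 3 else None)
    else:
        host, cert, version = "nairobi.abc.com", SAMPLE_CERT, "sample"
    findings = audit_cert(cert, host, now, expected_issuer_o="ABC CA")
    print(version, cert.get("notAfter"), findings or "OK")
    sys.exit(1 if findings else 0)
```

Run it against the DWC (nairobi.abc.com 9443) and the MDM agent endpoint (port 31116) after each change and from a scheduled job ahead of the renewal date; a handshake failure with CERTIFICATE_VERIFY_FAILED means the server still presents a certificate that does not chain to your CA, which is the condition the browser check in section 1.2.6 is meant to catch.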