Customizing dynamic agent certificates
Procedure to use customized certificates for the dynamic agent
About this task
To customize dynamic agent certificates, perform the following steps:
Procedure
-
On the master domain manager,
generate a self-signed certificate or issue a certificate sign request to a CA.
For example, you can generate the private key to be used for signing the custom
certificate by issuing the following command:
openssl genrsa -des3 -out tls.key 2048
-
Create the certificate sign request:
openssl req -new -key tls.key -out tls.csr -config /usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
-
Send the .csr to the CA:
openssl x509 -req -in tls.csr -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
Note: If you do not specify the -CAcreateserial parameter, the default certificate validity of 30 days applies. - Run the AgentCertificateDownloader script on the dynamic agent. The script connects to the master domain manager, downloads the certificates in .PEM format (tls.key, tls.crt, ca.crt files), and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents - AgentCertificateDownloader script.
-
On the master domain manager,
import the CA certificate in the
TWSServerTrustFile.jks:
keytool -importcert -file ca.crt -keystore TWSServerTrustFile.jks -alias ca -trustcacerts
-
On the master domain manager,
extract the public key to a certificate file from the private key of the
master domain manager keystore
(TWSServerKeyFile.jks):
keytool -exportcert -alias server -file pkserver.cer -keystore TWSServerKeyFile.jks -storetype jks
-
On the master domain manager,
edit the TWA_DATA_DIR/broker/config/BrokerWorkstation.properties file and
update the list of authorized Common Names for the dynamic domain manager (broker). Append
the Common Name used for the custom certificate to the
Broker.AuthorizedCNs
property:Broker.AuthorizedCNs=Server;ServerNew;new_CN
-
On the dynamic agent,
add the certificate extracted at step 6 into the keystore of the dynamic agent
TWSClientKeyStore.kdb and into
TWSClientKeyStoreJKS.jks:
gsk8capicmd_64 -cert -add -db TWSClientKeyStore.kdb -file pkserver.cer -label server -trust enable -stashed
-
Add the same certificate to
TWSClientKeyStoreJKS.jks:
keytool -importcert -file pkserver.cer -keystore TWSClientKeyStoreJKS.jks -alias server
Configuring custom certificates for the remote broker resource CLI
About this task
To customize dynamic agent certificates, perform the following steps:
Procedure
-
On the dynamic agent, generate a self-signed certificate or import the certificate from a
certificate authority into the agent keystore
TWSClientKeyStore.kdb.
- Import the certification authority keys also into TWSClientKeyStoreJKS.jks.
- If you have generated a self-signed certificate in TWSClientKeyStore.kdb, export it and import it into TWSClientKeyStoreJKS.jks.
- On the dynamic agent, extract to a file the certificate generated at step 1 from the dynamic agent keystore.
- On the master domain manager, add the certificate extracted at step 2 into the truststore of the master domain manager (TWSServerTrustFileTrust.jks).