Customizing master domain manager certificates

Procedure to use customized certificates for the master domain manager

About this task

The procedure explained below is one of several procedures you can perform to achieve the same results and is intended only as an example. In this procedure, it is assumed your certificates have been signed by a Certificate Authority (CA) you created for this purpose. For more information, see Creating a Certificate Authority. For more information about using an external CA or manually modifying all the keystores and key databases, see Replacing Default SSL Certificates with CA Signed Custom Certificates.

To customize the master domain manager certificates, perform the following steps:

Procedure

  1. On the master domain manager, generate a self-signed certificate or issue a certificate signing request (CSR) to a CA and import the certificate into TWSServerKeyFile.jks. For example, you can generate the private key for the custom certificate by issuing the following command:
    openssl genrsa -des3 -out tls.key 2048
  2. Create the certificate signing request:
    openssl req -new -key tls.key -out tls.csr \
      -config /usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
  3. Send the .csr to the CA, which signs it, for example with the following command:
    openssl x509 -req -in tls.csr -days 3650 \
      -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
    Note: If you do not specify the -CAcreateserial parameter, the default certificate validity of 30 days applies.
  4. After receiving back the signed certificate, you can import the custom certificate along with its private key into TWSServerKeyFile.jks, as follows:
    1. Create a single file containing both:
      cat tls.key tls.crt > tls.tot
    2. Export the resulting file to a PKCS12 keystore:
      openssl pkcs12 -export -out TWSServerKeyFile.p12 -in tls.tot -name server
    3. Import the PKCS12 keystore into TWSServerKeyFile.jks:
      keytool -importkeystore -srckeystore TWSServerKeyFile.p12 -srcstoretype pkcs12 \
        -destkeystore TWSServerKeyFile.jks -deststoretype jks -srcstorepass password \
        -deststorepass password -srcalias server -destalias server
  5. On the master domain manager, import the CA certificate into TWSServerTrustFile.jks:
    keytool -importcert -file ca.crt -keystore TWSServerTrustFile.jks \
      -alias ca -trustcacerts
  6. On the master domain manager, export the certificate (the public key) from the master domain manager keystore (TWSServerKeyFile.jks) to a certificate file:
    keytool -exportcert -alias server -file pkserver.cer \
      -keystore TWSServerKeyFile.jks -storetype jks
  7. On the master domain manager, edit the TWA_DATA_DIR/broker/config/BrokerWorkstation.properties file and update the list of authorized Common Names for the dynamic domain manager (broker). Append the Common Name used for the custom certificate to the Broker.AuthorizedCNs property:
    Broker.AuthorizedCNs=Server;ServerNew;new_CN
  8. On the dynamic agent, add the certificate extracted at step 6 into the keystore of the dynamic agent TWSClientKeyStore.kdb and into TWSClientKeyStoreJKS.jks:
    gsk8capicmd_64 -cert -add -db TWSClientKeyStore.kdb \
      -file pkserver.cer -label server -trust enable -stashed
  9. Add the same certificate to TWSClientKeyStoreJKS.jks:
    keytool -importcert -file pkserver.cer -keystore TWSClientKeyStoreJKS.jks \
      -alias server
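The Common Name is fixed when the CSR is created in step 2 (at the openssl req prompt or with -subj), and step 7 authorizes exactly that name, so the two must match. The following Python script is an added example, not part of the product documentation and not a product tool: it extracts the CN from the output of `openssl x509 -noout -subject -in tls.crt` (either the current "C = US, CN = x" form or the legacy slash-separated form), checks it against BrokerWorkstation.properties, and appends it to Broker.AuthorizedCNs without duplicating an entry that is already listed. The properties text and subject line in the script are constructed samples.

```python
"""Added example: verify and update Broker.AuthorizedCNs for a custom certificate.

Assumptions (not from the documentation): the subject line is the text printed
by `openssl x509 -noout -subject -in tls.crt`, and BrokerWorkstation.properties
is a plain key=value file.
"""
import re

PROPERTY = "Broker.AuthorizedCNs"


def subject_cn(subject_line: str) -> str:
    """Extract the CN attribute from an OpenSSL subject line.

    Handles 'subject=C = US, O = Example, CN = new_CN' and the legacy
    'subject= /C=US/O=Example/CN=new_CN' one-line format.
    """
    text = subject_line.split("=", 1)[1] if subject_line.startswith("subject") else subject_line
    # Both formats reduce to attribute=value pairs separated by ',' or '/'.
    for part in re.split(r"[,/]", text):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("no CN in subject: %r" % subject_line)


def authorized_cns(properties_text: str) -> list:
    """Return the CNs listed in Broker.AuthorizedCNs (empty list if absent)."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return [cn.strip() for cn in value.split(";") if cn.strip()]
    return []


def add_authorized_cn(properties_text: str, cn: str) -> str:
    """Append cn to Broker.AuthorizedCNs, keeping existing entries and other lines.

    Idempotent: a CN that is already listed is not duplicated. If the property
    is missing entirely, it is appended at the end of the file.
    """
    if ";" in cn or "=" in cn:
        raise ValueError("CN cannot contain ';' or '=': %r" % cn)
    lines = properties_text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            existing = [c.strip() for c in value.split(";") if c.strip()]
            if cn not in existing:
                existing.append(cn)
            lines[i] = "%s=%s" % (PROPERTY, ";".join(existing))
            break
    else:
        lines.append("%s=%s" % (PROPERTY, cn))
    return "\n".join(lines) + "\n"


def cn_is_authorized(subject_line: str, properties_text: str) -> bool:
    """True when the certificate CN appears in Broker.AuthorizedCNs."""
    return subject_cn(subject_line) in authorized_cns(properties_text)


# Constructed sample data; the CN matches the page's example value new_CN.
SAMPLE_PROPERTIES = "# constructed sample BrokerWorkstation.properties\nBroker.AuthorizedCNs=Server;ServerNew\n"
SAMPLE_SUBJECT = "subject=C = US, O = Example Corp, CN = new_CN"

if __name__ == "__main__":
    print("authorized before update:", cn_is_authorized(SAMPLE_SUBJECT, SAMPLE_PROPERTIES))
    updated = add_authorized_cn(SAMPLE_PROPERTIES, subject_cn(SAMPLE_SUBJECT))
    print(updated, end="")
    print("authorized after update:", cn_is_authorized(SAMPLE_SUBJECT, updated))
```

To use it against a real installation, read TWA_DATA_DIR/broker/config/BrokerWorkstation.properties into a string, pass the subject line printed by openssl, and write the returned text back; running the check before restarting the broker catches a CN typed differently at the CSR prompt than in the property.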

Using JWT and .jks certificates on the master domain manager

About this task

You can use .jks certificates to ensure communication is encrypted and JWT (JSON Web Token) to avoid sending the certificate at each exchange between server and agent. To use both methods, perform the following steps:

Procedure

  1. Browse to the ssl_variables.xml file, located in:
    On Windows operating systems
    installation_directory\usr\servers\engineServer\configDropins\overrides\
    On UNIX operating systems
    TWA_DATA_DIR/usr/servers/engineServer/configDropins/overrides
  2. Edit the file with a plain-text editor and add the following line:
    <variable name="mp.jwt.trust.key" value="key_alias_name"/>
    where
    key_alias_name
    is the key alias name of the .jks certificate.
    The change is immediately effective.
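Because the file is re-read as soon as it is saved, a duplicated or mistyped variable takes effect immediately. The following Python function is an added example, not part of the product documentation: it inserts the mp.jwt.trust.key variable into an override file, or updates its value if the variable is already present, so the file is never left with two conflicting definitions. It assumes (not stated on the page) that ssl_variables.xml is a Liberty configuration fragment whose root element is <server>; the sample XML is constructed, and the alias value "server" is the -destalias used when the custom certificate was imported into TWSServerKeyFile.jks above.

```python
"""Added example: set mp.jwt.trust.key in a Liberty configDropins override file.

Assumption (not from the documentation): the override file's root element is
<server> and <variable> elements are its direct children.
"""
import xml.etree.ElementTree as ET

VARIABLE_NAME = "mp.jwt.trust.key"


def set_jwt_trust_key(xml_text: str, key_alias_name: str) -> str:
    """Return xml_text with <variable name="mp.jwt.trust.key" value=.../> set.

    An existing mp.jwt.trust.key element is updated in place rather than
    duplicated; other variables and elements are left untouched.
    """
    root = ET.fromstring(xml_text)
    for var in root.findall("variable"):
        if var.get("name") == VARIABLE_NAME:
            var.set("value", key_alias_name)
            break
    else:
        ET.SubElement(root, "variable", name=VARIABLE_NAME, value=key_alias_name)
    return ET.tostring(root, encoding="unicode")


def jwt_trust_key(xml_text: str):
    """Return the configured key alias, or None when the variable is absent."""
    root = ET.fromstring(xml_text)
    for var in root.findall("variable"):
        if var.get("name") == VARIABLE_NAME:
            return var.get("value")
    return None


# Constructed sample override file with one unrelated, made-up variable.
SAMPLE_XML = '<server>\n  <variable name="example.unrelated" value="keep-me"/>\n</server>'

if __name__ == "__main__":
    # "server" is the key alias given to the custom certificate in TWSServerKeyFile.jks.
    print(set_jwt_trust_key(SAMPLE_XML, "server"))
```

Read the file from the path given for your platform, pass its contents to set_jwt_trust_key with the alias used in TWSServerKeyFile.jks, and write the result back; ElementTree normalizes whitespace but preserves every element and attribute.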