Enabling API Key authentication after upgrading
Enabling API Key authentication after upgrading from v 10.1.0.x or v 9.5.x to 10.1 FP x.
About this task
In previous versions of the product, in both fresh and upgrade installations, it was not necessary to add the server public certificate to its truststore. With the new API Key feature, which is implemented in version 10.1 Fix Pack 1 and later, the generated JWT is signed with the server private key. After an upgrade, when the server receives the JWT to authenticate a user, the public key associated with the private key used for signing is not present in the truststore and cannot be used. As a result, the authentication of that user is blocked.
To solve the problem, in fresh installations the server public key is automatically added to its truststore.
When you are upgrading from v 10.1.0.x or v 9.5.x to 10.1 FP x, perform the following steps, depending on the type of certificates you are using:
- .PEM certificates
  - Run the following commands on the master domain manager:
    - keytool -exportcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.jks -storepass password -storetype jks -file /tmp/tls.crt -alias server -noprompt
    - keytool -importcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerTrustFile.jks -storepass password -storetype jks -file /tmp/tls.crt -alias mpjwtkey -noprompt
  - Edit the value of the mp.jwt.trust.key variable from twstrustkey to mpjwtkey in the jwt_variables.xml file located inside the WebSphere Application Server Liberty Base overrides folder. For more information about templates, see Configuring HCL Workload Automation using templates.
- .JKS certificates
  - Run the following commands on the master domain manager:
    - keytool -exportcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.jks -storepass password -storetype jks -file /tmp/tls.crt -alias <alias_cert> -noprompt
    - keytool -importcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerTrustFile.jks -storepass password -storetype jks -file /tmp/tls.crt -alias mpjwtkey -noprompt
    - alias_cert is the alias of the user public certificate.
    - keytool -list -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.jks -storepass password -storetype jks
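
The following check is an added example, not part of the HCL documentation: it confirms that the certificate stored as mpjwtkey in the truststore is the same one held under the signing alias in the keystore, which is the condition the steps above are meant to establish. The function names and the STOREPASS and JWT_VARS environment variables are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not HCL code: checks the outcome of the upgrade steps above.
# Assumed: keytool on PATH; WA_DATADIR set; the store password exported as
# STOREPASS (read with -storepass:env, so it stays off the command line);
# optionally JWT_VARS holding the path to jwt_variables.xml.
SEC_DIR="${WA_DATADIR:-}/usr/servers/engineServer/resources/security"

# Print the fingerprint from `keytool -list -alias <alias>` output on stdin.
# The digest label differs between JDK releases (SHA1 or SHA-256).
fingerprint_of() {
    sed -n 's/^Certificate fingerprint ([^)]*): *//p' | head -n 1
}

# Succeed only if both listings carry the same, non-empty fingerprint.
same_cert() {
    key_fp=$(printf '%s\n' "$1" | fingerprint_of)
    trust_fp=$(printf '%s\n' "$2" | fingerprint_of)
    [ -n "$key_fp" ] && [ "$key_fp" = "$trust_fp" ]
}

# Succeed if the XML on stdin sets mp.jwt.trust.key to mpjwtkey.
# Assumes the variable name and its value sit on the same line.
trust_key_updated() {
    grep 'mp\.jwt\.trust\.key' | grep -q 'mpjwtkey'
}

list_entry() {   # $1 = store file name, $2 = alias
    keytool -list -keystore "$SEC_DIR/$1" -storepass:env STOREPASS \
        -storetype jks -alias "$2" 2>/dev/null
}

verify_upgrade() {   # $1 = signing alias: server, or your <alias_cert>
    key_out=$(list_entry TWSServerKeyFile.jks "$1") || true
    trust_out=$(list_entry TWSServerTrustFile.jks mpjwtkey) || true
    same_cert "$key_out" "$trust_out" || {
        echo "FAIL: mpjwtkey does not match alias '$1' in the keystore" >&2
        return 1
    }
    if [ -n "${JWT_VARS:-}" ] && ! trust_key_updated < "$JWT_VARS"; then
        echo "FAIL: mp.jwt.trust.key is not mpjwtkey in $JWT_VARS" >&2
        return 1
    fi
    echo "OK: the truststore holds the signing certificate as mpjwtkey"
}

if [ -n "${WA_DATADIR:-}" ] && [ -n "${STOREPASS:-}" ]; then
    verify_upgrade "${1:-server}"
fi
```

Run it on the master domain manager with the signing alias as the first argument (server by default). A missing mpjwtkey entry is reported as a mismatch because keytool prints no fingerprint for it.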