Enabling API Key authentication after upgrading

Enabling API Key authentication after upgrading from v 10.1.0.x or v 9.5.x to 10.1 FP x.

About this task

In previous versions of the product, in both fresh and upgrade installations, it was not necessary to add the server public certificate to the server truststore. With the API Key feature, implemented in version 10.1 Fix Pack 1 and later, the generated JWT is signed with the server private key. When the server receives the JWT to authenticate a user, the public key that matches the signing private key is not present in the truststore and cannot be used to verify the signature. As a result, the authentication of that user is blocked.

To solve the problem, in fresh installations the server public key is automatically added to the server truststore.

When you are upgrading from v 10.1.0.x or v 9.5.x to 10.1 FP x, perform the following steps, depending on the type of certificates you are using:

.PEM certificates

Run the following commands on the master domain manager:

  1. keytool -exportcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.jks \
       -storepass password -storetype jks -file /tmp/tls.crt -alias server -noprompt
  2. keytool -importcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerTrustFile.jks \
       -storepass password -storetype jks -file /tmp/tls.crt -alias mpjwtkey -noprompt
  3. Edit the value of the mp.jwt.trust.key variable from twstrustkey to mpjwtkey in the jwt_variables.xml file located in the WebSphere Application Server Liberty Base overrides folder. For more information about templates, see Configuring HCL Workload Automation using templates.

.JKS certificates

Run the following commands on the master domain manager:

  1. keytool -exportcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.jks \
       -storepass password -storetype jks -file /tmp/tls.crt -alias <alias_cert> -noprompt
  2. keytool -importcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerTrustFile.jks \
       -storepass password -storetype jks -file /tmp/tls.crt -alias mpjwtkey -noprompt

Where:

alias_cert
    is the alias of the user public certificate.

If you do not remember the alias of the public certificate, run the following command to list the certificates in the keystore:

  keytool -list -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.jks \
    -storepass password -storetype jks
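The check a practitioner wants after the .PEM or .JKS steps above, before switching mp.jwt.trust.key: confirm that the mpjwtkey entry in TWSServerTrustFile.jks carries the same fingerprint as the signing certificate in TWSServerKeyFile.jks, so that JWTs the server issues are verifiable against the trust entry you just imported. This is an added POSIX shell example, not an HCL script; it assumes keytool is on the PATH, the store password is `password` as in the steps above, WA_DATADIR is set, and jwt_variables.xml holds the setting as a Liberty `<variable name="mp.jwt.trust.key" value="..."/>` element.

```shell
#!/bin/sh
# Added example, not part of the HCL documentation: verify the result of the
# keytool export/import steps and then switch mp.jwt.trust.key to mpjwtkey.
# Assumptions: keytool on PATH, store password "password" (override with STOREPASS),
# WA_DATADIR set (placeholder below if not), jwt_variables.xml uses a Liberty
# <variable name="mp.jwt.trust.key" value="..."/> element.

SEC_DIR="${WA_DATADIR:-/PLACEHOLDER/WA_DATADIR}/usr/servers/engineServer/resources/security"
KEYSTORE="$SEC_DIR/TWSServerKeyFile.jks"
TRUSTSTORE="$SEC_DIR/TWSServerTrustFile.jks"
STOREPASS="${STOREPASS:-password}"

# Read "keytool -list" output on stdin; succeed if an entry named $1 is present.
# keytool prints one entry per line as "<alias>, <date>, <entry type>,".
has_alias() {
  grep -qi "^$1, "
}

# SHA-256 fingerprint of alias $2 in JKS store $1 (empty string if the alias is absent).
fingerprint() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -storetype jks -alias "$2" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Rewrite mp.jwt.trust.key in file $1 from alias $2 to alias $3.
# Leaves the file untouched and fails unless exactly one such setting is present.
switch_trust_key() {
  n=$(grep -c "name=\"mp.jwt.trust.key\" value=\"$2\"" "$1" || true)
  [ "$n" -eq 1 ] || return 1
  sed -i "s/\(name=\"mp.jwt.trust.key\" value=\"\)$2\"/\1$3\"/" "$1"
}

# Confirm that the mpjwtkey entry in the truststore is exactly the certificate whose
# private key (keystore alias $1: "server" for .PEM, <alias_cert> for .JKS) signs JWTs.
verify_mpjwt_trust() {
  key_fp=$(fingerprint "$KEYSTORE" "$1")
  trust_fp=$(fingerprint "$TRUSTSTORE" mpjwtkey)
  [ -n "$key_fp" ] || { echo "alias $1 not found in $KEYSTORE" >&2; return 1; }
  [ "$key_fp" = "$trust_fp" ] || { echo "mpjwtkey missing or fingerprint differs" >&2; return 1; }
  echo "mpjwtkey in truststore matches keystore alias $1 ($key_fp)"
}

# Usage: sh check_mpjwt.sh run <keystore_alias> <path/to/jwt_variables.xml>
case "${1:-}" in
  run) verify_mpjwt_trust "$2" && switch_trust_key "$3" twstrustkey mpjwtkey ;;
esac
```

Run it with `run server /path/to/overrides/jwt_variables.xml` for a .PEM setup (or your `<alias_cert>` for .JKS); the variable is only rewritten when the fingerprint check passes.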