Customizing master domain manager and Dynamic Workload Console certificates

Supported scenarios for creating custom certificates for communication between master domain managerand Dynamic Workload Console

About this task

The procedure explained below is one of several procedures you can perform to achieve the same results and is intended only as an example. In this procedure, it is assumed your certificates have been signed by a Certificate Authority (CA) you created for this purpose. For more information, see Creating a Certificate Authority. For more information about using an external CA or manually modifying all the keystores and key databases, see Replacing Default SSL Certificates with CA Signed Custom Certificates.

To customize the certificates for communication between master domain manager and Dynamic Workload Console, perform the following steps:

Procedure

  1. On the master domain manager, generate a self-signed certificate or issue a certificate sign request to a CA and import the certificate into TWSServerKeyFile.jks. For example, you can generate the private key to be used for signing the custom certificate by issuing the following command:
    openssl genrsa -des3 -out tls.key 2048
  2. Create the certificate sign request:
    openssl req -new -key tls.key -out tls.csr -config
    /usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
  3. After receiving back the signed certificate, you can import the custom certificate along with its private key into TWSServerKeyFile.jks, as follows:
    1. Create a single file containing both:
      cat tls.key tls.crt > tls.tot
    2. Export the resulting file to a PKCS12 keystore:
      openssl pkcs12 -export -out TWSServerKeyFile.p12 -in tls.tot -name server
    3. Import the PKCS12 keystore into TWSServerKeyFile.jks:
      keytool -importkeystore -srckeystore TWSServerKeyFile.p12 -srcstoretype pkcs12
      -destkeystore TWSServerKeyFile.jks -deststoretype jks -srcstorepass password
      -deststorepass password -srcalias server -destalias server
  4. On the master domain manager, import the CA certificate in the TWSServerTrustFile.jks:
    keytool -importcert -file ca.crt -keystore TWSServerTrustFile.jks
    -alias ca -trustcacerts
  5. Copy the TWSServerKeyFile.jks and TWSServerTrustFile.jks files from the master domain manager to the Dynamic Workload Console, overwriting the existing files.