Extract certificates from an existing keystore on a master domain manager

About this task

If you need to extract the certificates from a keystore on a master domain manager to provide them to the backup master domain manager or Dynamic Workload Console, you can use Certman to extract the required certificates.

Extract certificates from version 10.2.3 or later

About this task

You can extract certificates from an existing keystore on a master domain manager V10.2.3 or later by completing the following steps:

Procedure

  1. Browse to TWS_INST_DIR/TWS/bin, where TWS_INST_DIR is the HCL Workload Automation installation directory.
  2. Extract the certificates by running the following command:
    certman extract -outpath <output path> [-storepasswd <pw>] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]

    Where:

    outpath
    Specify the folder where to store the certificates.
    storepasswd
    Optionally, specify the password of the keystore on the master domain manager.
    Note: For version 9.4.x, this parameter is required.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the TWS_user that must be set as group of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and enough space is available.
    cachain-splitted
    Optionally, specify that the CA chain is to be split into multiple files. By default, it is false.

Results

The following output files are the certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the intermediate CA certificate and ends with the root CA.
    Note: If you enabled the cachain-splitted parameter, ca.crt contains only the root CA. The intermediate CA certificates are stored in the additionalCAs subfolder.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
  • additionalCAs
    The subfolder where any intermediate CA certificate extracted from the truststore is stored.

Extract certificates from a previous product version level

About this task

You can extract certificates from a previous product version level by completing the following steps:

Procedure

  1. From Flexnet or from HCL Software, download the 10.2.3 installation package: HWA_10.2.3_<component>_<operating_system>.zip
  2. Extract the content, browse to the path <IMAGE_DIR>/TWS/<OPERATING_SYSTEM>_<ARCHITECTURE>/Tivoli_LWA_<operating_system>/TWS/bin/ , and copy the following files:
    • certman
    • certman.extract.json
    • certman.generate.json
    • certman.import.json
    • certman.verify.json
    • certman.version.json
  3. Paste the Certman files into the following path: TWS_INST_DIR/TWS/bin, where TWS_INST_DIR is the HCL Workload Automation installation directory.
    Note: For UNIX systems, ensure that all the files have the ownership of the user who installed the master domain manager and the correct permissions (775 for certman and 644 for the json files).
  4. Extract the certificates by running the following command:
    certman extract -outpath <output path> [-storepasswd <pw>] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]

    Where:

    outpath
    Specify the folder where to store the certificates.
    storepasswd
    Optionally, specify the password of the keystore on the master domain manager.
    Note: For version 9.4.x, this parameter is required.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the TWS_user that must be set as group of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and enough space is available.
    cachain-splitted
    Optionally, specify that the CA chain is to be split into multiple files. By default, it is false.

Results

The following output files are the certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the intermediate CA certificate and ends with the root CA.
    Note: If you enabled the cachain-splitted parameter, ca.crt contains only the root CA. The intermediate CA certificates are stored in the additionalCAs subfolder.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
  • additionalCAs
    The subfolder where any intermediate CA certificate extracted from the truststore is stored.
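
Because tls.sth holds the password only Base64-encoded (an encoding, not encryption), the output folder is worth checking before its files are handed to the backup master domain manager or Dynamic Workload Console. The following script is an added example, not part of the HCL documentation or of Certman; the function name audit_certman_output and the finding labels are assumptions, while the file names are those listed in the Results sections above.

```shell
#!/bin/sh
# Added example: audit a "certman extract" output folder before copying it.
# Assumption: the folder contains the files named in the Results list
# (ca.crt, tls.crt, tls.key, tls.sth). Prints one finding per line;
# no output means no findings.

audit_certman_output() {
    dir=$1

    # 1. Every expected output file must be present.
    for f in ca.crt tls.crt tls.key tls.sth; do
        [ -f "$dir/$f" ] || echo "MISSING $f"
    done

    # 2. tls.key and tls.sth are secrets. The stash file is only
    #    Base64-encoded, so anyone who can read it can recover the
    #    password. Flag any group/other permission bit.
    for f in tls.key tls.sth; do
        [ -f "$dir/$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$dir/$f" | cut -c5-10)
        [ "$perms" = "------" ] || echo "EXPOSED $f ($perms)"
    done

    # 3. ca.crt must hold at least one PEM certificate (only the root CA
    #    when -cachain-splitted was used, the chain otherwise).
    if [ -f "$dir/ca.crt" ]; then
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$dir/ca.crt" || true)
        [ "$n" -ge 1 ] || echo "EMPTY ca.crt has no PEM certificate"
    fi
    return 0
}

# Stand-alone use: sh audit.sh <output path>
if [ "$#" -eq 1 ]; then
    audit_certman_output "$1"
fi
```

An EXPOSED finding can be cleared with chmod 600 on the file, or by extracting with -wauser and -wagroup so that the files belong to the intended owner from the start.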