Extract certificates from the keystore and truststore

About this task

You can use Certman to extract certificates from the keystore and truststore on a master domain manager, an agent, or the Dynamic Workload Console to provide them to the backup master domain manager or Dynamic Workload Console.

Extract certificates from version 10.2.3 or later

About this task

You can extract certificates from the keystore and truststore on a master domain manager, an agent, or the Dynamic Workload Console V10.2.3 or later by completing the following steps:

Procedure

  1. Browse to one of the following installation bin paths, according to the component from which you want to extract the certificate:
    Master domain manager
    <MDM_INST_PATH>/TWS/bin/certman, where <MDM_INST_PATH> is the master domain manager installation directory.
    Dynamic Workload Console
    <DWC_INST_PATH>/bin/certman, where <DWC_INST_PATH> is the Dynamic Workload Console installation directory.
    Agent
    <AGENT_INST_PATH>/TWS/bin/certman, where <AGENT_INST_PATH> is the agent installation directory.
  2. Extract the certificates by running the following command:
    certman extract -outpath <output path> [-storepasswd <pw>] [-agentscope] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]

    Where:

    outpath
    Specify the folder where to store the certificates.
    storepasswd
    Optionally, specify the password of the keystore on the master domain manager.
    Note: For version 9.4.x, this parameter is required.
    agentscope
    Optionally, specify that the action performed by the command applies to the keystore of an agent.
    Note: To target the keystore of a master domain manager, omit the agentscope option and run the command separately.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the TWS_user that must be set as group of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and enough space is available.
    cachain-splitted
    Optionally, specify that the CA chain is to be split into multiple files. By default, it is false.

Results

The following output files are the certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the intermediate CA certificates and ends with the root CA.
    Note: If you enabled the cachain-splitted parameter, ca.crt contains only the root CA. The intermediate CA certificates are stored in the additionalCAs subfolder.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
  • additionalCAs
    The subfolder where any intermediate CA certificate extracted from the truststore is stored.

Extract certificates from a previous product version level

About this task

You can extract certificates from a previous product version level by completing the following steps:

Procedure

  1. From HCL Software, download the 10.2.5 installation package: HWA_10.2.4_<component>_<operating_system>.zip
  2. Extract the content, browse to the path <IMAGE_DIR>/TWS/<OPERATING_SYSTEM>_<ARCHITECTURE>/Tivoli_LWA_<operating_system>/TWS/bin/, and copy the following files:
    • certman
    • certman.extract.json
    • certman.generate.json
    • certman.import.json
    • certman.verify.json
    • certman.version.json
  3. Paste the Certman files into the following path: TWS_INST_DIR/TWS/bin, where TWS_INST_DIR is the HCL Workload Automation installation directory.
    Note: For UNIX systems, ensure that all the files have the ownership of the user who installed the master domain manager and the correct permissions (775 for certman and 644 for the json files).
  4. Extract the certificates by running the following command:
    certman extract -outpath <output path> [-storepasswd <pw>] [-agentscope] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]

    Where:

    outpath
    Specify the folder where to store the certificates.
    storepasswd
    Optionally, specify the password of the keystore on the master domain manager.
    Note: For version 9.4.x, this parameter is required.
    agentscope
    Optionally, specify that the action performed by the command applies to the keystore of an agent.
    Note: To target the keystore of a master domain manager, omit the agentscope option and run the command separately.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the TWS_user that must be set as group of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and enough space is available.
    cachain-splitted
    Optionally, specify that the CA chain is to be split into multiple files. By default, it is false.

Results

The following output files are the certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the intermediate CA certificates and ends with the root CA.
    Note: If you enabled the cachain-splitted parameter, ca.crt contains only the root CA. The intermediate CA certificates are stored in the additionalCAs subfolder.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
  • additionalCAs
    The subfolder where any intermediate CA certificate extracted from the truststore is stored.
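The following script is an added example, not part of the product or of this documentation; it sanity-checks the output folder produced by either of the certman extract procedures above (10.2.3 or later, and the earlier version level) before the files are handed to the backup master domain manager. It assumes the file names listed under Results, that ca.crt is a PEM bundle, and that tls.sth holds the password in Base64; the sample folder it builds contains constructed placeholder PEM bodies, not real certificates.

```python
# Added example: check a certman "extract" output folder (constructed sample data).
import base64
import os
import re
import stat
import tempfile

# File names as listed under Results on this page.
EXPECTED_FILES = ("ca.crt", "tls.crt", "tls.key", "tls.sth")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return each certificate of a PEM bundle as its own string, in file order
    (the on-disk effect of -cachain-splitted, done in memory)."""
    return PEM_BLOCK.findall(text)


def decode_stash(raw):
    """Decode the Base64 stash file (tls.sth) back to the keystore password."""
    return base64.b64decode(raw.strip()).decode()


def check_output_dir(path):
    """Report missing files, how many certificates ca.crt carries, and whether
    tls.key is readable only by its owner (group/other bits clear)."""
    missing = [f for f in EXPECTED_FILES if not os.path.isfile(os.path.join(path, f))]
    report = {"missing": missing, "ca_chain_len": 0, "key_private": False}
    if "ca.crt" not in missing:
        with open(os.path.join(path, "ca.crt")) as fh:
            report["ca_chain_len"] = len(split_pem_bundle(fh.read()))
    if "tls.key" not in missing:
        mode = stat.S_IMODE(os.stat(os.path.join(path, "tls.key")).st_mode)
        report["key_private"] = not mode & (stat.S_IRWXG | stat.S_IRWXO)
    return report


def make_sample_output():
    """Build a constructed output folder with placeholder PEM bodies (not real certs)."""
    d = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    files = {"ca.crt": cert * 2,  # intermediate + root, as ca.crt is described
             "tls.crt": cert,
             "tls.key": "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
             "tls.sth": base64.b64encode(b"changeit").decode()}  # constructed password
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(d, "tls.key"), 0o600)
    return d
```

Run check_output_dir on the folder given to -outpath; a non-empty "missing" list or key_private False means the extraction or the wauser/wagroup ownership step needs another look before the files are copied to the backup system.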