Extract certificates from the keystore and truststore

About this task

You can use Certman to extract certificates from the keystore and truststore on a master domain manager, an agent, or the Dynamic Workload Console to provide them to the backup master domain manager or Dynamic Workload Console. Ensure that all certificates use a minimum key length of 2048 bits.

Extract certificates from version 10.2.3 or later

About this task

You can extract certificates from the keystore and truststore on a master domain manager, an agent, or the Dynamic Workload Console V10.2.3 or later by completing the following steps:

Procedure

  1. Browse to one of the following installation bin paths, according to the component from which you want to extract the certificate:
    Master domain manager
    <MDM_INST_PATH>/TWS/bin/certman, where <MDM_INST_PATH> is the master domain manager installation directory.
    Dynamic Workload Console
    <DWC_INST_PATH>/bin/certman, where <DWC_INST_PATH> is the Dynamic Workload Console installation directory.
    Agent
    <AGENT_INST_PATH>/TWS/bin/certman, where <AGENT_INST_PATH> is the agent installation directory.
  2. Extract the certificates by running the following command:
    certman extract -outpath <output path> [-storepasswd <pw>] [-agentscope] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]

    Where:

    outpath
    Specify the folder where to store the certificates.
    storepasswd
    Optionally, specify the password of the keystore on the master domain manager.
    Note: For version 9.4.x, this parameter is required.
    Note: If the password contains wildcards or other characters that the shell interprets, enclose the password in single quotes. For example:
    -storepasswd 'passw!rd'
    agentscope
    Optionally, add the parameter to the command to extract certificates from the keystore of the agent on which you are launching Certman.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the group that must be set as group owner of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and enough space is available.
    cachain-splitted
    Optionally, specify that the CA chain is to be split into multiple files. By default, it is false.

Results

The following output files are the certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the intermediate CA certificates and ends with the root CA certificate.
    Note: If you enabled the cachain-splitted parameter, ca.crt contains only the root CA certificate. The intermediate CA certificates are stored in the additionalCAs subfolder.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
  • additionalCAs
    The subfolder where any intermediate CA certificate extracted from the truststore is stored.

Extract certificates from a previous product version level

About this task

You can extract certificates from a previous product version level by completing the following steps:

Procedure

  1. From HCLSoftware, download the 10.2.6 installation package: HWA_<version>_<component>_<operating_system>.zip
  2. Extract the content, browse to the path <IMAGE_DIR>/TWS/<OPERATING_SYSTEM>_<ARCHITECTURE>/Tivoli_LWA_<operating_system>/TWS/bin/, and copy the following files:
    • certman
    • certman.extract.json
    • certman.generate.json
    • certman.import.json
    • certman.verify.json
    • certman.version.json
  3. Paste the Certman files into the following path: TWS_INST_DIR/TWS/bin, where TWS_INST_DIR is the HCL Workload Automation installation directory.
    Note: For UNIX systems, ensure that all the files have the ownership of the user who installed the master domain manager and the correct permissions (775 for certman and 644 for the json files).
  4. Extract the certificates by running the following command:
    certman extract -outpath <output path> [-storepasswd <pw>] [-agentscope] [-wauser <user>] [-wagroup <group>] [-workdir <working directory>] [-cachain-splitted]

    Where:

    outpath
    Specify the folder where to store the certificates.
    storepasswd
    Optionally, specify the password of the keystore on the master domain manager.
    Note: For version 9.4.x, this parameter is required.
    Note: If the password contains wildcards or other characters that the shell interprets, enclose the password in single quotes. For example:
    -storepasswd 'passw!rd'
    agentscope
    Optionally, add the parameter to the command to extract certificates from the keystore of the agent on which you are launching Certman.
    wauser
    Optionally, specify the TWS_user that must be set as owner of the output files.
    wagroup
    Optionally, specify the group that must be set as group owner of the output files.
    Note: To specify an owner and group in wauser and wagroup parameters, the user who launches Certman must have the permissions to change the owner and group on output files.
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and enough space is available.
    cachain-splitted
    Optionally, specify that the CA chain is to be split into multiple files. By default, it is false.

Results

The following output files are the certificates you can find in the specified output folder:
  • ca.crt
    The file that contains the intermediate CA certificates and ends with the root CA certificate.
    Note: If you enabled the cachain-splitted parameter, ca.crt contains only the root CA certificate. The intermediate CA certificates are stored in the additionalCAs subfolder.
  • tls.crt
    The certificate signed and validated by the CA.
  • tls.key
    The private key of the tls certificate.
  • tls.sth
    The stash file of the tls certificate that contains the password encoded in Base64 format.
  • additionalCAs
    The subfolder where any intermediate CA certificate extracted from the truststore is stored.