Create SSL keystore file (DCAS only)

In order to communicate with a DCAS server, an SSL connection must be established using client authentication. This requires you to specify a keystore file. The supported keystore file types are PKCS12, JKS, or JCEKS (PKCS12 is not supported on Solaris). To create a keystore file to specify in the CMPI_DCAS_TRUSTSTORE parameter, use the Certificate Management tool (also known as the IBM® Key Management tool). This keystore file must contain the ZIETrans DCAS client's certificate and the DCAS server's certificate (public key) information.

Important notice: From version 10 onwards, the IBM Key Management utility is no longer supported by IBM SDP. Developers should use either the standard Java keytool (SDP_Installation_location\jdk\bin\keytool.exe) or the certificate management features provided by the target application server (e.g., WebSphere, Tomcat) for general key and certificate tasks.

Detailed documentation on IBM and OpenJDK Keytool:

https://www.ibm.com/docs/en/sdk-java-technology/8?topic=commands-creating-adding-data-keystore

https://cr.openjdk.org/~jjg/8261930/docs/specs/man/keytool.html

Note:
  1. If you set the CMPI_DCAS_USE_DEFAULT_TRUSTSTORE parameter to true, the JSSE default keystore file is used instead of the keystore file specified by the CMPI_DCAS_TRUSTSTORE parameter, and must contain the ZIETrans DCAS client's certificate and the DCAS server's certificate (public key) information.
  2. The ZIETrans DCAS client's certificate must also be added/imported to the DCAS server's keystore file for SSL client authentication.

Below is an example of how to create a new keystore file named ZietransWelkeys.jks that will be specified in the CMPI_DCAS_TRUSTSTORE parameter.

  1. Create a new JKS keystore with a password:
     keytool -genkeypair -alias <DummyAliasName> -keyalg RSA -dname "CN=dummy" -validity 1 -storepass <YourStrongPassword> -keystore ZietransWelkeys.jks -storetype JKS
     Note: Replace the key algorithm (-keyalg) details as per your organization's requirements.
  2. Add the DCAS server certificate as a trusted signer certificate:
     keytool -importcert -trustcacerts -noprompt -alias dcas-server-ca -file <dcas_server_cert.der> -keystore ZietransWelkeys.jks -storetype JKS -storepass <YourStrongPassword>
  3. Import your DCAS client personal certificate and private key from an existing .p12 file. The -destkeystore value is the keystore that will be specified in the CMPI_DCAS_TRUSTSTORE parameter (ZietransWelkeys.jks in this example), because that file must hold both the client and the server certificate:
     keytool -importkeystore -srckeystore <client_certificate.p12> -srcstoretype PKCS12 -srcstorepass <P12password> -destkeystore <DCAS_Client_Keystore.jks> -deststoretype JKS -deststorepass <YourStrongPassword> -destkeypass <YourStrongPassword>
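
One way to confirm that the finished keystore holds both required entries is to check the output of keytool -list. The script below is an added example, not part of the product documentation. The function name check_dcas_keystore, the aliases dummykey and dcas-client, and the sample listings are constructed for illustration, and it assumes entry lines of the form "<alias>, <date>, <entryType>,". It ignores the placeholder key pair created by -genkeypair, so a keystore where the .p12 import was skipped or written to a different file is reported as incomplete.

```shell
#!/bin/sh
# Added example. Reads `keytool -list` output on stdin and checks for the two
# entries the DCAS keystore needs:
#   $1 = alias of the DCAS server certificate (trustedCertEntry)
#   $2 = alias of the placeholder key pair from -genkeypair, which must not
#        be mistaken for the imported client key
# Assumes entry lines of the form "<alias>, <date>, <entryType>,".
check_dcas_keystore() {
    awk -v server="$1" -v dummy="$2" '
        /, (PrivateKeyEntry|trustedCertEntry),?[ \t\r]*$/ {
            alias = $0
            sub(/, .*/, "", alias)      # alias is the text before the first ", "
            if ($0 ~ /, trustedCertEntry/ && alias == server) have_server = 1
            if ($0 ~ /, PrivateKeyEntry/ && alias != dummy) have_client = 1
        }
        END {
            if (!have_server) print "missing trusted certificate: " server
            if (!have_client) print "no client PrivateKeyEntry besides " dummy
            exit !(have_server && have_client)
        }'
}

# Constructed sample listings (aliases dummykey and dcas-client are made up).
# The .p12 import was skipped or written to a different keystore file:
sample_incomplete='Keystore type: JKS
dcas-server-ca, Jan 5, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <fingerprint>
dummykey, Jan 5, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <fingerprint>'
# The client key and certificate were imported:
sample_complete="$sample_incomplete
dcas-client, Jan 5, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <fingerprint>"

for s in "$sample_incomplete" "$sample_complete"; do
    printf '%s\n' "$s" | check_dcas_keystore dcas-server-ca dummykey \
        && echo "keystore has both required entries"
done
# Against a real keystore:
#   keytool -list -keystore ZietransWelkeys.jks -storetype JKS \
#     -storepass <YourStrongPassword> | check_dcas_keystore dcas-server-ca <DummyAliasName>
```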

Alternatively, generate the key pair and create a Certificate Signing Request (CSR), then import the signed certificate and the CA chain into the DCAS client keystore. More information: https://www.ibm.com/docs/en/sdk-java-technology/8?topic=examples-generating-your-key-pair