Creating a self-signed certificate

To generate the certificate for a broker you can use the IBM Key Management tool. This tool is provided with the BigFix® Remote Control application and with IBM WebSphere Application Server.

About this task

You can access the IBM Key Management tool if you have the BigFix® Remote Control server installed with embedded components, and also if you have the controller component installed. It is also provided by IBM WebSphere Application Server.
Note: If you are using WAS, make sure that the 7.0.0-WS-WASSDK-*-FP0000021 update or later has been applied, where * is the platform. For example, 7.0.0-WS-WASSDK-WinX32-FP0000021.
To create a new keystore, complete the following steps.

Procedure

  1. Open a command prompt window.
  2. Navigate to one of the following directories, depending on where you will run the key tool from. For example, on a Windows system, go to C:\Program Files (x86)\IBM\Tivoli\TRC\server\java\jre\bin
    Remote control server installed with embedded components
        Navigate to the BigFix® Remote Control installation directory.
    WAS installed
        Navigate to the WAS installation directory.
    Controller component installed
        Navigate to the ...\Controller\jre directory. For example:
        Windows systems
            C:\Program Files\IBM\tivoli\Remote Control\Controller\jre
        Linux systems
            /opt/ibm/trc/controller/jre
  3. Change to the bin directory.
  4. Run the ikeyman file relevant to your operating system.
    Windows systems
        ikeyman.bat
    Linux systems
        ikeyman.sh
  5. Select Key Database File > New.
  6. Select PKCS12 for Key database type.
  7. Click Browse, navigate to the location you want to store the keystore, type a filename for your file and click Save.
  8. Click OK.
  9. Enter and confirm a password to protect the keystore and click OK.
  10. Select Create > New Self-Signed Certificate.
  11. Enter a name for the Key Label.
    For example, the hostname of the broker.
    This is the name that will be displayed in the Personal Certificates list in the key management tool GUI.
  12. Select X509 V3 for the Version.
  13. Select a Key Size value.
    Default is 1024. Recommended value is 2048.
  14. Select a Signature Algorithm.
    This is a cryptographic algorithm for digital signatures and should be left as the default value, SHA256WithRSA.
  15. Type a Common Name.
    Set to the DNS host name and domain of your broker.
    For example, trcbroker.example.com
  16. Enter any additional optional information as required.
  17. Enter a Validity Period.
    This is the number of days that the certificate will be valid for. Default is 365 days.
  18. Click OK.

Results

The .p12 file is created with the name and in the location chosen in step 7 and is displayed in the list of personal certificates in the key management tool GUI.
Note: The keystore contains the private key for the certificate and this must be kept secure at all times. It is recommended that the original copy of the keystore is stored on a secure disk, for example an encrypted USB storage device or similar. Keeping a secure backup of the original keystore is also recommended.
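
One way to confirm that the new keystore carries the settings chosen in steps 12 to 15, as an added example that is not part of the IBM documentation. It assumes OpenSSL is installed; `broker.p12` and the function name `check_broker_cert` are placeholders, used as `openssl pkcs12 -in broker.p12 -nokeys | openssl x509 -noout -text | check_broker_cert trcbroker.example.com`.

```shell
#!/bin/sh
# Added example, not IBM code. Reads `openssl x509 -noout -text` output on stdin
# and compares it with the values chosen in steps 12 to 15 of the procedure.
check_broker_cert() {
    expected_cn=$1
    text=$(cat)
    rc=0
    # Helper: first line of the dump matched by a sed expression.
    field() { printf '%s\n' "$text" | sed -n "$1" | head -n 1; }

    # Step 12: X509 V3 is printed as "Version: 3 (0x2)".
    ver=$(field 's/^ *Version: *\([0-9]*\).*/\1/p')
    [ "$ver" = 3 ] || { echo "FAIL version: ${ver:-unknown}, expected 3"; rc=1; }

    # Step 13: some OpenSSL builds print "RSA Public-Key:", others "Public-Key:".
    bits=$(field 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size: ${bits:-unknown} bits, recommended 2048"; rc=1; }

    # Step 14: sha256WithRSAEncryption is OpenSSL's name for SHA256WithRSA.
    sig=$(field 's/^ *Signature Algorithm: *//p')
    [ "$sig" = sha256WithRSAEncryption ] || { echo "FAIL signature algorithm: ${sig:-unknown}"; rc=1; }

    # Step 15: accept "CN = host" and "CN=host"; host names compare case-insensitively.
    cn=$(field 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$expected_cn" | tr 'A-Z' 'a-z')
    [ "$cn" = "$want" ] || { echo "FAIL common name: ${cn:-unknown}, expected $want"; rc=1; }

    # Self-signed: issuer and subject carry the same name.
    issuer=$(field 's/^ *Issuer: *//p')
    subject=$(field 's/^ *Subject: *//p')
    { [ -n "$subject" ] && [ "$issuer" = "$subject" ]; } || { echo "FAIL issuer differs from subject"; rc=1; }

    return $rc
}

# Constructed sample dump (not a real certificate), trimmed to the fields checked.
SAMPLE_OK='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = trcbroker.example.com
        Subject: CN = trcbroker.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

printf '%s\n' "$SAMPLE_OK" | check_broker_cert trcbroker.example.com && echo "sample: all checks passed"
```

The function prints one FAIL line per mismatch and returns non-zero if any check fails, so it can gate a deployment script before the keystore is copied to the broker.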

What to do next

You should copy the new certificate to the broker machine and configure the broker properties. For more details, see Configuring the keystore on the broker.