Generating a trusted keystore

Follow this procedure to create an identity keystore and a trusted keystore for configuring Unica Deliver to communicate with HCL Unica hosted services over SSL. You add the keystores to the web application server when you configure SSL.

About this task

HCL uses the following sample values in the procedures contained in this section.

  • Identity keystore: HCLUnicaClientIdentity.jks
  • Alias for the identity keystore: HCLUnicaClientIdentity
  • Password (-storepass) for the identity keystore: clientPwd
  • The security key (-keypass) for the identity keystore: clientPwd
  • Certificate based on the identity keystore: ClientCertificate.cer
  • Trusted keystore: HCLUnicaTrust.jks
  • Password (-storepass) for the trusted keystore: trustPwd

The actual values that you enter must be specific to your installation.

To complete steps in this procedure, run the Java keytool utility from the command line.

Procedure

  1. Generate an identity keystore. Use the genkey command, as shown in the following example.

    The example creates an identity keystore named HCLUnicaClientIdentity.jks. You can use a different name for the identity keystore that you create.

    keytool -genkey -alias HCLUnicaClientIdentity -keyalg RSA -keystore <HCLUnicaClientIdentity.jks> -keypass <clientPwd> -validity 1000 -dname "CN=hostName, O=myCompany" -storepass <clientPwd>

    Note the following.

    • You use the values for alias, keystore, keypass, and storepass later in this procedure and when you configure SSL in the web application server.
    • For WebSphere®, the keystore password (-storepass) and the key password (-keypass) must be the same.
    • In the distinguished name (-dname) the common name (CN) is the same as the host name used to access HCL Unica hosted services. For example, if the URL for HCL Unica hosted services is https://hostName.example.com:7002/unica/jsp, then the CN is hostName.example.com. The CN portion of the distinguished name is the only required portion; Organization (O) and Organizational Unit (OU) are not required.
  2. Generate a certificate based on the identity keystore. Use the export command, as shown in the following example.

    The example generates a certificate named ClientCertificate.cer. You can use a different name for the certificate that you create.

    The values for keystore, storepass, and alias must match the values you specified for the identity keystore.

    keytool -export -keystore <HCLUnicaClientIdentity.jks> -storepass <clientPwd> -alias HCLUnicaClientIdentity -file <ClientCertificate.cer>

  3. Generate the trusted keystore. Use the import command, as shown in the following example.

    The example generates a trusted keystore named HCLUnicaTrust.jks. You can use a different name for the trusted keystore that you create.

    keytool -import -alias HCLUnicaClientIdentity -file <ClientCertificate.cer> -keystore <HCLUnicaTrust.jks> -storepass <trustPwd>

    Type Y when prompted to trust the certificate.
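Steps 1 to 3 as one non-interactive script, with a check that the trusted keystore ends up holding exactly the identity keystore's public certificate and no private key. This is an added example, not HCL's own script: it uses the sample file names and passwords from this page, and the function names, the CN_HOST variable, and the use of keytool's -storepass:env, -noprompt and -rfc options are choices made for this example.

```shell
# Added example: non-interactive run of steps 1-3, plus a check of the result.
# File names, alias and default passwords are the page's sample values; CN_HOST
# and the function names are assumptions made for this example.
ALIAS=HCLUnicaClientIdentity
ID_KS=HCLUnicaClientIdentity.jks
CERT=ClientCertificate.cer
TRUST_KS=HCLUnicaTrust.jks
CN_HOST=${CN_HOST:-hostName.example.com}
# Passwords are handed to keytool through the environment (-storepass:env)
# so that they do not appear in the process list.
export ID_PASS="${ID_PASS:-clientPwd}" TRUST_PASS="${TRUST_PASS:-trustPwd}"

build_keystores() {
    # Step 1: identity keystore holding the private key and self-signed certificate.
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keystore "$ID_KS" \
        -keypass:env ID_PASS -storepass:env ID_PASS -validity 1000 \
        -dname "CN=$CN_HOST, O=myCompany" || return 1
    # Step 2: export only the public certificate.
    keytool -export -keystore "$ID_KS" -storepass:env ID_PASS \
        -alias "$ALIAS" -file "$CERT" || return 1
    # Step 3: import it into the trusted keystore; -noprompt answers the
    # "trust this certificate" question that the manual procedure answers with Y.
    keytool -import -noprompt -alias "$ALIAS" -file "$CERT" \
        -keystore "$TRUST_KS" -storepass:env TRUST_PASS || return 1
}

# Print the certificate stored under $ALIAS in keystore $1 as PEM ($2 = password variable name).
pem_of() {
    keytool -export -rfc -keystore "$1" -storepass:env "$2" -alias "$ALIAS"
}

verify_trust() {
    id_pem=$(pem_of "$ID_KS" ID_PASS) || return 1
    trust_pem=$(pem_of "$TRUST_KS" TRUST_PASS) || return 1
    # The trusted keystore must hold the same certificate as the identity keystore...
    [ "$id_pem" = "$trust_pem" ] || { echo "certificate mismatch" >&2; return 1; }
    # ...and only the certificate, never the private key.
    keytool -list -keystore "$TRUST_KS" -storepass:env TRUST_PASS -alias "$ALIAS" \
        | grep -q trustedCertEntry || { echo "not a trustedCertEntry" >&2; return 1; }
}
```

Source the file in an empty working directory and run `build_keystores && verify_trust`; set ID_PASS, TRUST_PASS and CN_HOST beforehand to use your own installation's values.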

What to do next

Note the values that you defined for the following variables. Your values can be different from the values given in the example.
  • alias (in the example: HCLUnicaClientIdentity)
  • identity keystore (in the example: HCLUnicaClientIdentity.jks)
  • storepass (in the example: trustPwd). The storepass value for the trusted keystore can be different from the storepass value for the identity keystore and certificate.
  • keystore (in the example: HCLUnicaTrust.jks). Depending on your web application server, you also specify the identity keystore.

You specify these installation-specific values when you configure SSL on the web application server for your HCL Unica installation.