Creating and configuring certificates

This procedure describes how to create and configure your own certificates for your setup.

About this task

The following procedure describes how to create and configure self-signed certificates for Campaign and Marketing Platform.

For additional details on using GSKit, see http://www.ibm.com/developerworks/security/tutorials/se-gskit/. You can use these steps as a guide for configuring certificates for other HCL® Marketing Software products.

Procedure

  1. Use GSKit to generate SSL certificates as follows.
    1. Create and initialize a new key database.

      For example:

      gsk8capicmd_64 -keydb -create -populate -db Campaign.kdb -pw password -stash

      The -stash option is required for Campaign.
    2. Use GSKit to generate a self-signed certificate for Campaign and store it in the key database, as follows.

      For example:

      gsk8capicmd_64 -cert -create -db Campaign.kdb -dn "CN=example.com,O=domain,C=IN" -expire 3650 -pw password -size 1024 -label exampleLabel -default_cert yes
    3. Extract the public part of the certificate to a file.

      For the clients to trust a certificate, its public part needs to be distributed to the clients and stored in their key databases. In this step, you export the public part of the Campaign certificate. You import it in a later step.

      For example:

      gsk8capicmd_64 -cert -extract -db Campaign.kdb -stashed -label exampleLabel -target Campaigncert.arm
  2. Import the Campaigncert.arm file into the application server where the Campaign web application is deployed.
    1. Copy the Campaigncert.arm file to the Campaign web application server.
    2. Add the Campaigncert.arm file to the NodeDefaultTrustStore of the WebSphere Application Server by completing the following steps:
      1. Click Security > SSL Certificate and key management > Key stores and certificates.
      2. Click NodeDefaultTrustStore > Signer certificates.
      3. Click Add and provide the Alias and the path where the Key.arm file is copied.
      4. Click OK.
  3. Use keytool to generate and import a Java identity certificate for Marketing Platform as follows.
    1. Generate the Marketing Platform identity certificate.

      For example:

      ./keytool -genkey -alias PlatformClientIdentity -keyalg RSA -keystore PlatformClientIdentity.jks -keypass password -validity 3650 -dname "CN=example.com" -storepass password
    2. Export the certificate from the keystore (PlatformClientIdentity in the example) into a file (PlatformCertificate.cer in the example).

      ./keytool -export -keystore PlatformClientIdentity.jks -storepass password -alias PlatformClientIdentity -file PlatformCertificate.cer

    3. Import the certificate that you exported into the Marketing Platform keystore (PlatformTrust.jks in the example).

      For example:

      ./keytool -import -alias PlatformClientIdentity -file PlatformCertificate.cer -keystore PlatformTrust.jks -storepass password
  4. Extract Personal and Signer certificates from the IBM Campaign WebSphere Application Server.
    1. Click Security > SSL Certificate and key management > Key stores and certificates.
    2. Click NodeDefaultTrustStore > Personal certificates.
    3. Select the default certificate.
    4. Provide the Certificate file name and a valid path on the Campaign web application server, and click OK.
    5. Click NodeDefaultTrustStore > Signer certificates.
    6. Select the default certificate.
    7. Provide the Certificate file name and a valid path on the Campaign web application server, and click OK.
  5. Import the Personal and Signer certificates into the listener keystore database.
    1. Copy the ClientPersonal.cer and ClientSigner.cer certificates to the Listener server.
    2. Import the Personal and Signer certificates into the listener keystore database by running the gsk8capicmd_64 command from the location where the listener keystore database (Campaigncert.kdb) was created.
      gsk8capicmd_64 -cert -add -db Campaigncert.kdb -stashed -label ClientPersonalKey -file ClientPersonal.cer
      gsk8capicmd_64 -cert -add -db Key.kdb -stashed -label ClientSignerlKey -file ClientSigner.cer
  6. Exchange certificates between Campaign and Marketing Platform.
    1. Use keytool to import the Campaign certificate into the Marketing Platform identity and keystore.

      For example:

      ./keytool -import -file PATH_TO_GSKit_certificate/Campaigncert.arm -alias listenerkey2 -keystore PATH_TO_JAVA_CERTIFICATE/PlatformClientIdentity.jks

      ./keytool -import -file PATH_TO_GSKit_certificate/Campaigncert.arm -alias listenerkey2 -keystore PATH_TO_JAVA_CERTIFICATE/PlatformTrust.jks
    2. Use GSKit to import the Marketing Platform certificate into the Campaign key database.

      For example:

      gsk8capicmd_64 -cert -add -db Campaign.kdb -stashed -label PlatformClientIdentity -file PATH_TO_JAVA_CERTIFICATE/PlatformCertificate.cer
  7. Use keytool to import the Java certificate and Campaign GSKit certificate into the application server Java keystore.
    1. Import the Marketing Platform Java certificate.

      For example:

      ./keytool -import -file PATH_TO_JAVA_CERTIFICATE/PlatformCertificate.cer -alias platformkey1 -keystore APPLICATION_SERVER_HOME/java/jre/lib/security/cacerts

      When keytool prompts for the keystore password, enter changeit.
    2. Import the Campaign GSKit certificate.

      For example:

      keytool -import -file PATH_TO_GSKit_certificate/campaign.arm -alias CampaignListener -keystore APPLICATION_SERVER_HOME/java/jre/lib/security/cacerts
  8. In the unicaACListener settings, set useSSL to TRUE if the Campaign Listener is using SSL; otherwise, set it to FALSE.
  9. Restart the Campaign Application Server and the Campaign Listener.
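
The script below is an added example, not part of the product procedure: it audits the files exported in steps 1 and 3 before they are imported into further trust stores, reporting key size, expiry and SHA-256 fingerprint, and confirming that a Base64 .arm file and a binary .cer file hold the same certificate. It assumes RSA keys (as the commands above produce) and an openssl binary on the path; the function names and the 2048-bit floor in MIN_RSA_BITS are assumptions of this example, chosen so that the -size 1024 used above is flagged.

```shell
#!/bin/sh
# Added example, not part of the product procedure. Requires only openssl.
MIN_RSA_BITS=2048   # assumed policy floor; the page's GSKit example uses -size 1024

# Emit the certificate as PEM whether the file is Base64 (GSKit .arm)
# or binary DER (keytool -export without -rfc).
to_pem() {
  openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Public key size in bits, taken from openssl's text dump.
cert_key_bits() {
  to_pem "$1" | openssl x509 -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

cert_fingerprint() {
  to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when two files hold the same certificate, regardless of encoding.
same_cert() {
  a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 if acceptable, 1 if weak or expired, 2 if unreadable.
audit_cert() {
  bits=$(cert_key_bits "$1")
  [ -n "$bits" ] || { echo "$1: not a readable X.509 certificate" >&2; return 2; }
  rc=0
  echo "$1: ${bits}-bit key, SHA-256 $(cert_fingerprint "$1")"
  [ "$bits" -ge "$MIN_RSA_BITS" ] || { echo "$1: key shorter than $MIN_RSA_BITS bits"; rc=1; }
  to_pem "$1" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "$1: certificate has expired"; rc=1; }
  return "$rc"
}

# Constructed sample: self-signed certificate with the DN and lifetime of the
# page's example and a key of $2 bits, written to $1 in Base64 form.
make_sample() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 3650 \
    -subj "/C=IN/O=domain/CN=example.com" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh cert_audit.sh Campaigncert.arm PlatformCertificate.cer ...
status=0
for f in "$@"; do audit_cert "$f" || status=1; done
[ "$status" -eq 0 ] || echo "one or more certificates failed the audit" >&2
```

Comparing the fingerprint printed for the exported file with the one shown by the importing keystore (for example, keytool -list -v) confirms that the certificate was not swapped or corrupted while being copied between servers.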