Upgrading in a mixed-version environment when using default certificates

About this task

If your environment contains components (such as agents, Dynamic Workload Console, dynamic domain managers, and so on) at different version levels and you use default certificates, ensure that the certificates are consistent across the environment.

For example, you might need to install an agent at version 10.2.x, and connect it to a back-level master domain manager.

If you are using default certificates, you need to convert them to the new format and make them available to all components before you start the upgrade, as described in the following steps:

Procedure

  1. Set the HCL Workload Automation environment.
  2. Browse to one of the following paths:
    version 9.5 and later
    TWA_DATA_DIR/usr/servers/engineServer/resources/security
    version 9.4 and earlier
    TWA_home/WAS/TWSProfile/etc
    and run the following commands to extract the master domain manager certificates:
    keytool -importkeystore -srckeystore TWSServerKeyFile.jks -destkeystore server.p12 -deststoretype pkcs12
    openssl pkcs12 -in server.p12 -out tls.tot
  3. Open the tls.tot file with any text editor.
  4. Copy the private key and the public key into two separate files named tls.key and tls.crt, respectively.
    where
    tls.key
    is the private key
    tls.crt
    is the public key
  5. Copy the contents of the tls.crt file into a new file named ca.crt.
  6. Create a file named tls.sth containing the passphrase you have specified for creating the .p12 certificate in step 2, encoded in base64 format. To create the tls.sth file, use the following command:
    secure -password your_password -base64 e -out tls.sth
    If you are using a version earlier than 10.x, you can find the secure script in the installation package of the 10.2.1 version you are upgrading to. You can launch the script from one of the following paths:
    master domain manager and agent
    <10.2.1_extracted_image_dir>/TWS/<interp>/Tivoli_LWA_<interp>/TWS/bin
    Dynamic Workload Console
    <10.2.1_extracted_image_dir>/DWC/<interp>/bin
    where
    <interp>
    is the operating system you are installing on
  7. Extract the client certificates from the TWA_DATA_DIR/ssl/GSKit folder by running the following command:
    gsk8capicmd_64 -cert -extract -db path_to_TWSClientKeyStore.kdb -stashed -label client -target client.crt
  8. Place the client.crt file in the additionalCAs folder when you provide the certificates to the installation script with the sslkeysfolder parameter.
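
Steps 3 to 5 can be scripted instead of copying blocks by hand in a text editor. The following shell functions are an added example, not part of the HCL Workload Automation tooling: the names split_pem_bundle and write_sample_bundle and the sample bundle contents are constructed for illustration, and the script assumes that every CERTIFICATE block in tls.tot belongs in tls.crt.

```shell
#!/bin/sh
# Added example: split the tls.tot bundle from step 2 into tls.key, tls.crt and ca.crt.
# split_pem_bundle and write_sample_bundle are hypothetical helper names.

split_pem_bundle() {
    bundle=$1
    outdir=${2:-.}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # Create the key file readable by its owner only, before any key data is written.
    ( umask 077 && : > "$outdir/tls.key" ) && chmod 600 "$outdir/tls.key" || return 1
    : > "$outdir/tls.crt" || return 1
    # Keep only the BEGIN/END blocks. The "Bag Attributes", "subject=" and
    # "issuer=" lines that openssl pkcs12 writes between blocks are dropped.
    awk -v key="$outdir/tls.key" -v crt="$outdir/tls.crt" '
        /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/   { out = crt }
        out != ""                        { print >> out }
        /^-----END /                     { out = "" }
    ' "$bundle" || return 1
    # Both parts must be present, otherwise the bundle is incomplete.
    grep -q "PRIVATE KEY-----" "$outdir/tls.key" || { echo "no private key in $bundle" >&2; return 1; }
    grep -q "BEGIN CERTIFICATE" "$outdir/tls.crt" || { echo "no certificate in $bundle" >&2; return 1; }
    # Step 5: ca.crt is a copy of tls.crt.
    cp "$outdir/tls.crt" "$outdir/ca.crt"
}

# Constructed sample in the layout openssl pkcs12 produces; the base64 bodies
# are placeholders, not real key material.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: server
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
U0FNUExFLUtFWQ==
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: server
subject=CN = sample
issuer=CN = sample
-----BEGIN CERTIFICATE-----
U0FNUExFLUNFUlQ=
-----END CERTIFICATE-----
EOF
}
```

After sourcing the file, run split_pem_bundle tls.tot . in the directory that contains tls.tot.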

Results

You have now converted the certificates to the required .PEM format.

What to do next

You can now use the new default certificates for installing or upgrading HCL Workload Automation components, as follows:
If your master domain manager is at least at 10.1 FP1 level
you can copy the certificates you converted with the above procedure to the /depot folder on the master domain manager and install or upgrade dynamic agents and fault-tolerant agents specifying the wauser and wapassword parameters. For all remaining components, copy the certificates locally and launch the installation or upgrade specifying the sslkeysfolder and sslpassword parameters.
If your master domain manager is at a version earlier than 10.1 FP1 level
copy the certificates you converted with the above procedure locally on all components and launch the installation or upgrade specifying the sslkeysfolder and sslpassword parameters.

For more information about all installation and upgrade parameters, see the serverinst, dwcinst, and twsinst scripts in Reference.