Extracting default certificates
Procedure to extract and convert default certificates generated in your current version prior to upgrading.
About this task
If you are using default certificates, extract and convert them before you start the upgrade. Perform the following steps:
Procedure
- Set the HCL Workload Automation environment.
- Browse to one of the following paths:
  - version 9.5 and later: TWA_DATA_DIR/usr/servers/engineServer/resources/security
  - version 9.4 and earlier: TWA_home/WAS/TWSProfile/etc
  Run the following commands:
  keytool -importkeystore -srckeystore TWSServerKeyFile.jks -destkeystore server.p12 -deststoretype pkcs12
  openssl pkcs12 -in server.p12 -out tls.tot
- Open the tls.tot file with any text editor.
- Copy the private key and public key into two separate files named tls.key and tls.crt respectively, where:
  - tls.key is the private key
  - tls.crt is the public key
- Copy the contents of the tls.crt file into a new file named ca.crt.
- Create a file named tls.sth containing the passphrase you specified when creating the .p12 certificate in step 2, encoded in base64 format. To create the tls.sth file, use the following command:
  secure -password your_password -base64 e -out tls.sth
  If you are using a version earlier than 10.x, you can find the secure script in the installation package of the 10.2.1 version you are upgrading to. You can launch the script from one of the following paths:
  - master domain manager and agent: <10.2.1_extracted_image_dir>/TWS/<interp>/Tivoli_LWA_<interp>/TWS/bin
  - Dynamic Workload Console: <10.2.1_extracted_image_dir>/DWC/<interp>/bin
  where <interp> is the operating system you are installing on.
- Extract the client certificates from the TWA_DATA_DIR/ssl/GSKit folder by running the following command:
  gsk8capicmd_64 -cert -extract -db path_to_TWSClientKeyStore.kdb -stashed -label client -target client.crt
- Insert the client.crt in the additionalCAs folder when providing the certificates to the installation script with the sslkeysfolder parameter.
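
The steps above that open tls.tot and copy the key and certificate into tls.key, tls.crt and ca.crt can be scripted so that the "Bag Attributes" text openssl writes around each block is left out and the key file is not world-readable. This is an added example, not part of the product documentation; the function names pem_block and split_tls_tot are hypothetical, and it assumes the first private key block and the first certificate block in tls.tot are the server's.

```shell
#!/bin/sh
# Added example: split the PEM bundle written by
#   openssl pkcs12 -in server.p12 -out tls.tot
# into the tls.key, tls.crt and ca.crt files the procedure asks for.
# Usage (after sourcing this file): split_tls_tot tls.tot ./certs

# pem_block FILE REGEX N: print the Nth PEM block whose BEGIN line matches
# REGEX, dropping the "Bag Attributes", "subject=" and "issuer=" lines
# that openssl writes around each block.
pem_block() {
    awk -v re="$2" -v want="$3" '
        /^-----BEGIN / && $0 ~ re { n++; if (n == want) on = 1 }
        on { print }
        /^-----END / { on = 0 }
    ' "$1"
}

# split_tls_tot BUNDLE OUTDIR: write tls.key, tls.crt and ca.crt to OUTDIR.
# Assumption: the first key block and first certificate block are the server's.
split_tls_tot() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    (
        # Create every file owner-only first, then relax the public ones.
        umask 077
        mkdir -p "$outdir" || exit 1
        # Matches PRIVATE KEY, RSA PRIVATE KEY and ENCRYPTED PRIVATE KEY.
        pem_block "$bundle" 'PRIVATE KEY-----' 1 > "$outdir/tls.key"
        pem_block "$bundle" 'BEGIN CERTIFICATE-----' 1 > "$outdir/tls.crt"
        [ -s "$outdir/tls.key" ] || { echo "no private key in $bundle" >&2; exit 1; }
        [ -s "$outdir/tls.crt" ] || { echo "no certificate in $bundle" >&2; exit 1; }
        # The procedure uses the same certificate as ca.crt.
        cp "$outdir/tls.crt" "$outdir/ca.crt"
        chmod 600 "$outdir/tls.key"
        chmod 644 "$outdir/tls.crt" "$outdir/ca.crt"
    )
}
```

Delete tls.tot and server.p12 once the split files are in place, since both still contain the private key.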