Certificate rotation

Procedure to rotate certificates in your environment

About this task

The procedure explained below is one of several procedures you can perform to achieve the same results and is intended only as an example. In this procedure, it is assumed your certificates have been signed by a Certificate Authority (CA) you created for this purpose. For more information, see Creating a Certificate Authority and generating certificates. For more information about using an external CA or manually modifying all the keystores and key databases, see Replacing Default SSL Certificates with CA Signed Custom Certificates.

To customize the certificates for communication between master domain manager and dynamic agent, perform the following steps:

Procedure

  1. On the master domain manager, generate a self-signed certificate or submit a certificate signing request (CSR) to a CA, and import the resulting certificate into TWSServerKeyFile.p12. For example, you can generate the private key for the custom certificate by issuing the following command:
    openssl genrsa -des3 -out tls.key <key_size>
    where <key_size> must be greater than or equal to 2048.
  2. Create the certificate signing request:
    openssl req -new -key tls.key -out tls.csr -config <TWS_DATA_DIR>/ssl/openssl.cnf
  3. Have the CA sign the .csr. With the CA you created for this purpose, the signing command is:
    openssl x509 -req -in tls.csr -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
  4. After receiving back the signed certificate, you can import the custom certificate along with its private key into TWSServerKeyFile.p12, as follows:
    1. Create a single file containing both:
      cat tls.key tls.crt > tls.tot
    2. Export the tls.tot file to a PKCS12 keystore for the master domain manager:
      openssl pkcs12 -export -out TWSServerKeyFile.p12 -in tls.tot -name server
    3. Replace the existing TWSServerKeyFile.p12 file located in TWA_DATA_DIR/usr/servers/engineServer/resources/security with the file you created in step 4b.
    4. Export the tls.tot file created in step 1 to a PKCS12 keystore for the dynamic agent:
      openssl pkcs12 -export -out TWSClientKeyStore.p12 -in tls.tot -name client
    5. Replace the existing TWSClientKeyStore.p12 file located in TWA_DATA_DIR/ssl/certs with the file you created in step 4d.
  5. On the master domain manager, import the CA certificate in the TWSServerTrustFile.p12:
    keytool -importcert -file ca.crt -keystore TWSServerTrustFile.p12 -alias ca -trustcacerts
  6. Replace the existing TWSServerTrustFile.p12 located in TWA_DATA_DIR/usr/servers/engineServer/resources/security with the file you created in step 5.
  7. On the master domain manager, edit the TWA_DATA_DIR/broker/config/BrokerWorkstation.properties file and update the list of authorized Common Names for the dynamic domain manager (broker). Append the Common Name used for the custom certificate to the Broker.AuthorizedCNs property:
    Broker.AuthorizedCNs=Server;ServerNew;new_CN
  8. Run the AgentCertificateDownloader script on the dynamic agent. The script connects to the master domain manager, downloads the certificates in .PEM format (tls.key, tls.crt, ca.crt files), and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents and fault-tolerant agents - AgentCertificateDownloader script.
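The following script is an added example, not part of the product documentation: it runs steps 1 through 7 above end-to-end in a scratch directory against a throwaway CA (standing in for the one created under Creating a Certificate Authority), then performs the checks worth running before any file is copied into TWA_DATA_DIR: key size, key/certificate match, issuer chain, expected Common Name, and that every keystore opens with its password. It assumes openssl on PATH; keytool is used for the trust store when a JDK is present and otherwise replaced by an openssl certificate-only PKCS#12 export, which is an assumption about what the product accepts. WORK, CN, STOREPASS, the -subj value (used instead of the product's openssl.cnf) and the BrokerWorkstation.properties stand-in are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the product documentation: runs the rotation
# procedure end-to-end against a throwaway CA in a scratch directory and
# verifies the result before anything is copied into TWA_DATA_DIR.
# Assumptions: openssl on PATH; keytool optional (openssl fallback below);
# WORK, CN, STOREPASS and the properties file are placeholders, not product values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_SIZE=2048                                # procedure requires >= 2048
CN="${CN:-new_CN}"                           # CN appended to Broker.AuthorizedCNs
STOREPASS="${STOREPASS:-changeit}"           # placeholder keystore password
PROPS="$WORK/BrokerWorkstation.properties"   # stand-in for TWA_DATA_DIR/broker/config/...

# Stand-in for the CA created under "Creating a Certificate Authority".
make_ca() {
  openssl req -x509 -newkey "rsa:$KEY_SIZE" -nodes -days 3650 -subj "/CN=Example-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1-3: key (left unencrypted so the script runs unattended), CSR, CA signature.
# -subj replaces the product's openssl.cnf, which this example does not have.
make_server_cert() {
  openssl genrsa -out "$WORK/tls.key" "$KEY_SIZE" 2>/dev/null
  openssl req -new -key "$WORK/tls.key" -subj "/CN=$CN" -out "$WORK/tls.csr"
  openssl x509 -req -in "$WORK/tls.csr" -days 3650 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/tls.crt" 2>/dev/null
}

# Step 4: bundle key and certificate, then export the two PKCS#12 keystores.
make_keystores() {
  cat "$WORK/tls.key" "$WORK/tls.crt" > "$WORK/tls.tot"
  for entry in server:TWSServerKeyFile.p12 client:TWSClientKeyStore.p12; do
    openssl pkcs12 -export -in "$WORK/tls.tot" -name "${entry%%:*}" \
      -out "$WORK/${entry#*:}" -passout "pass:$STOREPASS"
  done
}

# Step 5: trust store holding the CA certificate. The documentation uses keytool;
# without a JDK, openssl writes an equivalent certificate-only PKCS#12 (assumption).
make_truststore() {
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -trustcacerts -alias ca -file "$WORK/ca.crt" \
      -keystore "$WORK/TWSServerTrustFile.p12" -storetype PKCS12 -storepass "$STOREPASS"
  else
    openssl pkcs12 -export -nokeys -in "$WORK/ca.crt" -name ca \
      -out "$WORK/TWSServerTrustFile.p12" -passout "pass:$STOREPASS"
  fi
}

# Step 7: append a CN to Broker.AuthorizedCNs exactly once (safe to re-run).
authorize_cn() {
  props="$1"; cn="$2"
  current=$(sed -n 's/^Broker\.AuthorizedCNs=//p' "$props")
  case ";$current;" in
    *";$cn;"*) return 0 ;;                   # already authorized
  esac
  if grep -q '^Broker\.AuthorizedCNs=' "$props"; then
    [ -n "$current" ] && new="$current;$cn" || new="$cn"
    sed "s|^Broker\.AuthorizedCNs=.*|Broker.AuthorizedCNs=$new|" "$props" > "$props.tmp" \
      && mv "$props.tmp" "$props"
  else
    echo "Broker.AuthorizedCNs=$cn" >> "$props"
  fi
}

authorized_cns() { sed -n 's/^Broker\.AuthorizedCNs=//p' "$PROPS"; }

# Checks worth running before replacing the live files: key size, key/cert
# match, issuer chain, expected CN, and that every keystore opens with its password.
verify_rotation() {
  bits=$(openssl rsa -in "$WORK/tls.key" -noout -text 2>/dev/null \
         | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || return 1
  [ "$(openssl pkey -in "$WORK/tls.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/tls.crt" -pubkey -noout)" ] || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/tls.crt" -noout -subject -nameopt RFC2253 | grep -q "CN=$CN" || return 1
  for ks in TWSServerKeyFile.p12 TWSClientKeyStore.p12 TWSServerTrustFile.p12; do
    openssl pkcs12 -in "$WORK/$ks" -passin "pass:$STOREPASS" -noout 2>/dev/null || return 1
  done
}

run_rotation() {
  printf 'Broker.AuthorizedCNs=Server;ServerNew\n' > "$PROPS"   # constructed starting value
  make_ca && make_server_cert && make_keystores && make_truststore
  authorize_cn "$PROPS" "$CN"
}

run_rotation
verify_rotation
echo "rotation verified in $WORK; Broker.AuthorizedCNs=$(authorized_cns)"
```

The script stops at the point where the documentation has you copy the files into TWA_DATA_DIR and run AgentCertificateDownloader; those steps touch the live installation and are left to the procedure above. verify_rotation is the part to keep: comparing the public key of tls.key with the one embedded in tls.crt catches a stale key reused with a new certificate, and opening each .p12 with its password catches a typo before the engine server fails to start.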