Customizing dynamic agent certificates

Procedure to use customized certificates for the dynamic agent

About this task

To customize dynamic agent certificates, perform the following steps:

Procedure

  1. On the master domain manager, generate a self-signed certificate or issue a certificate sign request to a CA. For example, you can generate the private key to be used for signing the custom certificate by issuing the following command: 
    openssl genrsa -des3 -out tls.key 2048
  2. Create the certificate sign request: 
    openssl req -new -key tls.key -out tls.csr -config
/usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
  3. Send the .csr to the CA: 
    openssl x509 -req -in tls.csr -days 3650
-CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
    Note: If you do not specify the -CAcreateserial parameter, the default certificate validity of 30 days applies.
  4. Run the AgentCertificateDownloader script on the dynamic agent. The script connects to the master domain manager, downloads the certificates in .PEM format (tls.key, tls.crt, ca.crt files), and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents and fault-tolerant agents - AgentCertificateDownloader script.
  5. On the master domain manager, import the CA certificate in the TWSServerTrustFile.jks: 
    keytool -importcert -file ca.crt -keystore TWSServerTrustFile.jks
-alias ca -trustcacerts
  6. On the master domain manager, extract the public key to a certificate file from the private key of the master domain manager keystore (TWSServerKeyFile.jks): 
    keytool -exportcert -alias server -file pkserver.cer 
-keystore TWSServerKeyFile.jks -storetype jks
  7. On the master domain manager, edit the TWA_DATA_DIR/broker/config/BrokerWorkstation.properties file and update the list of authorized Common Names for the dynamic domain manager (broker). Append the Common Name used for the custom certificate to the Broker.AuthorizedCNs property: 
    Broker.AuthorizedCNs=Server;ServerNew;new_CN
  8. On the dynamic agent, add the certificate extracted at step 6 into the keystore of the dynamic agent TWSClientKeyStore.kdb and into TWSClientKeyStoreJKS.jks: 
    gsk8capicmd_64 -cert -add -db TWSClientKeyStore.kdb 
-file pkserver.cer -label server -trust enable -stashed
  9. Add the same certificate to TWSClientKeyStoreJKS.jks: 
    keytool -importcert -file pkserver.cer -keystore TWSClientKeyStoreJKS.jks 
-alias server

Configuring custom certificates for the remote broker resource CLI

About this task

To customize dynamic agent certificates, perform the following steps:

Procedure

  1. On the dynamic agent, generate a self-signed certificate or import the certificate from a certificate authority into the agent keystore TWSClientKeyStore.kdb.
    • Import the certification authority keys also into TWSClientKeyStoreJKS.jks.
    • If you have generated a self-signed certificate in TWSClientKeyStore.kdb, export it and import it into TWSClientKeyStoreJKS.jks.
  2. On the dynamic agent, extract to a file the certificate generated at step 1 from the dynamic agent keystore.
  3. On the master domain manager, add the certificate extracted at step 2 into the truststore of the master domain manager (TWSServerTrustFileTrust.jks).