Customizing dynamic agent certificates
Procedure to use customized certificates for the dynamic agent
About this task
To customize dynamic agent certificates, perform the following steps:
Procedure
1. On the master domain manager, generate a self-signed certificate or issue a certificate signing request to a CA. For example, generate the private key for the custom certificate with the following command:
   openssl genrsa -des3 -out tls.key 2048
2. Create the certificate signing request:
   openssl req -new -key tls.key -out tls.csr -config /usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
3. Send the .csr to the CA. The CA signs the request and returns the certificate (tls.crt); if you run your own CA, the signing step is:
   openssl x509 -req -in tls.csr -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
4. Run the AgentCertificateDownloader script on the dynamic agent. The script connects to the master domain manager, downloads the certificates in .PEM format (the tls.key, tls.crt, and ca.crt files), and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents - AgentCertificateDownloader script.
5. On the master domain manager, import the CA certificate into <TWSDATA>/ssl/TWSClientKeyStoreJKS.jks:
   keytool -importcert -file ca.crt -keystore TWSClientKeyStoreJKS.jks -alias ca -trustcacerts
6. On the master domain manager, extract the public certificate from the private key entry of the master domain manager keystore (TWSServerKeyFile.jks):
   keytool -exportcert -alias server -file pkserver.cer -keystore TWSServerKeyFile.jks -storetype jks
7. On the master domain manager, edit the TWA_DATA_DIR/broker/config/BrokerWorkstation.properties file and update the list of Common Names authorized for the dynamic domain manager (broker). Append the Common Name used in the custom certificate to the Broker.AuthorizedCNs property:
   Broker.AuthorizedCNs=Server;ServerNew;new_CN
8. On the dynamic agent, add the certificate extracted at step 6 to the agent keystore TWSClientKeyStore.kdb:
   gsk8capicmd_64 -cert -add -db TWSClientKeyStore.kdb -file pkserver.cer -label server -trust enable -stashed
9. Add the same certificate to TWSClientKeyStoreJKS.jks:
   keytool -importcert -file pkserver.cer -keystore TWSClientKeyStoreJKS.jks -alias server
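The broker accepts an agent certificate only if its subject CN appears verbatim in Broker.AuthorizedCNs, so a typo in step 7 is a silent handshake failure. The Python helper below is an added example, not part of the product: it reads the CN from the output of `openssl x509 -noout -subject -in tls.crt` (both subject formats openssl prints) and appends it to the Broker.AuthorizedCNs line without duplicating it or touching other lines. The properties text and subject line are constructed samples.

```python
import re

PROP = "Broker.AuthorizedCNs"


def cn_from_openssl_subject(subject_line: str) -> str:
    """Extract the CN from `openssl x509 -noout -subject` output.

    Accepts both 'subject= /C=US/O=Example/CN=new_CN' (older openssl) and
    'subject=C = US, O = Example, CN = new_CN' (newer openssl).
    """
    m = re.search(r"(?:^|[/,]\s*|subject=\s*)CN\s*=\s*([^/,]+)", subject_line)
    if not m:
        raise ValueError(f"no CN in subject line: {subject_line!r}")
    return m.group(1).strip()


def authorized_cns(properties_text: str) -> list[str]:
    """Return the CNs currently listed in Broker.AuthorizedCNs (semicolon-separated)."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            return [c.strip() for c in value.split(";") if c.strip()]
    return []


def authorize_cn(properties_text: str, cn: str) -> str:
    """Return the properties text with `cn` added to Broker.AuthorizedCNs.

    Idempotent: an already-listed CN is not duplicated, other lines are kept
    as they are, and the property is created if it is missing.
    """
    lines = properties_text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            cns = [c.strip() for c in value.split(";") if c.strip()]
            if cn not in cns:
                cns.append(cn)
            lines[i] = f"{PROP}={';'.join(cns)}"
            break
    else:
        lines.append(f"{PROP}={cn}")
    return "\n".join(lines) + "\n"


# Constructed sample data: a minimal BrokerWorkstation.properties and the subject
# line openssl would print for the custom certificate (not from a real install).
SAMPLE_PROPERTIES = "# constructed sample BrokerWorkstation.properties\nBroker.AuthorizedCNs=Server;ServerNew\n"
SAMPLE_SUBJECT = "subject=C = US, O = Example, CN = new_CN"

if __name__ == "__main__":
    print(authorize_cn(SAMPLE_PROPERTIES, cn_from_openssl_subject(SAMPLE_SUBJECT)), end="")
```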
Configuring custom certificates for the remote broker resource CLI
About this task
To use custom certificates on agents, perform the following steps:
Procedure
In TWA_DATA_DIR/TDWB_CLI/config/CLIConfig.properties and TWA_DATA_DIR/broker/config/CLIConfig.properties, set the following properties to the directory where your custom .JKS files are stored and to the associated passwords:
- KeyStore and trustStore files:
  keyStore=<TWA_DATA_DIR>/ITA/cpa/ita/cert/<JKS_ClientKeyStoreFile>
  trustStore=<TWA_DATA_DIR>/ITA/cpa/ita/cert/<JKS_ClientTrustStoreFile>
- KeyStore and trustStore passwords:
  keyStorepwd=<customPassword>
  trustStorepwd=<customPassword>