Customizing dynamic agent certificates

Procedure to use customized certificates for the dynamic agent

About this task

To customize dynamic agent certificates, perform the following steps:

Procedure

  1. On the master domain manager, generate a self-signed certificate or create a certificate signing request (CSR) for a CA. For example, generate the private key for the custom certificate with the following command (the -des3 option encrypts the key with a passphrase, which must be supplied whenever the key is loaded):
    openssl genrsa -des3 -out tls.key 2048
  2. Create the certificate signing request. The Common Name (CN) you enter here is the one you must add to the authorized list in step 7:
    openssl req -new -key tls.key -out tls.csr \
      -config /usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
  3. Send the .csr file to the CA for signing. If you operate your own CA (ca.crt and ca.key), sign it yourself with the following command, which writes the signed certificate to tls.crt:
    openssl x509 -req -in tls.csr -days 3650 \
      -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
  4. Run the AgentCertificateDownloader script on the dynamic agent. The script connects to the master domain manager, downloads the certificates in .PEM format (tls.key, tls.crt, ca.crt files), and deploys them to the agent. The certificates must be available on the master domain manager in a specific path. For more information, see Certificates download to dynamic agents - AgentCertificateDownloader script.
  5. On the master domain manager, import the CA certificate into the keystore <TWSDATA>/ssl/TWSClientKeyStoreJKS.jks:
    keytool -importcert -file ca.crt -keystore TWSClientKeyStoreJKS.jks \
      -alias ca -trustcacerts
  6. On the master domain manager, export the certificate (the public key) that belongs to the private key in the master domain manager keystore (TWSServerKeyFile.jks) to a file:
    keytool -exportcert -alias server -file pkserver.cer \
      -keystore TWSServerKeyFile.jks -storetype jks
  7. On the master domain manager, edit the TWA_DATA_DIR/broker/config/BrokerWorkstation.properties file and update the list of authorized Common Names for the dynamic domain manager (broker). Append the Common Name used for the custom certificate to the Broker.AuthorizedCNs property:
    Broker.AuthorizedCNs=Server;ServerNew;new_CN
  8. On the dynamic agent, add the certificate exported at step 6 to the dynamic agent keystore TWSClientKeyStore.kdb:
    gsk8capicmd_64 -cert -add -db TWSClientKeyStore.kdb \
      -file pkserver.cer -label server -trust enable -stashed
  9. On the dynamic agent, add the same certificate to TWSClientKeyStoreJKS.jks:
    keytool -importcert -file pkserver.cer -keystore TWSClientKeyStoreJKS.jks \
      -alias server
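
The following script is an added example and is not part of the IBM documentation or of the product. It walks steps 1 to 3 and step 7 of the procedure end to end against a private CA created for the purpose, then performs the two checks a practitioner should run before copying tls.key, tls.crt and ca.crt into place: that tls.crt actually chains to ca.crt, and that tls.key is the key the certificate was issued for. It also updates Broker.AuthorizedCNs idempotently. The Common Name agent01, the scratch directory and the sample BrokerWorkstation.properties content are hypothetical; the keytool and gsk8capicmd_64 steps are not reproduced here because they need the product keystores.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or product code.
# Walks steps 1-3 and 7 of the procedure with a private CA, then verifies the
# result the way a practitioner would before deploying it to an agent.
# Hypothetical inputs: CN "agent01", a scratch directory, and a constructed
# stand-in for TWA_DATA_DIR/broker/config/BrokerWorkstation.properties.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PROPS="$WORK/BrokerWorkstation.properties"

# Constructed sample of the broker properties file (only the relevant keys).
write_sample_props() {
    printf 'Broker.Workstation.Name=MDM\nBroker.AuthorizedCNs=Server;ServerNew\n' > "$PROPS"
}

# Private CA that plays the role of the CA in step 3 (ca.crt / ca.key).
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
        -subj "/CN=TWS Custom CA" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1-3: private key, CSR carrying an explicit CN, CA-signed tls.crt.
# The key is written unencrypted so the agent can load it non-interactively;
# the page's -des3 variant needs its passphrase every time the key is used.
make_agent_cert() {
    cn="$1"
    openssl genrsa -out "$WORK/tls.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/tls.key" -subj "/CN=$cn" \
        -out "$WORK/tls.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/tls.csr" -days 825 -sha256 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/tls.crt" 2>/dev/null
}

# Succeeds only if tls.crt chains to ca.crt AND tls.key matches tls.crt:
# a mismatched key/certificate pair is a common reason the agent handshake
# fails after a manual certificate swap.
verify_agent_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$WORK/tls.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$WORK/tls.crt" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Read the CN back from the signed certificate rather than trusting the CSR.
cert_cn() {
    openssl x509 -in "$WORK/tls.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

authorized_cns() {
    sed -n 's/^Broker\.AuthorizedCNs=//p' "$PROPS"
}

# Step 7: append the CN to Broker.AuthorizedCNs exactly once (idempotent).
# The CN is used unescaped in the sed expression; keep it free of / & and ;.
authorize_cn() {
    cn="$1"
    case ";$(authorized_cns);" in
        *";$cn;"*) return 0 ;;          # already listed, nothing to do
    esac
    sed -i.bak "s/^Broker\.AuthorizedCNs=.*/&;$cn/" "$PROPS"
    rm -f "$PROPS.bak"
}

write_sample_props
make_ca
make_agent_cert "agent01"
verify_agent_cert && echo "tls.crt chains to ca.crt and matches tls.key"
authorize_cn "$(cert_cn)"
echo "Broker.AuthorizedCNs=$(authorized_cns)"
```

Run it as-is to see the generated files under the scratch directory; set WORK to a directory of your choice to keep them. The CN is taken from the signed certificate, not from what was typed into the CSR, so the value appended to Broker.AuthorizedCNs is the one the broker will actually see on the wire.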

Configuring custom certificates for the remote broker resource CLI

About this task

To use custom certificates with the remote broker resource CLI on agents, perform the following steps:

Procedure

In TWA_DATA_DIR/TDWB_CLI/config/CLIConfig.properties and TWA_DATA_DIR/broker/config/CLIConfig.properties, set the following properties to the location of your custom .JKS files and their passwords. The passwords are stored in clear text, so restrict read access to these files to the user that runs the CLI:
  • KeyStore and trustStore files:
    • keyStore=<TWA_DATA_DIR>/ITA/cpa/ita/cert/<JKS_ClientKeyStoreFile>
    • trustStore=<TWA_DATA_DIR>/ITA/cpa/ita/cert/<JKS_ClientTrustStoreFile>
  • KeyStore and trustStore passwords:
    • keyStorepwd=<customPassword>
    • trustStorepwd=<customPassword>