Customizing master domain manager certificates
Procedure to use custom certificates for the master domain manager
About this task
To customize the master domain manager certificates, perform the following steps:
Procedure
- On the master domain manager, generate a self-signed certificate or issue a certificate signing request to a CA and import the certificate into TWSServerKeyFile.jks. For example, you can generate the private key to be used for signing the custom certificate by issuing the following command:
  openssl genrsa -des3 -out tls.key 2048
- Create the certificate signing request:
  openssl req -new -key tls.key -out tls.csr -config /usr/Tivoli/TWS/OpenSSL64/1.0.0/bin/openssl.cnf
- After receiving back the signed certificate, you can import the custom certificate along with its private key into TWSServerKeyFile.jks, as follows:
  - Create a single file containing both:
    cat tls.key tls.crt > tls.tot
  - Export the resulting file to a PKCS12 keystore:
    openssl pkcs12 -export -out TWSServerKeyFile.p12 -in tls.tot -name server
  - Import the PKCS12 keystore into TWSServerKeyFile.jks:
    keytool -importkeystore -srckeystore TWSServerKeyFile.p12 -srcstoretype pkcs12 -destkeystore TWSServerKeyFile.jks -deststoretype jks -srcstorepass password -deststorepass password -srcalias server -destalias server
- On the master domain manager, import the CA certificate into the keystore at <TWSDATA>/ssl/TWSClientKeyStoreJKS.jks:
  keytool -importcert -file ca.crt -keystore TWSClientKeyStoreJKS.jks -alias ca -trustcacerts
- On the Dynamic Workload Console, import the CA certificate into TWSServerTrustFile.jks:
  keytool -importcert -file ca.crt -keystore TWSServerTrustFile.jks -alias ca -trustcacerts
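
A pre-import check for the procedure above, added here as an example and not part of the product documentation: it confirms that tls.crt carries the public key of tls.key, is still within its validity period and chains to ca.crt, so it can be run after the CA returns the certificate and before the files are combined into tls.tot. The function names and the KEY_PASS environment variable are assumptions; the file names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the product documentation). Function names and the
# KEY_PASS variable are assumptions; tls.key, tls.crt and ca.crt are the file
# names used in the procedure.

# Public key of a passphrase-protected private key, as PEM. The passphrase is
# read from the KEY_PASS environment variable so it stays off the command line.
pub_of_key() {
    openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null
}

# Public key embedded in a certificate, as PEM.
pub_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# check_pair KEY CERT CA
# Returns 0 when every check passes, 2 for unreadable input, 3 when the
# certificate does not belong to the key, 4 when the certificate has expired,
# 5 when the certificate does not chain to the CA certificate.
check_pair() {
    k=$(pub_of_key "$1") || { echo "cannot read key: $1" >&2; return 2; }
    c=$(pub_of_cert "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "certificate $2 was not issued for key $1" >&2
        return 3
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate $2 has expired" >&2
        return 4
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "certificate $2 does not chain to $3" >&2
        return 5
    fi
    return 0
}

# Run the checks when called with three arguments, for example:
#   KEY_PASS=... sh check_pair.sh tls.key tls.crt ca.crt
if [ "$#" -eq 3 ]; then
    check_pair "$@"
fi
```

A non-zero result means the PKCS12 export or the later trust-store imports would produce a keystore that peers reject, so resolve it before continuing with the procedure.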