To share applications with secured properties or configure
mutual authentication among IBM® UrbanCode Deploy servers
and agents, exchange keys from each server or agent's encryption keystore.
Before you begin
Make sure that the location of the Java™ keytool command is on the PATH variable of the servers.
About this task
To share applications with secured properties, export the
server's key and import it into each target server. This process enables
applications from the exporting server to be used by the other servers.
Repeat the process for each server with applications that you want
to share.
Procedure
- On the first server, open a command-line window and go
to the server installation conf directory.
- Find the value of the encryption.keystore.alias property
in the install/conf/server/installed.properties file. For example, the following code shows
a value of abcdkey1234:
    encryption.keystore=../conf/encryption.keystore
    encryption.keystore.alias=abcdkey1234
  You will need this alias in the next steps.
- Run the following command to import the server key into a temporary keystore.
You must enter this command on a single line.
    keytool -importkeystore -srckeystore encryption.keystore
      -srcstorepass srcPassword
      -srcstoretype jceks
      -alias alias
      -destkeystore temp.keystore
      -deststorepass tempPassword
      -deststoretype jceks
  - For srcPassword, specify the password for the server keystore. The default password is changeit.
  - For alias, specify the value of the encryption.keystore.alias property.
  - For tempPassword, specify a password for the temporary keystore. You will need this password later.
- Copy the temporary keystore, which is named temp.keystore in
the previous example, to the install/conf/ folder
on the second server.
- On the second server, open a command-line window and go
to the server installation conf directory.
- Run the following command to import the key in the temporary
keystore into the server keystore. You must enter this
command on a single line.
    keytool -importkeystore -srckeystore temp.keystore
      -srcstorepass tempPassword
      -srcstoretype jceks
      -alias alias
      -destkeystore encryption.keystore
      -deststorepass destPassword
      -deststoretype jceks
  - For tempPassword, specify the password for the temporary keystore.
  - For alias, specify the encryption.keystore.alias property of the first server, not the current server.
  - For destPassword, specify the password for the current server keystore.
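- Optional: Delete the temporary keystore file
from each server. The temporary keystore holds a copy of the first
server's encryption key, protected only by tempPassword.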
Results
The encryption key from the first server keystore is now on
the second server keystore. As a result, the second server can now
decrypt applications from the first server.
You can verify that the second server keystore has the key by running the following command
on the second server:
    keytool -list -keystore encryption.keystore
      -storepass password
      -storetype jceks
For password, use the password of the server keystore.
This command lists the keys in the server keystore. If you copied the keys successfully,
the list includes at least two keys: one from each of the servers.
These keys are listed according to the encryption.keystore.alias properties
of the respective servers. For example, the following output shows
two keys:
    Keystore type: jceks
    Keystore provider: IBMJCE
    Your keystore contains 2 entries
    efghkey5678, Oct 15, 2013, SecretKeyEntry,
    abcdkey1234, Nov 22, 2013, SecretKeyEntry,
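The verification step above can be scripted so that a failed or partial import is caught before applications are shared. The following is an added example, not part of the product documentation: it reads the alias from installed.properties and confirms that each expected alias appears as a SecretKeyEntry in keytool -list output. The function names are hypothetical, and the sample listing is the one shown on this page.

```shell
#!/bin/sh
# Added example: post-import check for the key exchange described on this page.
# Function names are hypothetical; they are not part of UrbanCode Deploy.

# Print the value of encryption.keystore.alias from an installed.properties file.
read_alias() {
    # Strip CR (Windows line endings) and trailing blanks; keep the last assignment.
    sed -n 's/^[[:space:]]*encryption\.keystore\.alias[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
}

# Read `keytool -list` output on stdin; succeed only if ALIAS is a SecretKeyEntry.
# JCEKS aliases are not case-sensitive, so both sides are compared in lower case.
has_secret_key() {
    awk -F', *' -v want="$1" '
        tolower($1) == tolower(want) && $0 ~ /, *SecretKeyEntry/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Check every alias given as an argument against the listing on stdin.
# Reports each missing alias on stderr and returns the number missing.
check_aliases() {
    listing=$(cat)
    missing=0
    for a in "$@"; do
        if ! printf '%s\n' "$listing" | has_secret_key "$a"; then
            echo "missing SecretKeyEntry for alias: $a" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample input: the keytool listing shown on this page.
SAMPLE_LISTING='Keystore type: jceks
Keystore provider: IBMJCE
Your keystore contains 2 entries
efghkey5678, Oct 15, 2013, SecretKeyEntry,
abcdkey1234, Nov 22, 2013, SecretKeyEntry,'

# On a real server, pipe the page's verification command into check_aliases:
#   keytool -list -keystore encryption.keystore -storepass password -storetype jceks |
#       check_aliases "$(read_alias server/installed.properties)" efghkey5678
if printf '%s\n' "$SAMPLE_LISTING" | check_aliases abcdkey1234 efghkey5678; then
    echo "both server keys present"
fi
```

The check fails if an alias is present only as a different entry type, which a count of entries alone would not reveal.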
What to do next
Repeat this process to copy keys between other servers.