Exchanging keystores between servers

To share applications with secured properties or configure mutual authentication among IBM® UrbanCode Deploy servers and agents, exchange keys from each server or agent's encryption keystore.

Before you begin

Make sure that the location of the Java™ keytool command is on the PATH variable of the servers.

About this task

To share applications with secured properties, export the server's key and import it into each target server. This process enables applications from the exporting server to be used by the other servers. Repeat the process for each server with applications that you want to share.

Procedure

  1. On the first server, open a command-line window and go to the server installation conf directory.
  2. Find the value of the encryption.keystore.alias property in the install/conf/server/installed.properties file. For example, the following code shows a value of abcdkey1234:
    encryption.keystore=../conf/encryption.keystore
    encryption.keystore.alias=abcdkey1234
    You will need this alias in the next steps.
  3. Run the following command to import the server key into a temporary keystore. You must enter this command on a single line.
    keytool -importkeystore -srckeystore encryption.keystore 
      -srcstorepass srcPassword 
      -srcstoretype jceks 
      -alias alias 
      -destkeystore temp.keystore 
      -deststorepass tempPassword 
      -deststoretype jceks
    • For srcPassword, specify the password for the server keystore. The default password is changeit.
    • For alias, specify the value of the encryption.keystore.alias property.
    • For tempPassword, specify a password for the temporary keystore. You will need this password later.
  4. Copy the temporary keystore, which is named temp.keystore in the previous example, to the install/conf/ folder on the second server.
  5. On the second server, open a command-line window and go to the server installation conf directory.
  6. Run the following command to import the key in the temporary keystore into the server keystore. You must enter this command on a single line.
    keytool -importkeystore -srckeystore temp.keystore 
      -srcstorepass tempPassword 
      -srcstoretype jceks 
      -alias alias 
      -destkeystore encryption.keystore 
      -deststorepass destPassword 
      -deststoretype jceks
    • For tempPassword, specify the password for the temporary keystore.
    • For alias, specify the encryption.keystore.alias property of the first server, not the current server.
    • For destPassword, specify the password for the current server keystore.
  7. Optional: Delete the temporary keystore file from each server.

Results

The encryption key from the first server keystore is now on the second server keystore. As a result, the second server can now decrypt applications from the first server.
You can verify that the second server keystore has the key by running the following command on the second server:
keytool -list -keystore encryption.keystore 
  -storepass password 
  -storetype jceks
For password, use the password of the server keystore.
This command lists the keys in the server keystore. If you copied the keys successfully, the list includes at least two keys: one from each of the servers. These keys are listed according to the encryption.keystore.alias properties of the respective servers. For example, the following output shows two keys:
Keystore type: jceks
Keystore provider: IBMJCE

Your keystore contains 2 entries

efghkey5678, Oct 15, 2013, SecretKeyEntry,
abcdkey1234, Nov 22, 2013, SecretKeyEntry,

What to do next

Repeat this process to copy keys between other servers.

Feedback