Exchanging keystores between servers

To share applications with secured properties among several IBM® UrbanCode Deploy servers, exchange keys from each server's encryption.keystore.

About this task

To share applications with secured properties, export the server's key, then import it into each target server. This process enables applications from the exporting server to be used by the importing servers. Repeat the export process for each server with applications you want to share.

Procedure

  1. Open a shell and navigate to the conf directory for one of the servers, which is referred to as Server A for clarity.
  2. Because the name used for the imported key must match the name of the exported key, run the following command to list the alias for the Server A key:
    keytool -list -keystore <keystore file> -storetype <store type>
    For example:
    keytool -v -list -keystore /opt/udeploy/server/conf/encryption.keystore -storetype jceks
    -keystore must resolve to Server A's encryption.keystore. -storetype must be jceks.
  3. Export the file by running the following command:
    keytool -importkeystore -deststorepass <destination password> -destkeystore <exported keystore file> \
            -deststoretype jceks -srckeystore <Server A encryption.keystore> \
            -srcstoretype jceks -srcstorepass <source password> -alias <alias>
    For example:
    keytool -importkeystore -deststorepass changeit -destkeystore dev-instance.keystore \
            -deststoretype jceks -srckeystore /opt/udeploy/server/conf/encryption.keystore \
            -srcstoretype jceks -srcstorepass changeit -alias desedekeyj48p
    -alias must correspond to the alias returned by the keytool -list command.
  4. Move the exported keystore file to Server B's /conf directory.
  5. Import the file into the Server B keystore by running the following command:
    keytool -importkeystore -deststorepass <destination password> -destkeystore <Server B encryption.keystore> \
            -deststoretype jceks -srckeystore <exported keystore file> \
            -srcstoretype jceks -srcstorepass <source password> -destalias <alias> -srcalias <alias>
    For example:
    keytool -importkeystore -deststorepass changeit -destkeystore /opt/udeploy/server/conf/encryption.keystore \
            -deststoretype jceks -srckeystore import/dev-instance.keystore \
            -srcstoretype jceks -srcstorepass changeit -destalias desedekeyj48p -srcalias desedekeyj48p
    Both -destalias and -srcalias must correspond to the alias returned by the keytool -list command.
  6. Optional. If you intend to import Server B's applications into Server A, repeat the process in reverse, using Server B's alias in this instance.
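
The procedure above as shell functions, in an added example that is not IBM's code: it reads the alias from the keytool listing, creates the transfer keystore with owner-only permissions, and refuses to replace an existing alias on Server B. Passwords come from environment variables through keytool's :env modifier instead of the command line; SRC_PASS, XFER_PASS and DEST_PASS are hypothetical variable names, and the key entries are assumed to use the same password as their keystore.

```shell
# Added example, not IBM's code. SRC_PASS, XFER_PASS and DEST_PASS are
# hypothetical environment variables holding the keystore passwords.

# Aliases of secret-key entries, parsed from non-verbose `keytool -list` output on stdin.
secret_key_aliases() {
    awk -F', ' '/SecretKeyEntry/ { print $1 }'
}

# Steps 2-3: read the alias from Server A's keystore and export it to a transfer keystore.
export_key() {   # usage: export_key <server-A-keystore> <transfer-keystore>
    aliases=$(keytool -list -keystore "$1" -storetype jceks -storepass:env SRC_PASS |
              secret_key_aliases) || return 1
    if [ "$(printf '%s\n' "$aliases" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one secret-key alias, found: $aliases" >&2
        return 1
    fi
    (
        umask 077   # the transfer keystore contains the encryption key
        keytool -importkeystore \
            -srckeystore "$1" -srcstoretype jceks -srcstorepass:env SRC_PASS \
            -destkeystore "$2" -deststoretype jceks -deststorepass:env XFER_PASS \
            -srcalias "$aliases" -destalias "$aliases" >&2
    ) || return 1
    printf '%s\n' "$aliases"   # the alias to pass to import_key on Server B
}

# Step 5: import into Server B's keystore under the same alias,
# refusing to replace an entry that already uses that alias.
import_key() {   # usage: import_key <transfer-keystore> <server-B-keystore> <alias>
    if keytool -list -keystore "$2" -storetype jceks -storepass:env DEST_PASS |
       secret_key_aliases | grep -qxF -- "$3"; then
        echo "alias $3 already exists in $2; not overwriting" >&2
        return 1
    fi
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype jceks -srcstorepass:env XFER_PASS \
        -destkeystore "$2" -deststoretype jceks -deststorepass:env DEST_PASS \
        -srcalias "$3" -destalias "$3"
}
```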
