To use mutual authentication, servers and agents must exchange keys. You export the server key (as a certificate) and import it into the agent keystore, then reverse the process by exporting the agent key and importing it into the server keystore. Likewise, if you want to export an application from one server to another, keys can be exported from one server and imported into the other.
Before you begin
Before you exchange keys, ensure that the following properties are set:
- The server.jms.mutualAuth property in the server's installed.properties file (in the server_install/conf/server directory) is set to true.
- For each agent, the locked/agent.mutual_auth property in the agent's installed.properties file (in the agent_install\conf\agent directory) is set to true.
- For each agent relay, the agentrelay.jms_proxy.secure property in the relay's agentrelay.properties file (in the relay_install\conf directory) is set to true.
- For each agent relay, the agentrelay.jms_proxy.mutualAuth property in the relay's agentrelay.properties file is set to true.
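A pre-flight check for the four properties above, added here as an example (it is not part of the product or this page): it parses a Java .properties file (comments, '=' / ':' / whitespace separators, escaped keys, backslash continuations) and reports which required keys for a server, agent or relay are absent or not set to true. The sample file contents are constructed.

```python
import re
import sys
from pathlib import Path

# Properties that must be "true" before keys are exchanged, per component role.
REQUIRED = {
    "server": ["server.jms.mutualAuth"],
    "agent": ["locked/agent.mutual_auth"],
    "relay": ["agentrelay.jms_proxy.secure", "agentrelay.jms_proxy.mutualAuth"],
}

# Key: escaped chars or anything but '=', ':' or whitespace; then optional separator; then value.
_ENTRY = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Parse Java .properties text into a dict (comments, separators, continuations)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()  # Java also strips leading whitespace on continuation lines
        if not pending and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes means the entry continues on the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        match = _ENTRY.match(pending + line)
        pending = ""
        if match:
            key = re.sub(r"\\(.)", r"\1", match.group(1))  # unescape \: \= and \space in keys
            props[key] = match.group(2).strip()
    return props


def check_mutual_auth(role, text):
    """Return the required keys for `role` that are missing or not set to true."""
    props = parse_properties(text)
    return [k for k in REQUIRED[role] if props.get(k, "").lower() != "true"]


# Constructed sample files (not taken from a real installation).
SAMPLE_SERVER = "# installed.properties\nserver.jms.mutualAuth=true\n"
SAMPLE_AGENT = "locked/agent.mutual_auth = false\n"
SAMPLE_RELAY = "agentrelay.jms_proxy.secure:true\nagentrelay.jms_proxy.mutualAuth=\\\n    true\n"

if __name__ == "__main__":
    # Usage: python check_mutual_auth.py server|agent|relay path/to/file.properties
    role, path = sys.argv[1], sys.argv[2]
    missing = check_mutual_auth(role, Path(path).read_text(encoding="latin-1"))
    print("OK" if not missing else "not true: " + ", ".join(missing))
    sys.exit(1 if missing else 0)
```

Run it against each component's file before restarting: an agent or relay whose flag is still false will fail to connect once the server requires mutual authentication.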
Procedure
- Open a shell and go to the server installation conf directory.
- Run the following command:
keytool -export -keystore server.keystore -storepass changeit -alias server -file server.crt
- Copy the exported file (the certificate) to the agent's or agent relay's installation conf directory.
- Import the file by running the following from within the agent's conf directory (or the agent relay's jms-relay directory):
keytool -import -keystore ud.keystore -storepass changeit -alias server -file server.crt -keypass changeit -noprompt
You should see the message Certificate was added to keystore.
Note: For agent relays, replace ud.keystore with the name of the relay's keystore: agentrelay.keystore.
- For each local agent or agent relay, export the key by running the following (change the file argument to match the agent name):
keytool -export -keystore ud.keystore -storepass changeit -alias ud_agent -file [agent_name].crt
You should see the message Certificate stored in file (agent_name.crt).
Note: For agent relays, replace ud.keystore with the name of the relay's keystore: agentrelay.keystore.
- Copy the exported file to the server's conf directory.
- From within the server's conf directory, import each certificate by running the following command (change the file argument and the alias to match the certificate's name):
keytool -import -keystore ud.keystore -storepass changeit -alias [agent_name] -file [agent_name].crt -keypass changeit -noprompt
You should see the message Certificate was added to keystore.
- Restart the server and the agents/agent relays.
What to do next
To connect an agent relay with its remote agents, swap certificates as explained above: each remote agent must import the certificate for the relay, and the relay must import the certificate from each remote agent. Agents that use relays do not have to swap certificates with the server.
To list the certificates that are loaded into a keystore, run the following from within the keystore directory:
keytool -list -keystore ud.keystore -storepass changeit
For information about exchanging keys among servers, see Exchanging keystores between servers.