[8.5.5.4 or later]
This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Generating collective controller SSL keys

You can use the collective utility genKey command to generate a keystore in Java™ keystore (JKS) format. The keystore contains a personal certificate that enables Secure Sockets Layer (SSL) communication with the collective controller.

Before you begin

Create a collective controller. See Configuring a Liberty collective.

If you want a collective controller and its members to use the TLSv1.2 protocol for the Secure Sockets Layer (SSL) context, see Setting up Liberty to run in SP800-131a. The server.xml files of the controller and members need ssl elements with id attributes, and each host computer needs a server.env file containing the statement JVM_ARGS=-Dhttps.protocols=TLSv1.2 in its ${wlp.install.dir}/etc directory.

About this task

Remote JMX connections to a collective controller use SSL and require suitable SSL keys. The collective utility genKey command generates a keystore that contains a personal certificate which the collective controller trusts. The generated keystore also includes a public signer certificate so it can function as a trust store.

For a Java virtual machine (JVM), such as a collective member server or a non-Liberty server, to connect to a collective controller, the JVM must have a keystore that contains a key which the collective controller trusts. The genKey command generates this keystore. After the JVM has the keystore, the JVM can connect to the collective controller and the collective controller can return its key. This return of the collective controller key to the JVM is called the SSL handshake.

For the JVM to add the collective controller key to its truststore without interaction, the --autoAcceptCertificates option must be used. If the --autoAcceptCertificates option is not used, the user is prompted before the key is added to the truststore.

Procedure

Run the collective genKey command to generate a JKS keystore.
wlp/bin/collective genKey [--host=collectiveControllerHost --port=collectiveControllerHTTPSPort --user=collectiveControllerAdminUserID --password=collectiveControllerAdminUserPassword --keystorePassword=generatedKeystorePassword --autoAcceptCertificates]

For example, for a collective controller on host machineA that uses port 1090 and has a collective controller administrative user Admin1 with password Admin1pwd, run the following command to generate a keystore and set its password to kspwd:

collective genKey --host=machineA --port=1090 --user=Admin1 --password=Admin1pwd --keystorePassword=kspwd --autoAcceptCertificates

This example includes the required settings for the genKey command:

--host=collectiveControllerHost
The host name of the target collective controller
--password=collectiveControllerAdminUserPassword
The password of the administrative user for the target collective controller. If no password is defined, you are prompted for the password of the administrative user specified by the --user setting.
--port=collectiveControllerHTTPSPort
The HTTPS port number of the target collective controller
--user=collectiveControllerAdminUserID
An administrative user of the target collective controller
--keystorePassword=generatedKeystorePassword
The password for the generated keystore. If you specify this option without a value, you are prompted for a password.

The genKey command also has optional settings:

--autoAcceptCertificates
Automatically trust SSL certificates during this command.
--certificateSubject=DN
The distinguished name (DN) of the generated SSL certificate. The default DN is:
CN=localhost,OU=client,O=ibm,C=us
--certificateValidity=numberOfDays
The number of days the generated SSL certificate is valid. The default validity period is 1825 days, or 5 years. The minimum validity period is 365 days.
--keystoreFile=filePath
The file to which the keystore is written. The default is the key.jks file in the current directory.
--key=key
A key to use for AES encoding. The product hashes the specified key string to produce an encryption key that is used to encrypt and decrypt the password. To provide the key to the server, define a variable named wlp.password.encryption.key whose value is the key. If you do not specify this option, the product supplies a default key.
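The following shell script is an added example and is not part of the IBM documentation or of the Liberty product. It builds the genKey command line from the settings described above, applies the documented defaults (1825 days, key.jks) and the 365-day minimum validity before calling the command, omits --password when none is given so that genKey prompts for it, and, after generation, checks with the JDK keytool that the keystore contains both the personal certificate (a private key entry) and the signer certificate (a trusted certificate entry) that the task describes. The install root WLP_HOME, the host machineA, port 1090, user Admin1, the passwords and the file name client-key.jks are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or the Liberty product code:
# assemble the collective genKey command line, enforce the documented 365-day
# minimum certificate validity, and verify the generated keystore with keytool.
# WLP_HOME is an assumed install root, not a Liberty variable; all host, port,
# user, password and file name values below are constructed samples.

WLP_HOME="${WLP_HOME:-/opt/wlp}"

# build_genkey_cmd HOST PORT USER PASSWORD KEYSTORE_PW [VALIDITY] [KEYSTORE_FILE] [AUTO_ACCEPT]
# Prints the genKey command line; returns 1 when the validity period is invalid.
# An empty PASSWORD omits --password so that genKey prompts for it instead of
# exposing it in the process list.
build_genkey_cmd() {
    host="$1"; port="$2"; user="$3"; password="$4"; kspw="$5"
    validity="${6:-1825}"        # documented default: 1825 days (5 years)
    ksfile="${7:-key.jks}"       # documented default: key.jks in the current directory
    auto_accept="${8:-no}"

    case "$validity" in
        ''|*[!0-9]*) echo "validity must be a whole number of days" >&2; return 1 ;;
    esac
    # genKey rejects certificates valid for less than 365 days; fail before calling it.
    if [ "$validity" -lt 365 ]; then
        echo "certificate validity must be at least 365 days (got $validity)" >&2
        return 1
    fi

    cmd="$WLP_HOME/bin/collective genKey --host=$host --port=$port --user=$user"
    [ -n "$password" ] && cmd="$cmd --password=$password"
    cmd="$cmd --keystorePassword=$kspw --certificateValidity=$validity --keystoreFile=$ksfile"
    # Trust the controller's certificate automatically only when explicitly
    # requested; otherwise genKey prompts and the operator can inspect it first.
    [ "$auto_accept" = "yes" ] && cmd="$cmd --autoAcceptCertificates"
    printf '%s\n' "$cmd"
}

# verify_keystore KEYSTORE_FILE KEYSTORE_PW
# Confirms the keystore holds a private key entry (the personal certificate)
# and a trusted certificate entry (the signer), which is what lets the same
# file serve as both keystore and truststore. Returns 2 if keytool is absent.
verify_keystore() {
    ksfile="$1"; kspw="$2"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    listing=$(keytool -list -keystore "$ksfile" -storepass "$kspw" 2>/dev/null) || return 1
    printf '%s\n' "$listing" | grep -q 'PrivateKeyEntry'  || return 1
    printf '%s\n' "$listing" | grep -q 'trustedCertEntry' || return 1
}

# Sample run with constructed values. The command is only printed unless
# GENKEY_EXECUTE=yes is set and a Liberty installation exists at WLP_HOME.
cmd=$(build_genkey_cmd machineA 1090 Admin1 "" kspwd 730 client-key.jks no) || exit 1
printf 'would run: %s\n' "$cmd"
if [ "${GENKEY_EXECUTE:-no}" = "yes" ]; then
    sh -c "$cmd" && verify_keystore client-key.jks kspwd
fi
```

Leaving AUTO_ACCEPT at no keeps the documented prompt, so the controller certificate presented during the SSL handshake can be compared with the one the controller administrator expects before it is added to the truststore; pass yes only in scripted runs where that comparison has already been made.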


Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=tagt_wlp_generate_ssl_keys
File name: tagt_wlp_generate_ssl_keys.html