
RTC V7: how to change the certificate in liberty server?


Frank Ning (50024113131) | asked Dec 11 '20, 10:15 a.m.

Hello,


I installed RTC V7 with embedded Liberty and Derby database. Could you please help to see how I can change the self-signed localhost certificate to a CA-signed certificate (I have the identity and trust keystores ready for use)?

Thanks a lot
Frank

One answer



Kevin Ramer (4.5k6167186) | answered Dec 16 '20, 4:20 p.m.

If you have a key store from which a signing request was made and sent to some CA, and the new certificate has been received into that key store, you can configure Liberty to use those key stores rather simply.


Find the keyStore definition in server.xml (e.g.):

<keyStore id="defaultKeyStore" location="key.p12" type="PKCS12" password="{xor}#NSO#ENHWEF" />

Modify the location for the key store; if the location doesn't start with / or c:\ the location is relative to the Liberty server definition. type denotes the key store type; the default is JKS. To get the encoding for your key store password, use Liberty/bin/securityUtility:

Actions:

    encode
        Encode the provided text.

    createSSLCertificate
        Create a default SSL certificate for use by the server or
        client configuration. 

    createLTPAKeys
        Create a set of LTPA keys for use by the server, or that can be shared
        with multiple servers. If no server or file is specified, a ltpa.keys
        file will be created in the current working directory.

    help
        Print help information for the specified action.

Options:
        Use help [actionName] for detailed option information of each action.

Example:  
lib/wlp18/bin/securityUtility encode framework

{xor}OS0+MjooMC00


Copy and paste the whole output from securityUtility as the password= value.


The defaultTrustStore can be defined in a similar fashion.

You may need an ssl section to hook your certificates file to the http endpoints:


 <ssl keyStoreRef="defaultKeyStore" trustStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" id="sslRep" />



The CLM server that gets created has only a few references to keyStore, so it is probably enough to provide your own key store file / password here:

        <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>

        

        <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>
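As an added worked example (not part of the answer above and not IBM's tooling), the following Python reproduces the {xor} encoding that securityUtility encode produces by default (every byte XORed with 0x5F, i.e. '_', then base64), decodes it back to show that it is reversible obfuscation rather than protection, and checks a server.xml fragment for the two slips this kind of edit invites: an ssl element whose keyStoreRef/trustStoreRef does not exactly match a keyStore id (the check assumes an exact, case-sensitive string match), and a keystore password left in clear text. The server.xml fragment, its file paths and the password are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

# Liberty's {xor} encoding: XOR each byte with '_' (0x5F), then base64.
XOR_KEY = 0x5F


def xor_encode(plain: str) -> str:
    """Reproduce `securityUtility encode <text>` (default {xor} encoding)."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse the encoding. Anyone who can read server.xml can do this,
    which is why file permissions on server.xml matter and {aes} is the
    stronger choice for anything beyond hiding a value from shoulder-surfing."""
    if not encoded.startswith("{xor}"):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(encoded[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


# Constructed server.xml fragment modelled on the answer; paths and the
# encoded password ("framework", from the securityUtility example) are
# sample values, not a real CLM configuration.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="/opt/certs/identity.p12"
            type="PKCS12" password="{xor}OS0+MjooMC00"/>
  <keyStore id="defaultTrustStore" location="/opt/certs/trust.p12"
            type="PKCS12" password="{xor}OS0+MjooMC00"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.2"/>
</server>"""


def check_ssl_refs(server_xml: str) -> list:
    """Return a list of problems found in a server.xml fragment:
    - keyStore passwords stored without a {xor}/{aes} prefix (clear text)
    - <ssl> keyStoreRef/trustStoreRef values that name no <keyStore id>
      (assumed to be an exact, case-sensitive match, as Liberty ids are)."""
    root = ET.fromstring(server_xml)
    ids = {ks.get("id") for ks in root.iter("keyStore")}
    problems = []
    for ks in root.iter("keyStore"):
        pw = ks.get("password", "")
        if pw and not (pw.startswith("{xor}") or pw.startswith("{aes}")):
            problems.append(f"keyStore {ks.get('id')}: password is plain text")
    for ssl in root.iter("ssl"):
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = ssl.get(attr)
            if ref is not None and ref not in ids:
                problems.append(
                    f"ssl {ssl.get('id')}: {attr}={ref!r} matches no keyStore id"
                )
    return problems


if __name__ == "__main__":
    print(xor_encode("framework"))          # same value securityUtility printed
    print(xor_decode("{xor}OS0+MjooMC00"))  # framework
    print(check_ssl_refs(SAMPLE_SERVER_XML) or "server.xml fragment is consistent")
```

Run the checker over your own server.xml before restarting the server: a keyStoreRef that differs from the keyStore id only in letter case (defaultKeystore versus defaultKeyStore) is easy to miss by eye and leaves Liberty without a usable identity for the endpoint.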

