Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

RTC V7: how to change the certificate in liberty server?

Hello,


I installed RTC V7 with embedded liberty and derby database. Could you please help to see how I can change the self-signed localhost certificate to a CA-signed certificate (I have the identify and trust keystores ready for use)?

Thanks a lot
Frank

0 votes



One answer

Permanent link

 If you have a key store from which a signing request was made and sent to some CA, the new certificate receive into the key store, you can configure Liberty to use those key stores rather simply.


Find the keyStore definition in server.xml ( e.g. )
<keyStore id="defaultKeystore" location="key.p12" type="PKCS12" password="{xor}#NSO#ENHWEF">
Modify the location for the key store  if the location doesn't start with / or c:\ the location is relative to the Liberty server definition.  type denotes the key store type, the default is JKS.  To get the encoding for your key store password use the Liberty/bin/securityUtility

Actions:

    encode
        Encode the provided text.

    createSSLCertificate
        Create a default SSL certificate for use by the server or
        client configuration. 

    createLTPAKeys
        Create a set of LTPA keys for use by the server, or that can be shared
        with multiple servers. If no server or file is specified, a ltpa.keys
        file will be created in the current working directory.

    help
        Print help information for the specified action.

Options:
        Use help [actionName] for detailed option information of each action.

Example:  
lib/wlp18/bin/securityUtility encode framework

{xor}OS0+MjooMC00


Copy paste the whole bit from the securityUtility for password= value


The defaultTrustStore can be defined in a similar fashion.

You may need an ssl section to hook your certificates file to the http endpoints:


 <ssl keyStoreRef="defaultKeyStore" trustStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" id="sslRep" />



The clm server that gets created has only a few references to keyStore so it is probably enough to provide your own key store file / password here:

        <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>

        

        <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>


0 votes

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details

Question asked: Dec 11 '20, 10:15 a.m.

Question was seen: 2,350 times

Last updated: Dec 16 '20, 4:20 p.m.

Confirmation Cancel Confirm