Configuring mutual authentication

To use mutual authentication, servers and agents must exchange keys. You export a server key as a certificate and import it into the agent keystore, and then reverse the process by exporting the agent key and importing it into the server keystore.

Before you exchange keys, ensure that the following properties are set:
  1. The server.jms.mutualAuth property in the server's installed.properties file (in the server_install/conf/server directory) is set to true.
  2. For each agent, the locked/agent.mutual_auth property in the agent's installed.properties file (in the agent_install\conf\agent directory) is set to true.
  1. Open a command-line window and go to the server installation conf directory.
  2. Run the following command:
    keytool -export -keystore server.keystore -storepass changeit 
-alias server -file server.crt
    The keytool application is included in the Java developer kit and is not part of IBM® UrbanCode™ Build.
  3. Copy the exported file (certificate) to the agent installation conf directory.
  4. Import the file by running the following command from within the agent's conf directory: 
    keytool -import -keystore keystoreFile -storepass changeit 
-alias server -file server.crt -keypass changeit -noprompt
    You should see the Certificate was added to keystore message.
  5. For each local agent, export the key by running the following (change the name of the file argument to match the agent name): 
    keytool -export -keystore keystoreFile -storepass changeit 
-alias ibm-ucb_agent -file agentName.crt
    For agentName, specify a unique string identifier for the agent.
    You should see the message Certificate stored in file agentName.crt.
  6. Copy the exported file to the server's conf directory.
  7. From within the server's conf directory, import each certificate by running the following command: 
    keytool -import -keystore server.keystore -storepass changeit 
-alias [agent_name] -file agentName.crt -keypass changeit -noprompt
    The Certificate was added to keystore message is displayed.
  8. Restart the server and agents.

To list the certificates that are loaded into a keystore, run the following command from within the keystore directory:

keytool -list -keystore keystoreFile -storepass changeit

For information about exchanging keys among servers, see Sharing secured properties among servers.