Configuring the server authentication on Collector Server

Fix Pack 1

Create a keystore and a certificate for Collector Server. Use the Java™ Keytool or the IBM® Key Management Utility (IKEYMAN) to create the keystore, the private key, and the public key and to associate the public key with a certificate.

About this task

The Java Keytool and IKEYMAN are both delivered with Content Collector for SAP as part of the IBM JRE and have the following fully qualified file names:
  • The Java Keytool:
    • Linux/UNIX: InstallHome/java/jre/bin/keytool
    • Windows: InstallHome\java\jre\bin\keytool.exe
  • IKEYMAN:
    • Linux/UNIX: InstallHome/java/jre/bin/ikeyman
    • Windows: InstallHome\java\jre\bin\ikeyman.exe

To use IKEYMAN, start the ikeyman program. To use the Java Keytool, take these steps:

Procedure

  1. Change to the daemon directory and then open a command line.
    For example, change to the following directory:
    /home/iccsapadmin/daemon
  2. Enter the following command on one line:
    keytool -genkeypair
     -keyalg key_algorithm
     -keysize keysize
     -sigalg signature_algorithm
     -alias name
     -validity number_of_days
     -keystore keystore_file
    key_algorithm
    Specify the algorithm that is to be used to generate the key pair. Specify RSA.
    keysize
    Specify the size of the keys that are to be generated.
    signature_algorithm
    Specify the algorithm that is to be used to sign the certificate. Specify SHA256withRSA or SHA512withRSA.
    name
    Specify a name of your choice for the certificate chain and the private key that are created with this command. The name must be unique in the keystore.
    number_of_days
    Specify for how many days the certificate is to be valid.
    keystore_file
    Specify the fully qualified file name for the keystore. The keystore must be stored in the daemon path.
    Example:
    keytool -genkeypair
     -keyalg RSA
     -keysize 2048
     -sigalg SHA256withRSA
     -alias iccsap1
     -validity 365
     -keystore /home/iccsapadmin/daemon/keystore.jks
    Important: Ensure that your web application server can handle the level of cryptography that you specify for the keys, such as the keysize parameter. To be on the safe side, install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on your web application server.
  3. Enter a password when you are prompted by this message:
    Enter keystore password:
    For example, enter:
    icc4sap
  4. Enter an answer for each prompt for your organization information.
    For example:
    What is your first and last name? [Unknown]:
    server_name
    
    What is the name of your organizational unit? [Unknown]:
    Myunit
    
    What is the name of your organization? [Unknown]:
    Myorg
    
    What is the name of your City or Locality? [Unknown]:
    Mycity
    
    What is the name of your State or Province? [Unknown]:
    Mystate
    
    What is the two-letter country-code for this unit? [Unknown]:
    US
    
    Is <CN=myserver.com, OU=Myunit, O=Myorg , L=Mycity , ST=Unknown, C=US> correct? [no]:
    yes
    
    Enter key password for server_name (Press Enter if you want to use
    the same password as for the keystore)
    For server_name, specify the fully qualified host name or the IP address of the system where Collector Server is installed.

Results

A self-signed server certificate is created.
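
To confirm the result, the following added example (not part of the IBM documentation) checks the output of keytool -list -v against the settings in this procedure: the certificate is self-signed, its CN is the Collector Server host name, and the signature algorithm is one of the two named in step 2. The function names, the field labels (taken from OpenJDK keytool output) and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Usage: keytool -list -v -alias iccsap1 -keystore /home/iccsapadmin/daemon/keystore.jks \
#          | check_listing myserver.com
# Field labels follow OpenJDK keytool output (assumption; compare with your JRE's output).

# Constructed sample listing for the alias created in the example command.
sample_listing() {
cat <<'EOF'
Alias name: iccsap1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myserver.com, OU=Myunit, O=Myorg, L=Mycity, ST=Mystate, C=US
Issuer: CN=myserver.com, OU=Myunit, O=Myorg, L=Mycity, ST=Mystate, C=US
Signature algorithm name: SHA256withRSA
EOF
}

# field LABEL: print the value of the first "LABEL: value" line in $listing.
field() {
    printf '%s\n' "$listing" | sed -n "s/^$1: //p" | head -n 1
}

# check_listing HOST: read a listing on stdin; return 0 only if every check passes.
check_listing() {
    host=$1
    listing=$(cat)
    rc=0
    owner=$(field 'Owner')
    issuer=$(field 'Issuer')
    sigalg=$(field 'Signature algorithm name')

    # The procedure produces a self-signed certificate: subject equals issuer.
    [ -n "$owner" ] && [ "$owner" = "$issuer" ] || { echo "FAIL: not self-signed"; rc=1; }

    # CN must be the Collector Server host name or IP address (server_name).
    cn=$(printf '%s\n' "$owner" | sed -n 's/^CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || { echo "FAIL: CN '$cn' is not '$host'"; rc=1; }

    # Only the two signature algorithms named in the procedure are accepted.
    case $(printf '%s' "$sigalg" | tr 'A-Z' 'a-z') in
        sha256withrsa|sha512withrsa) ;;
        *) echo "FAIL: signature algorithm '$sigalg'"; rc=1 ;;
    esac
    return $rc
}
```
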

What to do next

Configuring the client authentication