Configuring remote Command Line Adapter 2 (CLA2) on Certified Container

On a Certified Container deployment, the CLA2 server jar can be extracted from the ASI node or pod and set up on a remote host server. To set up and launch a remote CLA2 server on an external host, you must perform certain additional steps on a Certified Container deployment.

Extract CLA2 server package jar

To extract the CLA2 server package jar from the ASI node or pod, perform the following steps:
  1. Generate the CLA2 remote package jar by executing the following commands:
    oc/kubectl get pods -n <namespace> # lists the pods in the given namespace; make a note of the asi-0 pod
    oc/kubectl exec <asi-pod-name> -- ./CLA2makeJar.sh # generates the CLA2 remote package jar
    
  2. Copy the CLA2 remote package jar from the pod using the following command:
    oc cp <asi-pod-name>:/ibm/b2bi/install/bin/CLA2RemotePackage.jar <local-dir>/CLA2RemotePackage.jar -n <namespace> -c asi

Copy CLA2RemotePackage.jar to the remote host and set it up. For more details, refer to Installing the Command Line Adapter 2 server remotely.

Set up authentication and SSL for remote CLA2 server

You must configure the CLA2 Adapter System Authentication Certificate and the CLA2 Server SSL Public CA Certificate for a secure connection between CLA2 Adapter and Server in Sterling B2B Integrator.

By default, the system generates the cla2auth and cla2ssl certificates. On Certified Containers, do not use these default certificates; create new certificates and configure them instead.

Configuring the CLA2 Adapter System Authentication Certificate

Follow these steps to configure the CLA2 Adapter System Authentication Certificate:
  1. Create a new self-signed certificate in Sterling B2B Integrator instead of the default cla2auth certificate.
    1. From the Sterling B2B Integrator Administration menu, select Trading Partner > Digital Certificates > System > Create > Self-signed Certificate > Go!.
    2. Provide these values to create the new certificate:
      • Name = new_cla2auth_name
      • Organization = new_cla2auth_org
      • Duration (days) = 735
      • Key Length = 2048
      • Signing Algorithm = SHA256withRSA
    3. Click Next > Finish.
  2. Export the new certificate new_cla2auth_name.
    1. From the Sterling B2B Integrator Administration menu, select Trading Partner > Digital Certificates > System > Search > new_cla2auth_name > Go!.
    2. Check out > Format=DER > Go!.
    3. Save the new certificate file as new_cla2auth_name.der.
  3. Import the new certificate new_cla2auth_name to CLA2 Server keystore.
    1. Transfer new_cla2auth_name.der to the CLA2 Server system.
    2. Use the keytool to import the certificate.
      
      jdk/bin/keytool -import -v -file new_cla2auth_name.der -alias new_cla2auth_name -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword
      

Configuring the CLA2 Server SSL Public CA Certificate

Follow the steps to configure the CLA2 Server SSL Public CA Certificate:
  1. Create a self-signed certificate in Sterling B2B Integrator instead of the default cla2ssl certificate and add it to the CLA2 Server keystore using the keytool.
    
    jdk/bin/keytool -genkeypair -v -alias new_cla2ssl_name -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "C=US, O=Sterling, CN=new_cla2ssl_name" -validity 735 -keypass CLA2ServerKeyStorePassword -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword
    
  2. Export the new certificate new_cla2ssl_name from CLA2 Server keystore using the keytool.
    
    jdk/bin/keytool -export -v -alias new_cla2ssl_name -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword -file new_cla2ssl_name.cert
    
  3. Check in the new certificate new_cla2ssl_name as the new CA certificate in Sterling B2B Integrator.
    1. Transfer new_cla2ssl_name.cert to the Sterling B2B Integrator server.
    2. From the Sterling B2B Integrator Administration menu, select Trading Partner > Digital Certificates > CA > check-in.
    3. Import from File > Filename > new_cla2ssl_name.cert (no Password).
    4. Click Next > Finish.
  4. Verify that only one keyEntry is listed in the CLA2 Server keystore.
    1. Use the keytool to list the contents of the CLA2 Server keystore.
      
      jdk/bin/keytool -list -v -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword
      
    2. Identify the aliases of the Entry type: key Entry.
    3. Use the keytool to delete every key entry except the new new_cla2ssl_name entry from the CLA2 Server keystore.
      
      For example, to delete an old keyEntry with the alias cla2ssl:
      jdk/bin/keytool -delete -v -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword -alias cla2ssl
      

Reconfiguring Sterling B2B Integrator services to use the newly created CLA2 Adapter System Authentication Certificate and the CLA2 Server SSL Public CA Certificate

Follow the steps below to reconfigure Sterling B2B Integrator services to use the newly created CLA2 Adapter System Authentication Certificate and the CLA2 Server SSL Public CA Certificates:
  1. From the Sterling B2B Integrator dashboard, select Deployment > Configuration > List > Search by Service Type > Command Line Adapter 2 > Go! > Edit.
  2. Provide these values:
    • Properties: System Authentication Certificate: new_cla2auth_name
    • SSL options: SSL Public CA Certificate: new_cla2ssl_name
  3. Click Confirm > Finish.

Updating CLA2 Server configuration

Follow the steps below to update the CLA2 Server configuration:
  1. Verify the following parameters in <isbi-install>/properties/CmdLine2server.properties.
    • keystoreLocation=<isbi-install-path>/client/cmdline2/cla2_KeyStore.jks
    • keystorePassword=CRYPTED:EI++...=
    • publicCertAlias=new_cla2auth_name
    • signatureAlgorithm=SHA256withRSA
    • SSLCertificateName=new_cla2ssl_name
  2. Restart the CLA2 Server.
    • call <isbi-install-path>/bin/stopCmdLine2.sh
    • call <isbi-install-path>/bin/startCmdLine2.sh
    • verify logs/cla2server.log
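
The keystore check in step 4 of the SSL certificate procedure and the parameter check in step 1 above can be done together by comparing CmdLine2server.properties with saved `keytool -list -v` output. The script below is an added example, not IBM code; the function names (prop, entries, audit, write_samples) and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. All sample data is constructed.

# prop FILE KEY: print the value of KEY from a Java properties file
prop() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# entries LISTING TYPE_REGEX: print aliases from saved `keytool -list -v`
# output whose "Entry type:" matches TYPE_REGEX
entries() {
    awk -v re="$2" '
        /^Alias name:/ { alias = $0; sub(/^Alias name:[ \t]*/, "", alias) }
        /^Entry type:/ { t = $0; sub(/^Entry type:[ \t]*/, "", t)
                         if (t ~ re) print alias }' "$1"
}

# audit PROPS LISTING: print findings; return non-zero if there are any
audit() {
    rc=0
    ssl=$(prop "$1" SSLCertificateName)
    auth=$(prop "$1" publicCertAlias)
    # Older JDKs label private keys "keyEntry", newer ones "PrivateKeyEntry".
    keys=$(entries "$2" '^(PrivateKeyEntry|keyEntry)$')
    [ -n "$ssl" ] && [ "$keys" = "$ssl" ] ||
        { echo "key entries should be only '$ssl', found: $(echo $keys)"; rc=1; }
    entries "$2" '^trustedCertEntry$' | grep -Fqx -- "$auth" ||
        { echo "publicCertAlias '$auth' is not a trustedCertEntry"; rc=1; }
    if [ "$ssl" = cla2ssl ] || [ "$auth" = cla2auth ]; then
        echo "a default certificate (cla2ssl/cla2auth) is still configured"; rc=1
    fi
    return $rc
}

# write_samples DIR: constructed properties file and keystore listings
write_samples() {
    printf '%s\n' 'publicCertAlias=new_cla2auth_name' \
        'signatureAlgorithm=SHA256withRSA' \
        'SSLCertificateName=new_cla2ssl_name' > "$1/CmdLine2server.properties"
    printf '%s\n' 'Alias name: new_cla2ssl_name' 'Entry type: PrivateKeyEntry' \
        '' 'Alias name: new_cla2auth_name' 'Entry type: trustedCertEntry' \
        > "$1/after.txt"
    # Before step 4.3 the default cla2ssl key entry is still in the keystore.
    { cat "$1/after.txt"
      printf '%s\n' '' 'Alias name: cla2ssl' 'Entry type: PrivateKeyEntry'
    } > "$1/before.txt"
}

d=$(mktemp -d) && write_samples "$d"
audit "$d/CmdLine2server.properties" "$d/before.txt" || echo "before cleanup: FAIL"
audit "$d/CmdLine2server.properties" "$d/after.txt" && echo "after cleanup: OK"
rm -rf "$d"
```

On a real CLA2 server, redirect the output of the keytool -list -v command from step 4 to a file and pass that file and the properties file to audit.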

CLA2 adapter configurations

Set the following configurations while configuring the CLA2 adapter to connect to a remote CLA2 server:
  1. Set the Remote Name to the remote host IP or name.
  2. Set the Remote Port to the configured remote port.
  3. Set the working directory to the location on the external remote host where all the relevant scripts and files to be executed by the CLA2 adapter have been copied. The remote host can run any Windows or Unix/Linux OS.