Configuring remote Command Line Adapter 2 (CLA2) on Certified Container
On a Certified Container deployment, the CLA2 server jar can be extracted from the ASI node or pod and set up on a remote host server. To set up and launch a remote CLA2 server on an external host, you must perform certain additional steps on a Certified Container deployment.
Extract CLA2 server package jar
- Generate the CLA2 remote package jar by executing the following commands:
    oc/kubectl get pods -n <namespace>   # lists the pods in the given namespace; make a note of the asi-0 pod
    oc/kubectl exec <asi-pod-name> -- ./CLA2makeJar.sh   # generates the CLA2 remote package jar
- Copy the CLA2 remote package jar from the pod using the following command:
    oc cp <asi-pod-name>:/ibm/b2bi/install/bin/CLA2RemotePackage.jar <local-dir>/CLA2RemotePackage.jar -n <namespace> -c asi
Copy CLA2RemotePackage.jar to the remote host and set it up. For more details, refer to Installing the Command Line Adapter 2 server remotely.
Set up authentication and SSL for remote CLA2 server
You must configure the CLA2 Adapter System Authentication Certificate and the CLA2 Server SSL Public CA Certificate for a secure connection between CLA2 Adapter and Server in Sterling B2B Integrator.
By default, the system generates the cla2auth and cla2ssl certificates. On Certified Containers, create new certificates and configure those instead of using the default ones.
Configuring the CLA2 Adapter System Authentication Certificate
- Create a new self-signed certificate in Sterling B2B Integrator instead of the default cla2auth certificate.
  - From Sterling B2B Integrator Administration menu, select Trading Partner > Digital Certificates > System > Create > Self-signed Certificate > Go!.
  - Provide these values to create the new certificate:
    - Name = new_cla2auth_name
    - Organization = new_cla2auth_org
    - Duration (days) = 735
    - Key Length = 2048
    - Signing Algorithm = SHA256withRSA
  - Click Next > Finish.
- Export the new certificate new_cla2auth_name.
  - From Sterling B2B Integrator Administration menu, select Trading Partner > Digital Certificates > System > Search > new_cla2auth_name > Go!.
  - Check out > Format=DER > Go!.
  - Save the new certificate file as new_cla2auth_name.der.
- Import the new certificate new_cla2auth_name to CLA2 Server keystore.
  - Transfer new_cla2auth_name.der to the CLA2 Server system.
  - Use the keytool to import the certificate.
      jdk/bin/keytool -import -v -file new_cla2auth_name.der -alias new_cla2auth_name -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword
Configuring the CLA2 Server SSL Public CA Certificate
- Create a self-signed certificate in Sterling B2B Integrator instead of the default cla2ssl certificate and add it to the CLA2 Server keystore using the keytool.
    jdk/bin/keytool -genkeypair -v -alias new_cla2ssl_name -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "C=US, O=Sterling, CN=new_cla2ssl_name" -validity 735 -keypass CLA2ServerKeyStorePassword -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword
- Export the new certificate new_cla2ssl_name from CLA2 Server keystore using the keytool.
    jdk/bin/keytool -export -v -alias new_cla2ssl_name -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword -file new_cla2ssl_name.cert
- Check in the new certificate new_cla2ssl_name as the new CA certificate in Sterling B2B Integrator.
  - Transfer new_cla2ssl_name.cert to the Sterling B2B Integrator server.
  - From Sterling B2B Integrator Administration menu, select Trading Partner > Digital Certificates > CA > check-in.
  - Import from File > Filename > new_cla2ssl_name.cert (no Password).
  - Click Next > Finish.
- Verify that only one keyEntry is listed in the CLA2 Server keystore.
  - Use the keytool to list the contents of the CLA2 Server keystore.
      jdk/bin/keytool -list -v -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword
  - Identify the aliases of the Entry type: key Entry.
  - Use the keytool to delete all but the new new_cla2ssl_name entry from the CLA2 Server keystore. For example, to delete an old keyEntry with the alias cla2ssl:
      jdk/bin/keytool -delete -v -keystore client/cmdline2/cla2_KeyStore.jks -storepass CLA2ServerKeyStorePassword -alias cla2ssl
Reconfiguring Sterling B2B Integrator services to use the newly created CLA2 Adapter System Authentication Certificate and the CLA2 Server SSL Public CA Certificate
- From the Sterling B2B Integrator dashboard, select Deployment > Configuration > List > Search by Service Type > Command Line Adapter 2 > Go! > Edit.
- Provide these values:
  - Properties: System Authentication Certificate: new_cla2auth_name
  - SSL options: SSL Public CA Certificate: new_cla2ssl_name
- Click Confirm > Finish.
Updating CLA2 Server configuration
- Verify the following parameters in <isbi-install>properties/CmdLine2server.properties.
    keystoreLocation=<isbi-install-path>/client/cmdline2/cla2_KeyStore.jks
    keystorePassword=CRYPTED:EI++...=
    publicCertAlias=new_cla2auth_name
    signatureAlgorithm=SHA256withRSA
    SSLCertificateName=new_cla2ssl_name
- Restart the CLA2 Server.
  - call <isbi-install-path>/bin/stopCmdLine2.sh
  - call <isbi-install-path>/bin/startCmdLine2.sh
  - verify logs/cla2server.log
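Added example (not IBM's code and not part of the original page): a POSIX shell check that ties the "only one keyEntry" step to the CmdLine2server.properties values above. It assumes the "Alias name:" and "Entry type:" labels printed by keytool -list -v; the sample listing and properties are constructed, and the function names are hypothetical.

```shell
# Added example: cross-check a CLA2 Server keystore listing against CmdLine2server.properties.
# Both samples are constructed; only the fields the script parses are included.
sample_listing() {   # shape of `keytool -list -v` output (assumed field labels)
cat <<'EOF'
Alias name: new_cla2ssl_name
Entry type: PrivateKeyEntry

Alias name: cla2ssl
Entry type: PrivateKeyEntry

Alias name: new_cla2auth_name
Entry type: trustedCertEntry
EOF
}
sample_properties() {
cat <<'EOF'
keystorePassword=CRYPTED:constructed-placeholder=
publicCertAlias=new_cla2auth_name
signatureAlgorithm=SHA256withRSA
SSLCertificateName=new_cla2ssl_name
EOF
}
# Print the aliases whose "Entry type" matches the regex in $1 (listing on stdin).
aliases_of_type() {
  awk -v want="$1" '
    /^Alias name: / { sub(/^Alias name: */, ""); alias = $0 }
    /^Entry type: / { sub(/^Entry type: */, ""); if ($0 ~ want) print alias }'
}
# Print the value of property $1 from file $2 (first match, CR stripped).
prop_value() { tr -d '\r' < "$2" | sed -n "s/^$1=//p" | head -n 1; }
# audit_cla2 LISTING_FILE PROPERTIES_FILE: print one line per finding; fail if any.
# Aliases containing spaces are not supported by the loop below.
audit_cla2() {
  ssl=$(prop_value SSLCertificateName "$2"); auth=$(prop_value publicCertAlias "$2")
  keys=$(aliases_of_type '[Kk]ey ?Entry$' < "$1")  # PrivateKeyEntry, keyEntry, "key Entry"
  out=$(
    for a in $keys; do [ "$a" = "$ssl" ] || echo "EXTRA_KEY_ENTRY $a"; done
    { [ -n "$ssl" ] && echo "$keys" | grep -qxF -- "$ssl"; } || echo "SSL_ALIAS_NOT_KEY_ENTRY $ssl"
    { [ -n "$auth" ] && aliases_of_type 'trustedCertEntry$' < "$1" | grep -qxF -- "$auth"; } ||
      echo "AUTH_ALIAS_NOT_TRUSTED_CERT $auth"
    case $(prop_value keystorePassword "$2") in
      CRYPTED:*) ;; *) echo "KEYSTORE_PASSWORD_WITHOUT_CRYPTED_PREFIX" ;; esac
  )
  [ -z "$out" ] && return 0
  echo "$out"; return 1
}
# Demo on the constructed samples: reports the leftover default key entry cla2ssl.
tmp=$(mktemp -d); sample_listing > "$tmp/list.txt"; sample_properties > "$tmp/cla2.properties"
audit_cla2 "$tmp/list.txt" "$tmp/cla2.properties" || echo "keystore or properties need attention"
rm -rf "$tmp"
```

On a real host, save the output of the keytool -list -v command from the verification step to a file and pass it to audit_cla2 together with the properties file.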
CLA2 adapter configurations
- Set the Remote Name to the remote host IP or name.
- Set the Remote Port to the configured remote port.
- Set the working directory to the location on the external remote host where all the relevant scripts and files to be executed by the CLA2 adapter are copied. The remote host can be on any Windows or Unix/Linux OS.