Upgrade Impacts - CLA2 Certificates and Key Management
There are several upgrade impacts to certificate and key management:
- The authentication option in CLA2 requires a private key to be checked into the system certificate UI. The private key is referenced when you configure the adapter. The public key must be made available to the CLA2 server through a JKS file.
- The SSL option in CLA2 requires a CA certificate to be checked into the CA certificates UI. The CA is referenced when you configure the adapter. The private key must be made available to the CLA2 server through a JKS file.
- Updates to all of these keys and certificates can be made through the UI and any tool that supports modifying the JKS file, such as the keytool utility in the JDK.
- When you apply the patch, default keys are created in the database and exported to a JKS file so that they are available to the local CLA2 server. The same keys can be used for remote CLA2 servers.
- The certificates and keys are not checked for expiration.
- All remote CLA2 servers must use the same keys. The CLA2 adapter must be configured to use only one signing key and one CA certificate.
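Since expiration is not checked and every remote CLA2 server must hold the same keys, both conditions have to be verified outside the product. The following is an added example, not part of the original documentation or the product: it parses the text of `keytool -list -v` to flag certificates near expiry and to compare SHA-256 fingerprints between a local and a remote keystore. The listings, alias names, dates and fingerprints are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output, trimmed to the fields used
# here. Alias names, dates and fingerprints are made up for illustration.
LOCAL_LISTING = """\
Alias name: cla2-signing
Entry type: PrivateKeyEntry
Valid from: Mon Jan 06 10:00:00 UTC 2020 until: Thu Jan 06 10:00:00 UTC 2022
Certificate fingerprints:
\t SHA256: AA:11:22
Alias name: cla2-ca
Entry type: trustedCertEntry
Valid from: Mon Jan 06 10:00:00 UTC 2020 until: Sun Jan 06 10:00:00 UTC 2030
Certificate fingerprints:
\t SHA256: BB:33:44
"""
REMOTE_LISTING = LOCAL_LISTING.replace("AA:11:22", "CC:55:66")  # drifted key

def parse_listing(text):
    """Return {alias: {"not_after": datetime, "sha256": str}} using the first
    certificate listed under each alias (the leaf of a key entry's chain)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            current = entries.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is None:
            continue
        elif line.startswith("Valid from:") and "not_after" not in current:
            # Java prints e.g. "Thu Jan 06 10:00:00 UTC 2022"; weekday and zone
            # are dropped here, so the result is accurate to within a day.
            _, mon, day, clock, _, year = line.split("until:")[1].split()
            current["not_after"] = datetime.strptime(
                f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
        elif line.startswith("SHA256:") and "sha256" not in current:
            current["sha256"] = line.split(":", 1)[1].strip().upper()
    return entries

def expiring(entries, now, warn_days=30):
    """Aliases that are expired, expire within warn_days, or have no date."""
    limit = now + timedelta(days=warn_days)
    return sorted(a for a, e in entries.items()
                  if "not_after" not in e or e["not_after"] <= limit)

def mismatched(local, remote):
    """Aliases missing on one side or whose SHA-256 fingerprints differ."""
    return sorted(a for a in local.keys() | remote.keys()
                  if local.get(a, {}).get("sha256") != remote.get(a, {}).get("sha256"))
```

To use it on real keystores, pass in the output of `keytool -list -v -keystore <file>` captured on each server in place of the constructed listings.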
The following diagram shows the relationship between the ASI JVM, with a JKS database store, and a remote CLA2 server, with a file system JKS store.