Configuring your SSL clients

keytool -import -alias aliasname -file certfile -keystore keystorefile
   -storepass password -noprompt

Where the options are:

-import

Import a certificate.

-alias aliasname

The name under which the certificate is to be stored.

-file certfile

The file that contains the certificate.

-keystore keystorefile

The key ring into which the certificate is to be imported.

-storepass password

The password used to protect the integrity of the key ring.

-noprompt

Removes the need to confirm that the certificate is imported.

This is an example of the command used to create a key ring containing the server's signer certificate:

keytool -import -alias exampleServer -file exampleServerCertKT.arm -keystore clientStore.jks 
   -storepass default -noprompt

keytool -genkey -alias aliasname -keysize numericvalue -dname distname
   -keystore location -keypass password -storepass password
   -keyalg algorithm

The options are:

-genkey

Generates a key pair and wraps the public key into a self-signed certificate.

-alias aliasname

Defines the alias name that identifies the store containing the self-signed certificate and private key.

-keysize numericvalue

Defines the size of the key.

-dname distname

Specifies the X.500 distinguished name to be associated with the alias. This is used as the issuer and subject fields of the self-signed certificate. The distinguished name consists of a number of fields separated by commas in the following format: An example of an X.500 distinguished name is shown here:

"cn=someserver.location.ibm.com,o=IBM,ou=IBMGB,
   l=Winchester,s=Hants,c=GB"

The abbreviations in the distinguished name have the following meaning:

• cn = common name
• o = organization
• ou = organization unit
• l = city/locality
• s = state/province
• c = country name

-keystore location

The key ring file location. For example: ktserverss.jks

-keypass password

The password used to protect the private key. Set this to the same value as the -storepass password, to enable the CICS® Transaction Gateway to establish a connection over SSL.

-storepass password

The password used to protect the integrity of the key ring. Set this to the same value as the -keypass password, to enable the CICS Transaction Gateway to establish a connection over SSL.

-keyalg algorithm

The algorithm to be used to generate the key pair.

This is an example of the keytool command used to create a key ring containing a single self-signed certificate:

keytool -genkey -alias exampleClientCert -keysize 1024 
   -dname "cn=John Doe,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB" 
   -keystore clientStore.jks -keypass default -storepass default 
   -keyalg RSA

keytool -export -alias aliasname -keystore location
   -storepass password -file filename -rfc

Where the options are:

-export

Export a certificate.

-alias aliasname

Name of the key (in the key ring) to export.

-keystore location

The key ring location.

-storepass password

The password used to protect the integrity of the key ring.

-file filename

The name of the file to export the certificate to.

-rfc

Export the certificate in RFC format (Base64 encoded ASCII).

keytool -export -alias exampleClientCert -keystore clientStore.jks -storepass default 
   -file exampleClientCertKT.arm -rfc