Sample Use Case: Adding a PEM Certificate with key into IBM Connect:Direct Web Service Keystore

Follow the procedure below to add a PEM-formatted (.crt) certificate to the Web Service Keystore.

With v6.1, IBM® Connect:Direct® Web Service extends its web console capabilities to support Keystore/Truststore management. For a UI walk-through on how to add a PEM certificate into the IBM Connect:Direct Web Service Keystore, see YouTube > IBM Connect:Direct.

Ensure that you've installed OpenSSL before you begin configuring the Keystore/Truststore. For the OpenSSL 3.0.0 release, and later releases derived from it, the Apache License v2 applies. For any release made before OpenSSL 3.0.0, the dual OpenSSL and SSLeay license applies.

  1. Obtain the PEM-encoded certificate.
  2. Execute the following OpenSSL command to create a PKCS12 (.p12) file.
    openssl pkcs12 -export -name <Certificate_Alias_Name> -in <PEM_Certificate> -inkey <PEM_KEY> -out <Keystore_NAME>.p12
  3. Execute the following command to import the PKCS12 (.p12) certificate into a JKS Keystore.
    keytool -importkeystore -destkeystore <NEW_JKS_Keystore_NAME> -deststoretype jks -srckeystore <PKCS12_KEYSTORE_NAME> -srcstoretype pkcs12 -alias <Certificate_Alias_Name>
  4. Import the CA-signed certificate into the IBM Connect:Direct Web Service Keystore.
    OS: Unix
    ./ikeycmd -cert -import -db <NEW_JKS_Keystore_NAME> -target <CDWS_Keystore> -target_pw <CDWS_KeystorePassword> -label <Certificate_Alias_Name> -pw
    OS: Windows
    ikeycmd -cert -import -db <NEW_JKS_Keystore_NAME> -target <CDWS_Keystore> -target_pw <CDWS_KeystorePassword> -label <Certificate_Alias_Name> -pw
  5. Edit file and set the value of the server.ssl.key-alias property to <Certificate_Alias_Name>, the alias to be used by Connect:Direct Web Services.
  6. Execute the ChangeKeystoreTruststoreAndUpdatePassword.jar file available at mftws/BOOT-INF/classes.
    java -jar ChangeKeystoreTruststoreAndUpdatePassword.jar 
    Enter Admin Password:
    Please Select from below options:
    1. Type K and Enter to Change Keystore OR Sync Keystore Password with CDWS.
    2. Type T and Enter to Change Truststore OR Sync Truststore Password with CDWS.
    3. Type C and Enter to Sync Key Certificate Password with CDWS.
    4. Type Q and Enter to Exit.
    Enter your Choice: K
    Enter the complete path of Keystore: (including fileName(.jks)):
    Enter Keystore Password:
    Confirm Password:
    Keystore details updated successfully
    Press Y to Continue OR Q to Exit:Q
    Exiting the Utility.
  7. Depending on your environment type, issue one of the following commands:
    • In Windows, stop and start MFTWebservices from the Task Manager for changes to take effect.
    • In UNIX, issue the following command to stop and start MFTWebServices for changes to take effect.
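
A pre-flight check for step 2, as an added example that is not part of IBM's procedure: it confirms that the certificate and private key belong together before building the PKCS12 file, then confirms the alias was stored. The function names and the P12_PASS environment variable are assumptions made for this example, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example (not IBM-supplied code).
# Assumptions: unencrypted PEM private key; P12_PASS is a hypothetical exported
# environment variable holding the PKCS12 password, so the password is not
# typed on the command line.

# Print the public key (PEM SubjectPublicKeyInfo) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Print the public key derived from a private key.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Return 0 only when the certificate carries the public key of this private key.
# Return 2 when either file cannot be parsed.
pem_pair_matches() {
    c=$(cert_pubkey "$1" 2>/dev/null) || return 2
    k=$(key_pubkey "$2" 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build the PKCS12 file as in step 2, refusing a mismatched certificate/key pair.
# Usage: build_p12 <PEM_Certificate> <PEM_KEY> <Certificate_Alias_Name> <out.p12>
build_p12() {
    cert=$1 key=$2 label=$3 out=$4
    if ! pem_pair_matches "$cert" "$key"; then
        echo "certificate and key do not match: $cert / $key" >&2
        return 1
    fi
    (
        umask 077   # the .p12 holds the private key: owner-only permissions
        openssl pkcs12 -export -name "$label" -in "$cert" -inkey "$key" \
            -out "$out" -passout env:P12_PASS
    ) || return 1
    # Confirm the alias (PKCS12 friendlyName) that steps 3 to 5 refer to.
    openssl pkcs12 -in "$out" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -q "friendlyName: $label"
}
```

Run `build_p12` in place of the bare `openssl pkcs12 -export` command; a non-zero return means the pair should not be imported into the Keystore.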