Configuring Keystore/Truststore

To establish a secure connection between Connect:Direct, Connect:Direct Web Services and other clients, you need a Keystore and Truststore that contain the necessary keys and digital certificates. By default, IBM® Connect:Direct® Web Service is installed and configured with a default Keystore/Truststore and certificates. To use a different Keystore and Truststore, see Changing Keystore/Truststore using Web Console and Changing Keystore/Truststore using a CLI procedure.

Attention: After installation with a CA-signed certificate, the key certificate password is the same as the keystore password provided during installation.
Note: The following tools are required to implement some of the Keystore/Truststore management procedures described in the following sections.
  • OpenSSL

    An SSL/TLS toolkit and cryptographic library. Download it from here.

  • IKEYCMD

    A Java-based tool that can be used to manage keys, certificates and certificate requests. IKEYCMD is installed with the IBM Connect:Direct Web Service installation package at /installdirectory/jre/bin.

  • Keytool

    Java Keytool is a key and certificate management utility. Keytool is installed with the IBM Connect:Direct Web Service installation package at /installdirectory/jre/bin.

Resetting the Keystore/Truststore/Key Certificate password and syncing with Connect:Direct Web Services

The password for the keystore/truststore is the password provided for the keystore at the time of installation. To reset it and sync the new password with Connect:Direct Web Services, follow these steps:
  1. Use the following command to manually reset the Keystore/Truststore/Key Certificate password:
    Command to change Keystore/Truststore password
    keytool -storepasswd -keystore <path_of_Keystore/Truststore_with_name>
    Enter Keystore password:
    New Keystore password:
    
    Command to change Key Certificate password
    keytool -keypasswd -keystore <path_of_Keystore/Truststore_with_name> -alias <key_certificate_alias>
    Enter Keystore password:
    Enter key password for <key_certificate_alias>:
    New key password for <key_certificate_alias>:
    Re-enter new key password for <key_certificate_alias>:
    Password change successful for alias <key_certificate_alias>
    
  2. Go to the following path: <Installation_dir/mftws/BOOT-INF/classes> and run ChangeKeystoreTruststoreAndUpdatePassword.jar to sync the new password with CDWS.
    Note: Ensure that you have the CDWS admin password ready and that the database service is up before running the ChangeKeystoreTruststoreAndUpdatePassword.jar utility.
  3. Depending on your environment type, issue one of the following commands:
    • In Windows, stop and start MFTWebservices from the Task Manager for the changes to take effect.
    • In UNIX, issue the following commands to stop and start MFTWebServices for the changes to take effect.
    % ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
    % ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
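
A check that can be run between steps 1 and 2, so that a mistyped password is caught before it is synced with CDWS and the service is restarted. This is an added example, not IBM code: the function name and the KS_PASS and KEY_PASS variables are assumptions, and it assumes the bundled keytool accepts the :env password modifier, as OpenJDK's keytool does.

```shell
#!/bin/sh
# Added example, not IBM code: confirm both new passwords before step 2.
# Assumptions: KS_PASS and KEY_PASS are exported environment variables
# holding the new passwords; verify_keystore_passwords is a hypothetical
# name; the bundled keytool accepts the :env password modifier.

# Usage: verify_keystore_passwords <keystore_path> <key_certificate_alias>
# Returns 0 when both passwords work, 2 on a setup problem, 3 when the
# keystore password is rejected or the alias is missing, 4 when the key
# certificate password is rejected.
verify_keystore_passwords() {
    ks=$1
    key_alias=$2
    if [ -z "$ks" ] || [ -z "$key_alias" ] || [ ! -r "$ks" ]; then
        echo "usage: verify_keystore_passwords <readable keystore> <alias>" >&2
        return 2
    fi
    if [ -z "${KS_PASS:-}" ] || [ -z "${KEY_PASS:-}" ]; then
        echo "export KS_PASS and KEY_PASS before calling" >&2
        return 2
    fi
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; see /installdirectory/jre/bin" >&2
        return 2
    fi
    # :env makes keytool read the password from the named variable, so it
    # never appears in the process list or in shell history.
    if ! keytool -list -keystore "$ks" -storepass:env KS_PASS \
            -alias "$key_alias" >/dev/null 2>&1; then
        echo "keystore password rejected or alias not found" >&2
        return 3
    fi
    # A throwaway certificate request forces keytool to unlock the private
    # key, which proves the key certificate password. The request is
    # discarded and the keystore is not modified.
    if ! keytool -certreq -keystore "$ks" -storepass:env KS_PASS \
            -keypass:env KEY_PASS -alias "$key_alias" >/dev/null 2>&1; then
        echo "key certificate password rejected" >&2
        return 4
    fi
    echo "keystore and key certificate passwords verified for $key_alias"
}
```

On a PKCS12 keystore, keytool uses the store password for the key as well, so the second check only adds information for stores that keep a separate key password.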