Add/Import a certificate(s) to IBM Connect:Direct Web Service Keystore/Trust Store

Edit online

Follow the procedure given below to add a certificate into an existing Keystore/Truststore.

To use this feature, login as an Admin user.

  1. Click Import certificate in the toolbar.
  2. In the Import certificate form, click Browse key certificate.
  3. Select a valid Base64-encoded PEM certificate file.
  4. Enter the Key passphrase.
  5. (Optional) Click Key certificate data (read-only) to preview the certificate content.
  6. Click Import key certificate.

For a UI walk-through of this feature see, IBM MediaCenter.

Note: IBM® Connect:Direct® Web Service Key Store/Truststore supports base64-encoded ASCII certificates. It does not support binary-encoded X.509 certificates.
For importing certificate(s) from CLI follow these steps:
  1. Navigate to following directory: 
     % cd $Installation_directory/jre/bin
  2. Follow the steps below to import the certificate into Keystore.
    1. Execute the following OpenSSL command to create a PKCS12 (.p12) file. Administrator is prompted to enter key.pem pass phrase if the key is found to be encrypted. 
      openssl pkcs12 -export -name <Certificate_Alias_Name> -in <PEM_Certificate> -inkey 
<key.pem> -out <Keystore_NAME>.p12
Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:
    2. Issue the following commands to import the certificate into Keystore.
      Input parameter considerations:
      • <sourceKeystore> value should match <Keystore_NAME>
      • <sourceKeystorePassword> value should match the Export password supplied in step above
      • <CDWS_Keystore> value should match with the existing CDWS keystore with path $Installation_Directory/mftws/BOOT-INF/ classes/ssl-server.jks.
      UNIX
./keytool -importkeystore -srckeystore <sourceKeystore> -destkeystore <CDWS_Keystore> -deststorepass 
<CDWS_KeystorePassword> -deststoretype jks -alias <Certificate_Alias_Name> -srcstorepass <sourceKeystorePassword> -srcstoretype pkcs12

Windows
keytool -importkeystore -srckeystore <sourceKeystore> -destkeystore <CDWS_Keystore> -deststorepass 
<CDWS_KeystorePassword> -deststoretype jks -alias <Certificate_Alias_Name> -srcstorepass <sourceKeystorePassword> -srcstoretype pkcs12
    3. Edit application.properties file and change the value of server.ssl.key-alias property with <Certificate_Alias_Name> to be used by Connect:Direct Web Services.
    4. Issue the following commands for changes to take effect.
      • For Windows, stop and start MFTWebservices from the Task manager for changes to take effect.
      • For UNIX, issue the following command to stop and start MFTWebServices:
      % ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
% ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
  3. Adding a Trusted certificate.
    1. Invoke the following commands to add a Trusted Certificate: 
      UNIX
./keytool -import -keystore <CDWS_Truststore> -storepass 
<CDWS_TruststorePassword> -alias <Certificate_Alias_Name> -file <Certificate to be added> -storetype jks -noprompt

Windows
keytool -import -keystore <CDWS_Truststore> -storepass 
<CDWS_TruststorePassword> -alias <Certificate_Alias_Name> -file <Certificate to be added> -storetype jks -noprompt
    2. Issue the following commands for changes to take effect.
      • For Windows, stop and start MFTWebservices from the Task manager for changes to take effect.
      • For UNIX, issue the following command to stop and start MFTWebServices for changes to take effect:
      % ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
% ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
Attention: The password change of Keystore/Truststore is not possible using webconsole. If you change Keystore/Truststore password then you must sync the changed password with CDWS using ChangeKeystoreTruststoreAndUpdatePassword.jar.