Add/Import a certificate(s) to IBM Connect:Direct Web Service Keystore/Trust Store
Follow the procedure given below to add a certificate into an existing Keystore/Truststore.
With v6.1, IBM® Connect:Direct® Web Service now extends its web console capabilities to support importing and exporting certificates into an existing Keystore/Truststore. To use this feature, log in as an Admin user and click Certificates > Key Certificate/Trust Certificate > Import. For a UI walk-through of this feature, see IBM MediaCenter.
Note: IBM Connect:Direct Web Service Keystore/Truststore supports base64-encoded ASCII certificates. It does not support binary-encoded X.509 certificates.
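A pre-flight check for the encoding restriction in the note above, as an added example that is not part of the IBM documentation: it reports whether a certificate file is base64 (PEM) or binary (DER) before the file is handed to the import commands in this procedure. The function names cert_count, cert_encoding and preflight_cert are hypothetical, and the encoding test is a heuristic on the PEM armor lines and the first byte of the file.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate file before import.
# Function names are hypothetical, not part of Connect:Direct Web Services.

# Print the number of PEM certificate blocks in file $1.
cert_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print "pem", "der" or "unknown" for file $1 (heuristic, see comments).
cert_encoding() {
    if [ ! -r "$1" ]; then
        echo "unknown"
    elif grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" &&
         grep -q -e '^-----END CERTIFICATE-----' "$1"; then
        echo "pem"     # base64 body between BEGIN/END armor lines
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo "der"     # binary ASN.1: a certificate starts with SEQUENCE tag 0x30
    else
        echo "unknown"
    fi
}

# Return 0 only when file $1 is a PEM file holding exactly one certificate.
preflight_cert() {
    case "$(cert_encoding "$1")" in
        pem)
            n=$(cert_count "$1")
            if [ "$n" -eq 1 ]; then
                echo "OK: $1 is base64 (PEM) with one certificate"
                return 0
            fi
            echo "CHECK: $1 holds $n certificates; the import command takes one alias per file"
            return 1 ;;
        der)
            echo "REJECT: $1 is binary (DER); convert it first:"
            echo "  openssl x509 -inform der -in $1 -outform pem -out $1.pem"
            return 1 ;;
        *)
            echo "REJECT: $1 is not a readable X.509 certificate file"
            return 1 ;;
    esac
}

# Stand-alone use: sh preflight.sh <certificate file>
if [ "$#" -gt 0 ]; then
    preflight_cert "$1"
    exit $?
fi
```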
To import certificate(s) from the CLI, follow these steps:
- Navigate to the following directory:
% cd $Installation_directory/jre/bin
- Follow the steps below to import the certificate into Keystore.
- Execute the following OpenSSL command to create a PKCS12 (.p12) file.
The administrator is prompted to enter the key.pem pass phrase if the key is found to be encrypted.
openssl pkcs12 -export -name <Certificate_Alias_Name> -in <PEM_Certificate> -inkey <key.pem> -out <Keystore_NAME>.p12
Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:
- Issue the following commands to import the certificate into Keystore. Input parameter considerations:
- <sourceKeystore> value should match <Keystore_NAME>
- <sourceKeystorePassword> value should match the Export password supplied in the step above
- <CDWS_Keystore> value should match the existing CDWS keystore with path $Installation_Directory/mftws/BOOT-INF/classes/ssl-server.jks.
UNIX
./keytool -importkeystore -srckeystore <sourceKeystore> -destkeystore <CDWS_Keystore> -deststorepass <CDWS_KeystorePassword> -deststoretype jks -alias <Certificate_Alias_Name> -srcstorepass <sourceKeystorePassword> -srcstoretype pkcs12
Windows
keytool -importkeystore -srckeystore <sourceKeystore> -destkeystore <CDWS_Keystore> -deststorepass <CDWS_KeystorePassword> -deststoretype jks -alias <Certificate_Alias_Name> -srcstorepass <sourceKeystorePassword> -srcstoretype pkcs12
- Edit the application.properties file and change the value of the server.ssl.key-alias property to the <Certificate_Alias_Name> to be used by Connect:Direct Web Services.
- Issue the following commands for changes to take effect.
- For Windows, stop and start MFTWebservices from the Task manager for changes to take effect.
- For UNIX, issue the following command to stop and start MFTWebServices:
% ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
% ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
- Adding a Trusted certificate.
- Invoke the following commands to add a Trusted Certificate:
UNIX
./keytool -import -keystore <CDWS_Truststore> -storepass <CDWS_TruststorePassword> -alias <Certificate_Alias_Name> -file <Certificate to be added> -storetype jks -noprompt
Windows
keytool -import -keystore <CDWS_Truststore> -storepass <CDWS_TruststorePassword> -alias <Certificate_Alias_Name> -file <Certificate to be added> -storetype jks -noprompt
- Issue the following commands for changes to take effect.
- For Windows, stop and start MFTWebservices from the Task manager for changes to take effect.
- For UNIX, issue the following command to stop and start MFTWebServices for changes to take effect:
% ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
% ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
Attention: The password change of Keystore/Truststore is not possible using webconsole. If you change Keystore/Truststore password then you must sync the changed password with CDWS using ChangeKeystoreTruststoreAndUpdatePassword.jar.