Add/Import a certificate(s) to IBM Connect:Direct Web Service Keystore/Trust Store

Follow the procedure given below to add a certificate into an existing Keystore/Truststore.

With v6.1, IBM® Connect:Direct® Web Service extends its web console capabilities to support import and export of certificates for an existing Keystore/Truststore. To use this feature, log in as an Admin user and click Certificates > Key Certificate/Trust Certificate > Import. For a UI walk-through of this feature, see IBM MediaCenter.

Note: IBM Connect:Direct Web Service Key Store/Truststore supports base64-encoded ASCII certificates. It does not support binary-encoded X.509 certificates.
To import certificates from the CLI, follow these steps:
  1. Navigate to the following directory:
     % cd $Installation_directory/jre/bin
  2. Follow the steps below to import the certificate into the Keystore.
    1. Execute the following OpenSSL command to create a PKCS12 (.p12) file. The administrator is prompted for the key.pem pass phrase if the key is encrypted.
      openssl pkcs12 -export -name <Certificate_Alias_Name> -in <PEM_Certificate> -inkey <key.pem> -out <Keystore_NAME>.p12
      Enter pass phrase for key.pem:
      Enter Export Password:
      Verifying - Enter Export Password: 
    2. Issue the following commands to import the certificate into the Keystore.
      Input parameter considerations:
      • <sourceKeystore> value should match <Keystore_NAME>
      • <sourceKeystorePassword> value should match the Export Password supplied in the step above
      • <CDWS_Keystore> value should match the existing CDWS keystore at the path $Installation_Directory/mftws/BOOT-INF/classes/ssl-server.jks.
      UNIX
      ./keytool -importkeystore -srckeystore <sourceKeystore> -destkeystore <CDWS_Keystore> -deststorepass <CDWS_KeystorePassword> -deststoretype jks -alias <Certificate_Alias_Name> -srcstorepass <sourceKeystorePassword> -srcstoretype pkcs12
      
      Windows
      keytool -importkeystore -srckeystore <sourceKeystore> -destkeystore <CDWS_Keystore> -deststorepass <CDWS_KeystorePassword> -deststoretype jks -alias <Certificate_Alias_Name> -srcstorepass <sourceKeystorePassword> -srcstoretype pkcs12
    3. Edit the application.properties file and set the server.ssl.key-alias property to the <Certificate_Alias_Name> to be used by Connect:Direct Web Services.
    4. Issue the following commands for changes to take effect.
      • For Windows, stop and start MFTWebservices from the Task Manager.
      • For UNIX, issue the following command to stop and start MFTWebServices:
      % ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
      % ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
  3. Add a Trusted certificate.
    1. Issue the following commands to add a Trusted Certificate:
      UNIX
      ./keytool -import -keystore <CDWS_Truststore> -storepass <CDWS_TruststorePassword> -alias <Certificate_Alias_Name> -file <Certificate to be added> -storetype jks -noprompt
      
      Windows
      keytool -import -keystore <CDWS_Truststore> -storepass <CDWS_TruststorePassword> -alias <Certificate_Alias_Name> -file <Certificate to be added> -storetype jks -noprompt
    2. Issue the following commands for changes to take effect.
      • For Windows, stop and start MFTWebservices from the Task Manager.
      • For UNIX, issue the following command to stop and start MFTWebServices:
      % ./$CDWS_INSTALLATION_DIR$/bin/stopWebservice.sh
      % ./$CDWS_INSTALLATION_DIR$/bin/startWebservice.sh
Attention: The Keystore/Truststore password cannot be changed using the web console. If you change the Keystore/Truststore password, you must sync the changed password with CDWS using ChangeKeystoreTruststoreAndUpdatePassword.jar.
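
The note above limits imports to base64-encoded ASCII (PEM) certificates. The following pre-import check is an added example, not part of the IBM procedure: it classifies a file as PEM or binary (DER) and converts DER to PEM with openssl before the import steps. The function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-import encoding check for certificate files.
# Function names are hypothetical; the sample files in demo() are constructed.

# Print "pem", "der" or "unknown" for the file given as $1.
# Checks the encoding markers only; it does not validate the certificate.
cert_encoding() {
    [ -r "$1" ] || { echo unknown; return 1; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem; return 0
    fi
    # A binary (DER) X.509 certificate starts with an ASN.1 SEQUENCE tag, 0x30.
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der; return 0; fi
    echo unknown; return 1
}

# Print the path of a PEM file to use in the import commands.
# DER input is converted to <file>.pem; anything else is rejected.
pem_for_import() {
    case "$(cert_encoding "$1")" in
        pem) echo "$1" ;;
        der) openssl x509 -inform DER -in "$1" -outform PEM -out "$1.pem" \
                 && echo "$1.pem" ;;
        *)   echo "refusing $1: not a PEM or DER certificate" >&2; return 1 ;;
    esac
}

# Demo on constructed files (placeholder contents, not real certificates).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/peer.pem"
    printf '\060\202\001\001' > "$d/peer.cer"      # bytes 30 82 01 01
    printf 'plain text\n' > "$d/notes.txt"
    for f in peer.pem peer.cer notes.txt; do
        echo "$f: $(cert_encoding "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

Run pem_for_import on each file before step 2.1 or step 3.1 and pass the printed path as <PEM_Certificate> or <Certificate to be added>.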