Configuring keystore and truststore files

Keystore and truststore files must be created and configured in Sterling Control Center before any connections can be secured. The Sterling Control Center engine uses the same keystore and truststore files for all secure listeners and client connections, except for Cognos® Business Intelligence server, which generates its own self-signed certificate for secure communications.

Before you begin

  • Consult your system security administrator for any site-specific security requirements.
  • Obtain certificates. The Sterling Control Center engine needs the private key and certificate for the engine. In addition, the engine needs the CA or self-signed certificates for any certificates the engine is to trust. Take one of the following actions:
    • Generate a CSR to obtain the certificate from a third-party certificate authority (CA).
    • Create a self-signed certificate.
  • When you are creating the certificate for the Sterling Control Center engine, keep in mind that it is also used for the web server. Consider choosing certificates that do not cause common browser security warnings, such as the certificate common name not matching the address of the website.
  • On the computer where the engine is installed, create the keystore file that contains the private key and public certificate for the engine. This file must be in JKS format.
    Important: The passphrase for the certificate and the keystore must be the same.
  • On the computer where the engine is installed, create the truststore file that contains all CA and self-signed certificates you want the engine to trust. This file must be in JKS format.
  • Keep the following important considerations in mind when dealing with the truststore file:
    • If you copy the truststore to the default location in Java, installation directory/jre/lib/security/cacerts, it can be overwritten when you upgrade Sterling Control Center or Java. Use another location to prevent the truststore from being overwritten.
      Important: The default JKS trust file (cacerts) installed with Sterling Control Center should only be used in a non-production environment. During upgrade, maintenance, and reinstallation this file is overwritten (or, on uninstallation, removed). If you customize this file and use it as your truststore, you will lose all of your updates. Instead, create a copy of cacerts to store your CA authentication information, and update the directory path as appropriate.
    • The Cognos Business Intelligence server self-signed certificate is automatically added to the Sterling Control Center engine truststore when Cognos is configured for secure connections.
    • If you create and configure a new truststore file after you configure Cognos Business Intelligence server for secure connections, you must repeat the steps for configuring Cognos Business Intelligence server for secure connections. This action ensures that the self-signed certificate for Cognos is copied into the engine truststore.
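As an added example (not from the Sterling Control Center documentation), the following shell script builds the two JKS files described above with the JDK keytool: an engine keystore whose key and store passphrases match, and a truststore kept outside the JRE's cacerts path. File names, aliases, the CN and the passphrases are assumed values; keytool must be on PATH.

```shell
#!/bin/sh
# Added example: create the engine keystore and truststore in JKS format with
# keytool. All paths, aliases, CN and passphrases below are assumptions.
set -eu

# Engine keystore: private key plus its self-signed certificate. -storepass and
# -keypass are given the same value because the engine requires the certificate
# and keystore passphrases to match.
create_engine_keystore() {
  ks="$1"; entry="$2"; pass="$3"; cn="$4"
  keytool -genkeypair -keystore "$ks" -storetype JKS \
    -storepass "$pass" -keypass "$pass" -alias "$entry" \
    -dname "CN=$cn" -keyalg RSA -keysize 2048 -validity 365 >/dev/null 2>&1
}

# Export a certificate in PEM form so peers (or, for a self-signed engine
# certificate, the engine's own truststore) can import it.
export_certificate() {
  ks="$1"; entry="$2"; pass="$3"; out="$4"
  keytool -exportcert -rfc -keystore "$ks" -storetype JKS \
    -storepass "$pass" -alias "$entry" -file "$out" >/dev/null 2>&1
}

# Truststore: written to a path of your choosing, not the JRE's cacerts file,
# so an upgrade cannot overwrite it. If $3 names a base file (for example a
# copy of cacerts) it is copied first, in which case $2 must be that file's
# existing store password. Remaining arguments are alias=certfile pairs.
create_engine_truststore() {
  ts="$1"; pass="$2"; base="$3"; shift 3
  if [ -n "$base" ]; then cp "$base" "$ts"; fi
  for pair in "$@"; do
    entry="${pair%%=*}"; cert="${pair#*=}"
    keytool -importcert -noprompt -keystore "$ts" -storetype JKS \
      -storepass "$pass" -alias "$entry" -file "$cert" >/dev/null 2>&1
  done
}

# Sanity check: open the store with the given passphrase and print how many
# key or trusted-certificate entries it holds. A wrong passphrase or a file
# that is not JKS makes keytool fail, so the count printed is 0.
count_entries() {
  keytool -list -keystore "$1" -storetype JKS -storepass "$2" 2>/dev/null \
    | grep -c -E 'PrivateKeyEntry|trustedCertEntry' || true
}
```

Point the configCC keystore and truststore prompts at the two files this produces.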

Procedure

  1. If necessary, stop the engine.
  2. Use one of the following methods to run the configCC utility:
    • Microsoft Windows: Double-click configCC.bat in installation directory\bin.
    • UNIX: Run the configCC.sh utility from installation directory/bin.
  3. Answer N (no) to questions in other sections until you reach the keystore and truststore section of configCC.
  4. In the keystore and truststore configuration section of configCC, specify the keystore location and password, and the truststore location and password.
  5. Perform any additional steps in configCC.
  6. Restart the Sterling Control Center engine.