Upgrading encryption key strength
When you upgrade the server from version 6.0.1.1 or earlier to a version later than version 6.0.1.1, you can upgrade the SSL encryption.
- Upgrade the HTTPS certificate for the server:
  - On the server, open a command-line window to the server_install/opt/tomcat/conf folder, where server_install is the server installation folder. The default server installation directory is /opt/ucd/server on Linux™ and C:\Program Files\ucd\server on Windows™.
  - Delete the existing certificate with the following command:
    keytool -delete -alias tomcat -keystore tomcat.keystore -storepass changeit
    Note: Each command in this example must be written on one line. Also, the commands in the following examples must be written on one line. The commands are written on multiple lines for clarity.
  - Create a certificate with the following command:
    keytool -genkey -alias tomcat -storepass changeit -keypass changeit -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 7305 -dname CN=host_name -keystore tomcat.keystore
    For host_name, use the host name of the server.
  - Go to the folder app_data/conf.
  - Delete the existing entry to the keystore with the following command:
    keytool -delete -alias server -keystore server.keystore -storepass changeit
  - Create an entry to the keystore with the following command:
    keytool -genkey -alias server -storepass changeit -keypass changeit -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 7305 -dname CN=host_name -keystore server.keystore
    For host_name, use the host name of the server.
- For each of your agent relays, upgrade the encryption with the following steps:
  - In a command-line window, go to the relay_install/conf/jms-relay folder, where relay_install is the relay installation folder.
  - Delete the existing entry in the keystore for the agent relay with the following command:
    keytool -delete -alias agentrelay -keystore agentrelay.keystore -storepass changeit
  - Add an entry with the new encryption level with the following command:
    keytool -genkey -alias agentrelay -keystore agentrelay.keystore -storepass changeit -keypass changeit -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 7305 -dname CN=host_name
    For host_name, use the host name of the server.
- If you are using mutual encryption between servers and agents, upgrade the encryption on each agent:
  - In a command-line window, go to the agent_install/conf/jms-relay folder, where agent_install is the agent installation folder.
  - Delete the existing entry in the keystore for the agent with the following command:
    keytool -delete -alias alias -keystore keystore_file -storepass changeit
    Replace the alias variable with the alias of the server certificate in the agent keystore. The keystore_file variable represents the keystore file. The default name of the keystore file is agent.keystore. To find the alias, run the following command, and look for the alias name in the output:
    keytool -list -v -keystore keystore_file
Note: Although agents and relays that use the JMS communication protocol cannot establish connections with IBM UrbanCode Deploy v7.2.0 and later, the references to JMS persist in some file names, property names, folder names, and directory names.
For example, the following names that are associated with JMS are still used in IBM UrbanCode Deploy v7.2.0 and later: agentrelay.jms_proxy.name, agentrelay.jms_proxy.id, jms-relay.log directory, and jms-relay folder.
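To confirm that a regenerated keystore entry really carries the key size and signature algorithm passed to keytool -genkey in the steps above, the following added example (not part of the original documentation) checks keytool -list -v output for one alias. The function names, the sample listing, and its host names are constructed, and the field labels assume the output format of recent JDK keytool versions.

```shell
#!/bin/sh
# Added example. Field labels assume the `keytool -list -v` output of
# recent JDK versions; the listing below is constructed sample data.

# check_entry ALIAS: reads `keytool -list -v` output on stdin.
# Returns 0 = RSA >= 2048 bits with SHA256withRSA, 1 = weaker, 2 = not found.
check_entry() {
    awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13); if (cur == want) found = 1 }
        cur != want     { next }
        # Use the first certificate listed for the entry.
        /^Signature algorithm name: / && sig == "" { sig = $4 }
        /^Subject Public Key Algorithm: / && bits == "" {
            bits = $5; sub(/-bit$/, "", bits); alg = $6
        }
        END {
            if (!found || sig == "" || bits == "") {
                print want ": entry or fields not found"; exit 2
            }
            ok = (sig == "SHA256withRSA" && alg == "RSA" && bits + 0 >= 2048)
            verdict = ok ? "ok" : "WEAK"
            print want ": " bits "-bit " alg ", " sig " " verdict
            exit (ok ? 0 : 1)
        }'
}

# Constructed listing: one entry not yet regenerated, one upgraded.
sample_listing() {
    cat <<'EOF'
Alias name: agentrelay
Entry type: PrivateKeyEntry
Owner: CN=relay.example.test
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: server
Entry type: PrivateKeyEntry
Owner: CN=ucd.example.test
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

# Against a real keystore from the steps above:
#   keytool -list -v -keystore tomcat.keystore -storepass changeit | check_entry tomcat
for a in agentrelay server; do
    sample_listing | check_entry "$a" || true
done
```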