Creating and importing a hostname-based, self-signed certificate - Windows

Follow these steps to create and import a hostname-based, self-signed certificate for a CAE server on Windows.

Note: If you are using Windows 10 and intend to create or import a secure socket certificate file using cqm_cert_install.bat or cqm_import_certs.bat, you must use a command prompt with administrator privileges. To do so, navigate to \windows\system32 in Windows Explorer, right-click cmd.exe, and select Run as administrator. Then run the required scripts.

Creating a hostname-based, self-signed certificate - Windows

To create a hostname-based, self-signed certificate, run the cqm_cert_install.bat script located in the bin directory of your Db2 Query Monitor installation, cae_install_dir\bin.

Use the following syntax to control the behavior of the cqm_cert_install.bat script:

cqm_cert_install hostname args

hostname
(Required) The hostname associated with the certificate.
args
(Optional) The argument that overrides the default certificate install behavior. The following argument is supported:
-certs directory
Where directory is the directory in which created certificates are placed. If you do not specify the -certs directory option, the default directory cae_install_dir\certs is used.

Importing a certificate that you previously created or purchased - Windows

To import a certificate that you previously created or purchased, place the certificate file in the default location, cae_install_dir\certs, and run the cqm_import_certs.bat script located in the bin directory of your Db2 Query Monitor installation, cae_install_dir\bin.

Use the following syntax to control the behavior of the cqm_import_certs.bat script:

cqm_import_certs args

By default, cqm_import_certs takes the certificate from the \certs folder, adds it to defaultKeystore.jks in the main root, and puts the certificate in the \addedcerts folder.

The name of the file in the certs directory will be used as the hostname (referred to as alias in the Java Keytool documentation) in the certificate store for the CAE Server.

args
(Optional) Arguments that override default certificate import behavior. These arguments include the following:
-addedcerts directory
Specifies the directory into which imported certificates are moved. The default value is addedcerts. If the importing process is successful, then cqm_import_certs moves certificates or truststores from /certs to /addedcerts.
-certs directory
Specifies the directory from which created certificates are imported. The default directory is cae_install_dir\certs.
-importincacerts password
Imports the certificates into \DB2 Query Monitor v3.3\bin\jre\lib\security\cacerts without requiring you to specify the -truststore or -storepass parameters. You can optionally use the -truststore or -storepass parameters to override the default path or password for cacerts.
-srcstorepass password
The password for the imported file. There is no default password for the imported file.
Note: The generated hostname-based and localhost self-signed certificates require a password, but the script defaults to that password so it is not required when importing a certificate that was created using cqm_cert_install.bat.
-storepass password
The password to the default keystore. There is no default password for the default keystore.
-truststore default_keystore
Specifies the default_keystore, the Java™ KeyStore (JKS), which is your repository of certificates. The default value is defaultKeystore.jks.
-override
Overrides an existing certificate of the same name in defaultKeystore.jks.

The import script updates the defaultKeystore.jks file with the new certificate, and, if successful, places the imported certificate file in the cae_install_dir\addedcerts directory, by default.

Specifically, the cqm_import_certs.bat script performs the following actions:

  1. Imports the certificate into defaultKeystore.jks by using the following command:
    keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
  2. Sets the certificate's password to "password" by using the following command:
    keytool -keypasswd -alias "website.com" -keypass xxxxxx -new password -storetype JKS -keystore "D:\Program Files\IBM\DB2 Query Monitor v3.4\defaultKeystore.jks" -storepass password

Examples

Importing a certificate into the default Java™ KeyStore (defaultKeystore.jks) and specifying a password:
cqm_import_certs -srcstorepass my_password
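
Checking the result of an import: the following PowerShell is an added example, not part of the original page or of the product's scripts. It summarizes the output of keytool -list -v for one alias so that you can confirm the entry exists in defaultKeystore.jks, is self-signed, and has the expected validity period and fingerprint. The function name, the host name caehost.example.com and all sample values are constructed for illustration; the live command assumes keytool is on the PATH and that defaultKeystore.jks is in cae_install_dir.

```powershell
# Added example (not the product's code). Summarizes `keytool -list -v` output
# for a single-certificate entry such as a self-signed certificate.
function Get-KeystoreEntrySummary {
    param([Parameter(Mandatory)][string[]]$KeytoolOutput)
    $s = [ordered]@{ Alias = $null; EntryType = $null; Owner = $null; Issuer = $null
                     ValidFrom = $null; ValidUntil = $null; Sha256 = $null }
    foreach ($line in $KeytoolOutput) {
        switch -Regex ($line) {
            '^Alias name:\s*(.+)$' { $s.Alias     = $Matches[1].Trim() }
            '^Entry type:\s*(.+)$' { $s.EntryType = $Matches[1].Trim() }
            '^Owner:\s*(.+)$'      { $s.Owner     = $Matches[1].Trim() }
            '^Issuer:\s*(.+)$'     { $s.Issuer    = $Matches[1].Trim() }
            '^Valid from:\s*(.+?)\s+until:\s*(.+)$' {
                $s.ValidFrom  = $Matches[1]
                $s.ValidUntil = $Matches[2].Trim()
            }
            '^\s*SHA-?256:\s*([0-9A-Fa-f:]+)' { $s.Sha256 = $Matches[1] }
        }
    }
    # A self-signed certificate names the same subject as owner and issuer.
    $s.SelfSigned = [bool]($s.Owner -and ($s.Owner -eq $s.Issuer))
    [pscustomobject]$s
}

# Constructed sample of `keytool -list -v` output. Every value is made up and
# the fingerprint is shortened; it is here only so the example runs offline.
$sample = @'
Alias name: caehost.example.com
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=caehost.example.com
Issuer: CN=caehost.example.com
Serial number: 1a2b3c4d
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Thu Dec 28 00:00:00 UTC 2034
Certificate fingerprints:
	 SHA256: AB:CD:EF:01:23:45:67:89
'@ -split '\r?\n'

Get-KeystoreEntrySummary -KeytoolOutput $sample | Format-List

# Live use, run from cae_install_dir (assumed location of defaultKeystore.jks).
# -storepass is omitted so keytool prompts for the password instead of taking
# it on the command line. Replace the alias with the imported file's name.
# $out = & keytool -list -v -keystore .\defaultKeystore.jks -alias 'caehost.example.com'
# Get-KeystoreEntrySummary -KeytoolOutput $out | Format-List
```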