Requirements for certificate aliases to open AT-TLS socket
The CAE Server requires two private certificates: one for the webserver and one for the TLS socket that listens for CAE Agent connections.
You should import the certificate for the webserver with the alias WEBSERVER and the certificate for the CAE Agent TLS socket with the alias CAE_AGENT_PORTAL.
Updating the existing CAE Server keystore
Update the existing keystore to follow the AT-TLS policy. If the Java keystore (defaultKeystore.jks) is used, then you can use the script cqm_cert_install.bat (for the CAE Server on Windows) or the job CQMCCERT (for the CAE Server on USS) to generate the correct certificate aliases. Use the script (for the CAE Server on Windows) or the job CQMICERT (for the CAE Server on USS) to import the new certificates to the existing keystore. The existing CAE Server keystore must contain two certificate aliases, WEBSERVER and CAE_AGENT_PORTAL.
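One way to confirm the keystore meets this requirement is to check a `keytool -list` listing for both aliases as private key entries. The shell function below is an added example, not one of the product's scripts; it assumes the short listing format of the JDK keytool, and the sample listing and keystore path are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a `keytool -list` listing contains both aliases
# the CAE Server needs, each as a private key entry (certificate plus key).
REQUIRED_ALIASES="WEBSERVER CAE_AGENT_PORTAL"

# Reads a keytool short listing on stdin; returns 0 only if every required
# alias is present and is a PrivateKeyEntry.
check_cae_aliases() {
    listing=$(cat)
    rc=0
    for alias in $REQUIRED_ALIASES; do
        # JKS aliases are case-insensitive and keytool lists them in lower case.
        want=$(printf '%s' "$alias" | tr '[:upper:]' '[:lower:]')
        # Entry lines look like: "<alias>, <date>, <entry type>,"
        line=$(printf '%s\n' "$listing" |
            awk -F',' -v want="$want" 'tolower($1) == want { print; exit }')
        case "$line" in
            "")                echo "MISSING: $alias"; rc=1 ;;
            *PrivateKeyEntry*) echo "OK: $alias" ;;
            *)                 echo "WRONG TYPE: $alias has no private key"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: CAE_AGENT_PORTAL was imported as a public certificate only.
SAMPLE_LISTING='Your keystore contains 2 entries

webserver, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
cae_agent_portal, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed>'

printf '%s\n' "$SAMPLE_LISTING" | check_cae_aliases || echo "keystore not ready"

# Real use (keystore path is an assumption; keytool prompts for the password):
#   keytool -list -keystore defaultKeystore.jks | check_cae_aliases
```

A trustedCertEntry under either alias means only the public certificate was imported, so the server has no key to present on that socket.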
Importing CAE_AGENT_PORTAL certificate alias into outbound keyring on LPAR
After the AT-TLS rules for inbound and outbound connections have been configured, you need to import the public certificate for the private certificate CAE_AGENT_PORTAL from the CAE Server keystore into the CAE Agent keyring AGENT_KEYRING_OUTBOUND. To retrieve this public certificate, use the script cqm_export_cert.bat (for the CAE Server on Windows) or the job CQMECERT from SAMPLIB (for the CAE Server on USS). When the public certificate is retrieved, it should be imported into the keyring AGENT_KEYRING_OUTBOUND using the SCQMSAMP library member CQMICERT.
Importing public certificate alias from inbound keyring on LPAR into the CAE Server truststore
cqm_import_certs.bat (for the CAE Server running on Windows) or job CQMICERT (for the CAE Server running on USS).
- For the CAE Server on Windows, place the certificate you want to import into the <cae_install_dir>\certs directory, then run the script in the format "cqm_import_certs.bat -importincacerts" to add the certificate to <cae_install_dir>\bin\jre\lib\security\cacerts.
- The CAE Server on USS does not have its own truststore repository. The public certificate alias should be imported into the CAE Server keystore.