Configuring cryptographic keystore password and encryption

Configure a unique password for the cryptographic keystore, and encrypt that password with the AES encryption algorithm before placing it in server.xml.

About this task

To configure SSO keystore passwords and encryption, see: Configuring SSO keystore passwords and encryption.

Procedure

  1. Contact IBM Support to obtain the default keystore password.
  2. Stop the License Metric Tool server.
  3. Change the keystore password to a custom one.
    • For application update 9.2.26 and later, perform the following steps.
      1. Run the following command.
        • Linux <install_dir>/jre/jre/bin/keytool -storepasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/key_server.p12 -storetype PKCS12
        • Windows <install_dir>\jre\jre\bin\keytool.exe -storepasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\key_server.p12 -storetype PKCS12
      2. Provide the default keystore password that you obtained in step 1.
      3. Provide your custom keystore password and repeat it.
    • For application update 9.2.25 and earlier, perform the following steps.
      1. To list the contents of the application keystore, run the following command.
        • Linux <install_dir>/jre/jre/bin/keytool -list -keystore <install_dir>/wlp/usr/servers/server1/resources/security/key_server.jceks -storetype JCEKS
        • Windows <install_dir>\jre\jre\bin\keytool.exe -list -keystore <install_dir>\wlp\usr\servers\server1\resources\security\key_server.jceks -storetype JCEKS
        When prompted, provide the keystore password that you obtained in step 1.
        
        Enter keystore password:
        
        Keystore type: JCEKS
        Keystore provider: IBMJCE
        
        Your keystore contains 1 entry
        
        default, Nov 15, 2013, keyEntry,
        Certificate fingerprint (SHA1): 
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
        Note: The list can consist of more than one entry if Single Sign On is configured for the product. The first element of each entry line (default in the example above) is the alias of that entry, and it is required to complete the next steps.
      2. Ensure that you change the password for all the listed entries. Run the following command, and specify the alias at the end of the command line.
        • Linux <install_dir>/jre/jre/bin/keytool -keypasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/key_server.jceks -storetype JCEKS -alias default
        • Windows <install_dir>\jre\jre\bin\keytool.exe -keypasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\key_server.jceks -storetype JCEKS -alias default
        Set up a single password for all the listed entries. For more than one entry, ensure the passwords are identical.
        
        Enter keystore password:
        Enter key password for <default>:
        New key password for <default>:
        Re-enter new key password for <default>:
        Password change successful for alias <default>
      3. To change the keystore password, run the following command.
        • Linux <install_dir>/jre/jre/bin/keytool -storepasswd -keystore <install_dir>/wlp/usr/servers/server1/resources/security/key_server.jceks -storetype JCEKS
        • Windows <install_dir>\jre\jre\bin\keytool.exe -storepasswd -keystore <install_dir>\wlp\usr\servers\server1\resources\security\key_server.jceks -storetype JCEKS
        When prompted, provide the keystore password that you obtained in step 1. Then, set up the new keystore password. It must be identical to the password that you set for the listed entries in step 3.b, because server.xml carries only one keystore password and it is also used to open the entries.
  4. To encrypt your keystore password with AES, perform the following steps.
    1. Set the JAVA_HOME variable.

      Linux export JAVA_HOME=<install_dir>/jre/jre

      Windows set JAVA_HOME=<install_dir>\jre\jre

    2. Run the following command.

      Linux <install_dir>/wlp/bin/securityUtility encode --encoding=aes

      Windows <install_dir>\wlp\bin\securityUtility.bat encode --encoding=aes

      When prompted, provide your current keystore password, that is, the custom password that you set in step 3.

      
      Enter text:
      Re-enter text:
      {aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
  5. Update the keystore password in the server.xml file.
    The server.xml file is located in the following folder.
    • Linux <install_dir>/wlp/usr/servers/server1/server.xml
    • Windows <install_dir>\wlp\usr\servers\server1\server.xml
    Enter the value generated in step 4 in the following code line.
     <keyStore id='defaultKeyStore' location='<keystore_file>' 
    password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' type='<type>'/>
    Where:
    <keystore_file>
    Starting from application update 9.2.26, the keystore file is: key_server.p12. For earlier application updates, it is: key_server.jceks (the file used by the keytool commands in step 3). By default, the file is stored in the following location:
    • Linux <install_dir>/wlp/usr/servers/server1/resources/security
    • Windows <install_dir>\wlp\usr\servers\server1\resources\security
    <type>
    Starting from application update 9.2.26, the keystore type is PKCS12. For earlier application updates, the type is JCEKS.
  6. Start the License Metric Tool server.
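The following script is an added example written for this page; it is not part of the License Metric Tool product or of the IBM documentation. It wraps the checkable parts of steps 3 to 5 into POSIX shell functions: choosing the keystore file and type from the application update, refusing to write anything that is not an {aes} value produced by securityUtility, and rewriting only the defaultKeyStore password in server.xml while leaving any other keyStore element (for example an SSO trust store) untouched. It assumes a POSIX sh with awk, the <install_dir> layout used in the procedure above, and a hypothetical install directory /opt/ibm/LMT in the usage comments.

```shell
#!/bin/sh
# Added example, not the product's own tooling. Helpers for rotating the
# License Metric Tool keystore password and recording the {aes} value in
# server.xml. Assumes POSIX sh + awk and the <install_dir> layout from the docs.

# True (exit 0) for application update 9.2.26 and later, which use PKCS12.
# Only the third version component is compared, as the procedure does.
keystore_is_pkcs12() {
    _update=$(printf '%s' "$1" | cut -d. -f3)
    [ "${_update:-0}" -ge 26 ]
}

# Prints "<file> <type>" for an application update, e.g. "key_server.p12 PKCS12".
keystore_for_update() {
    if keystore_is_pkcs12 "$1"; then
        printf 'key_server.p12 PKCS12\n'
    else
        printf 'key_server.jceks JCEKS\n'
    fi
}

# True if the value looks like securityUtility's AES output: "{aes}" followed by
# base64. Catches a pasted plaintext or {xor} value before it reaches server.xml.
is_aes_encoded() {
    printf '%s' "$1" | grep -Eq '^\{aes\}[A-Za-z0-9+/]+=*$'
}

# Rewrites the password attribute of the keyStore element whose id is
# defaultKeyStore. $1 = path to server.xml, $2 = {aes}... value. Keeps a .bak
# copy, works whether the element is on one line or wrapped over several, and
# does not touch other keyStore elements.
set_keystore_password() {
    _xml=$1; _enc=$2
    is_aes_encoded "$_enc" || { echo "refusing: value is not {aes}-encoded" >&2; return 1; }
    grep -q "id=['\"]defaultKeyStore['\"]" "$_xml" || { echo "no defaultKeyStore in $_xml" >&2; return 1; }
    cp "$_xml" "$_xml.bak"
    # Quote characters are passed in with -v so the awk program needs no escaping;
    # base64 contains no '&' or '\', so sub() uses the replacement literally.
    awk -v enc="$_enc" -v sq="'" -v dq='"' '
        BEGIN { re = "password=[" sq dq "][^" sq dq "]*[" sq dq "]" }
        /<keyStore[ \t]/ && index($0, "defaultKeyStore") { inks = 1 }
        inks { sub(re, "password=" sq enc sq) }
        inks && /\/>/ { inks = 0 }
        { print }
    ' "$_xml" > "$_xml.tmp" && mv "$_xml.tmp" "$_xml"
}

# Interactive step 3 for 9.2.26 and later: keytool -storepasswd against the
# right file. $1 = <install_dir>, $2 = application update. For 9.2.25 and
# earlier the per-alias keytool -keypasswd step must be done first, so warn.
rotate_store_password() {
    _dir=$1; _spec=$(keystore_for_update "$2")
    _file=${_spec%% *}; _type=${_spec##* }
    [ "$_type" = PKCS12 ] || echo "JCEKS: run keytool -keypasswd for every alias first (step 3.b)" >&2
    "$_dir/jre/jre/bin/keytool" -storepasswd \
        -keystore "$_dir/wlp/usr/servers/server1/resources/security/$_file" -storetype "$_type"
}

# Entry point, only when invoked as (hypothetical install directory):
#   LMT_DIR=/opt/ibm/LMT LMT_UPDATE=9.2.27 sh rotate_keystore.sh
# keytool and securityUtility prompt for the passwords exactly as in the
# procedure; the operator then pastes the {aes} value printed by securityUtility.
if [ -n "${LMT_DIR:-}" ] && [ -n "${LMT_UPDATE:-}" ]; then
    rotate_store_password "$LMT_DIR" "$LMT_UPDATE"
    export JAVA_HOME="$LMT_DIR/jre/jre"
    "$LMT_DIR/wlp/bin/securityUtility" encode --encoding=aes
    printf 'Paste the {aes} value printed above: '
    read -r enc
    set_keystore_password "$LMT_DIR/wlp/usr/servers/server1/server.xml" "$enc"
fi
```

Before restarting the server, confirm the rotation with the keytool -list command from step 3.a using the new password; a "keystore password was incorrect" error at that point is far cheaper than a server that fails to start. One caveat on the encoding itself, from Liberty's securityUtility rather than from this page: securityUtility encode --encoding=aes uses a built-in default key unless --key is supplied, so the {aes} value keeps the password out of plain sight in server.xml but can be decoded by anyone who can run the Liberty binaries against it. Restrictive file permissions on server.xml and the keystore file are still what actually protects the password.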