Creating a single truststore manually

Agile Service Manager can use only one truststore file for a single discovery. If you want to use certificates from several truststores, you must export those truststores to a single file. You can extract the certificates and add them to the keystore and truststore files manually.

Procedure

  1. Extract all certificates from the common keystore or truststore for each server by completing the following steps:
    1. In the WebSphere® Application Server Admin Console, click Security > SSL certificate and key management.
    2. Click Key stores and certificates.
    3. Click NodeDefaultTrustStore.
    4. Click Signer certificates.
    5. Select a signer certificate, and click Extract.
    6. Enter a unique path and file name for the signer certificate.
      For example, enter C:\temp\signer1.arm.
    7. Click OK.
    8. Repeat this procedure for each signer certificate in the truststore.
    9. Repeat this procedure for all servers that are to be discovered.
  2. If you use JKS truststores, add the exported signer certificates to the .jks files. To add them to the default DummyServerTrustFile.jks and DummyClientTrustFile.jks files, complete the following steps. If you use PKCS12 truststores, follow the same procedure for the key.p12 and trust.p12 files:
    1. To open iKeyman, from the WebSphere_Root/profiles/dmgr_profile/bin directory, run ikeyman.sh or ikeyman.bat.
    2. Click Key Database File > Open.
    3. Select the DummyServerTrustFile.jks file from one of the following directories:
      • WebSphere_Root/profiles/dmgr_profile/etc
      • WebSphere_Root/profiles/stand-alone_server_profile/etc
    4. When prompted for a password, type WebAS.
    5. Click Add, and select one of the signer certificates that you extracted in step 1.
    6. Repeat the previous step for each signer certificate that you must add.
    7. Repeat this procedure to add the exported signer certificates to the WebSphere_Root/profiles/dmgr_profile/etc/DummyClientTrustFile.jks file.
  3. Retrieve the client-side SSL certificates from the WebSphere Application Server. If new certificates are not generated, the default ones, DummyClientTrustFile.jks and DummyClientKeyFile.jks, or trust.p12 and key.p12, are typically in one of the following directories:
    • WebSphere_Root/profiles/dmgr_profile/etc
    • WebSphere_Root/profiles/stand-alone_server_profile/etc

    The default passphrase for dummy files is WebAS.

  4. If you want to use different certificates, do not attempt to edit the certificates. Delete the old access list entry and create a new one.
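The same merge done from the command line with the JDK keytool, as an added example that is not part of this documentation or of Agile Service Manager: it imports several WebSphere truststores, or individually extracted .arm signer files, into one PKCS12 truststore for discovery and reads back each entry's SHA-256 fingerprint so it can be compared with the source server. File names, aliases and passphrases are arguments and illustrative only; the KEYTOOL override is an assumption of this example.

```sh
#!/bin/sh
# Added example, not from the Agile Service Manager documentation: the keytool
# equivalent of the iKeyman steps, collecting the signer certificates of several
# WebSphere truststores into the single truststore that a discovery can use.
# Assumptions: paths, aliases and passphrases are arguments (illustrative only);
# keytool is the JDK tool on PATH (override with KEYTOOL=/path/to/keytool).
set -eu
KEYTOOL=${KEYTOOL:-keytool}

# merge_truststore SRC SRCTYPE SRCPASS DEST DESTPASS
# Copy every entry of a JKS or PKCS12 truststore into DEST (created if missing).
# With -noprompt an alias already present in DEST is overwritten, so give each
# server's signers unique aliases first, as the manual steps do with file names.
merge_truststore() {
    "$KEYTOOL" -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype "$2" -srcstorepass "$3" \
        -destkeystore "$4" -deststoretype PKCS12 -deststorepass "$5"
}
# import_signer CERTFILE ALIAS DEST DESTPASS
# Add one extracted signer (.arm is Base64 DER, which keytool reads) under ALIAS.
import_signer() {
    "$KEYTOOL" -importcert -noprompt -file "$1" -alias "$2" \
        -keystore "$3" -storetype PKCS12 -storepass "$4"
}
# SHA-256 fingerprints of an extracted file and of a stored entry, so the merged
# entry can be checked against the server it came from before discovery uses it.
signer_fingerprint() {
    "$KEYTOOL" -printcert -file "$1" | awk '/SHA256:/ {print $2}'
}
stored_fingerprint() {   # stored_fingerprint DEST DESTPASS ALIAS
    "$KEYTOOL" -list -v -keystore "$1" -storetype PKCS12 -storepass "$2" \
        -alias "$3" | awk '/SHA256:/ {print $2}'
}
# count_entries DEST DESTPASS: number of trusted certificates in DEST (0 if none).
count_entries() {
    "$KEYTOOL" -list -keystore "$1" -storetype PKCS12 -storepass "$2" |
        grep -c trustedCertEntry || true
}

# merge_all DEST PASS SRC... : merge several stores that share one passphrase
# (the dummy WebSphere files all use WebAS); the type is taken from the extension.
merge_all() {
    dest=$1; pass=$2; shift 2
    for src in "$@"; do
        case "$src" in *.p12) type=PKCS12 ;; *) type=JKS ;; esac
        merge_truststore "$src" "$type" "$pass" "$dest" "$pass"
    done
    echo "$dest now holds $(count_entries "$dest" "$pass") trusted certificates"
}
[ $# -eq 0 ] || merge_all "$@"
```

Run it as `sh merge.sh discovery-trust.p12 WebAS .../etc/DummyServerTrustFile.jks .../etc/trust.p12`, then compare `stored_fingerprint` for each alias with the fingerprint shown by the server's own console before handing the file to the discovery.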