Configuring TLS certificates for the IBM Sterling Transformation Extender Apache Tomcat application server

A PKCS12 file can be used to provide the public key certificate and private key for the Design Server backend server and the Runtime Servers. By default, a self-signed certificate and private key are generated during installation and used by these components. Alternatively, a user-provided PKCS12 file can be used. Such a file can be created in several ways; for example, the openssl CLI utility can create a PKCS12 file from PEM files. The PKCS12 file should contain the server certificate, its private key and any intermediate CA certificates that clients need to build the chain to the root CA.

If a user-provided PKCS12 file is used for the Design Server backend server, then the root CA certificate that issued the server certificate must be provided to the web UI server (client) application so that it can verify the backend server. The CA certificate is provided as a PEM file. See the section on configuring TLS certificates for the web UI server.

Also, when a user-provided certificate is used, communication between the Design Server and the Runtime Server requires an update to the trust store that the Design Server backend server uses to authenticate outbound TLS connections. See the documentation on outbound connections to Runtime Servers.

The following values under tomcat/keystore in config.yaml must be updated with values that are appropriate for the user-provided PKCS12 file. The instructions below indicate when these updates should be made.
  1. tomcat/keystore/file gives the file name of the PKCS12 file.
  2. tomcat/keystore/password gives the password that is used to open the keystore file. Because this password is stored in config.yaml, restrict read access to that file to the account that runs the application.
  3. tomcat/keystore/certificateAlias gives the alias (the PKCS12 friendlyName) of the certificate and key entry within the PKCS12 file.
Steps for using a user-provided PKCS12 file for Windows:
  1. Perform the Design Server installation on Windows without providing Tomcat TLS configuration.
  2. With administrator privileges, run the clean.bat utility script in folder C:\Program Files\IBM\TransformationExtender_<version>\DesignServer. This will perform a partial uninstallation. The install.bat, stop.bat, and start.bat utility scripts are also in this folder.
  3. Update the values given above in config.yaml. If other changes to config.yaml should be made for client TLS configuration or Design Server TLS configuration for outbound connections to Runtime Servers, they can be made at this step. Copy whatever files are needed for the other changes to the appropriate locations.
  4. With administrator privileges, run install.bat. This will reinstall the application with the changes which were made to config.yaml. A PKCS12 file with a self-signed certificate and key will be generated.
  5. With administrator privileges, stop the application by running stop.bat.
  6. Back up the generated PKCS12 file in C:\Program Files\IBM\TransformationExtender_<version>\restapi\tomcat\server.
  7. Copy the user-provided PKCS12 file to the location above, using the file name given by tomcat/keystore/file so that it replaces the generated file.
  8. With administrator privileges, start the application by running start.bat.
Steps for using a user-provided PKCS12 file for native Linux installations:
  1. Before installation, update the values given above in config.yaml. If other changes to config.yaml should be made for client TLS configuration or Design Server TLS configuration for outbound connections to Runtime Servers, they can be made at this step. Then perform the installation. A PKCS12 file with a self-signed certificate and key will be generated at <root installation directory>/tomcat-context/install/restapi/tomcat/server/
  2. Back up the generated PKCS12 file that was created during installation.
  3. Replace that file with the user-provided PKCS12 file, keeping the file name given by tomcat/keystore/file.
  4. If other files should be added for other TLS configuration, they should be added at this step.
  5. Start the application.
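The following script is an added example and is not code from the IBM documentation or from the product. It ties together the three pieces above: the openssl export of a PKCS12 file from PEM files, the tomcat/keystore values for config.yaml, and the back-up-and-replace step that both the Windows and the native Linux procedures perform on the generated keystore. The alias "tomcat", the password "changeit", the file name server.p12, the temporary directories and the exact YAML nesting of tomcat/keystore are assumptions; the test CA and server certificate are constructed inline so the script runs offline, and in practice the PEM files come from your own CA.

```shell
#!/bin/sh
# Added example, not part of the IBM Sterling Transformation Extender
# documentation or product. Builds a PKCS12 keystore from PEM files with the
# openssl CLI, checks it against the tomcat/keystore values destined for
# config.yaml, and swaps it in for the generated keystore with a backup and a
# rollback. Alias, password, file names and the YAML layout are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a private CA and a server certificate it signs.
# Only make_pkcs12 below is needed when the PEM files come from a real CA.
make_test_pem() {   # $1 = directory to write ca.key/ca.pem/server.key/server.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=designserver.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/server.pem" >/dev/null 2>&1
}

# Export certificate, private key and issuing chain into one PKCS12 file.
# -name sets the friendlyName, which tomcat/keystore/certificateAlias must match.
make_pkcs12() {     # $1 cert.pem $2 key.pem $3 chain.pem $4 out.p12 $5 alias $6 password
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "$5" -out "$4" -passout "pass:$6"
}

# Returns 0 if the keystore opens with this password and holds this alias.
p12_has_alias() {   # $1 file $2 password $3 alias
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $3"
}

# Number of certificates in the keystore (server certificate plus chain).
p12_cert_count() {  # $1 file $2 password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# The three config.yaml values, nested as the path tomcat/keystore/... suggests
# (assumed layout; check against your own config.yaml).
config_snippet() {  # $1 file name $2 password $3 alias
  printf 'tomcat:\n  keystore:\n    file: %s\n    password: %s\n    certificateAlias: %s\n' \
    "$1" "$2" "$3"
}

# Replace the installer-generated keystore with the user-provided one: back up
# the original, copy the new file under the configured name, verify it against
# the config values, and restore the backup if it cannot be opened with them.
swap_keystore() {   # $1 keystore dir $2 configured file name $3 user p12 $4 password $5 alias
  target="$1/$2"
  backup="$target.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$target" "$backup"
  cp "$3" "$target"
  chmod 600 "$target"
  if p12_has_alias "$target" "$4" "$5"; then
    return 0
  fi
  echo "keystore does not match the config.yaml values; restoring $backup" >&2
  cp -p "$backup" "$target"
  return 1
}

# --- Run the whole flow on the constructed material ---
make_test_pem "$WORK"
make_pkcs12 "$WORK/server.pem" "$WORK/server.key" "$WORK/ca.pem" \
  "$WORK/user.p12" tomcat changeit
echo "certificates in user.p12: $(p12_cert_count "$WORK/user.p12" changeit)"   # 2
config_snippet server.p12 changeit tomcat

# Stand-in for the keystore the installer generated (contents irrelevant here).
mkdir -p "$WORK/tomcat/server"
printf 'generated-keystore-placeholder' > "$WORK/tomcat/server/server.p12"

if swap_keystore "$WORK/tomcat/server" server.p12 "$WORK/user.p12" changeit tomcat; then
  echo "keystore replaced; the application can be started"
fi
# A mismatch between config.yaml and the file is caught before start-up:
swap_keystore "$WORK/tomcat/server" server.p12 "$WORK/user.p12" changeit wrongalias \
  || echo "rolled back as expected"
```

Two caveats for real deployments: OpenSSL 3 writes PKCS12 files with PBES2/AES encryption by default, which older JDKs (before 8u301 and 11.0.12) cannot open, so if Tomcat reports a bad keystore password with a file that openssl reads fine, re-export with the `-legacy` option or upgrade the JDK; and passing the password with `pass:` on the command line exposes it in the process listing, so prefer `-passout file:` or an interactive prompt outside a throw-away test.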