Updating the keystore for user authentication

ML for IBM z/OS® uses a keystore to manage digital certificates, encryption keys, and key mappings for network connection and user authentication. You already created a RACF® keyring-based keystore (JCERACFKS) during the initial configuration of MLz. You must update the keystore when the certificate expires or when you want to switch to a different keystore.

Procedure

  1. Change to the $IML_INSTALL_DIR directory of MLz.
  2. Run the following command to stop all the MLz services and processes:
    alnsamp/aln-services.sh stop -s <scoring_name ...>

    where ... indicates that you can specify all your scoring services, separated by spaces.

  3. Update the keystore for the MLz services and processes from the USS environment.
    1. Update the keystore for the MLz UI and core services by running the following command and following the screen prompts to complete the update.
      alnsamp/aln-update-keystore.sh
      Note:

      Due to the keystore change:

      • You must reenter the admin password.
      • If you are using the Db2® for z/OS metadata objects repository, then you must reenter the Db2 for z/OS username and password.
      • If the metadata objects repository is an embedded database, then you need not enter the username and password.
    2. Run the following command to update the keystore for all scoring service instances:
      bin/server.sh update <serverName>

      From the update menu, select option 5 and follow the sub-menu to update the keystore for the specified scoring server.

    3. If MLz is running an ONNX compiler service, you must change to the $IML_INSTALL_ENT_DIR directory. Then, run the following command to update the keystore for the ONNX service.
      iml-onnx/onnx-compiler/onnx-compiler.sh update
    4. If MLz is running in the Model development environment, you must change to the $IML_INSTALL_ENT_DIR directory. Then, run the following command to update the keystore for the Model development environment.
      imlpython/bin/model-dev-environment.sh updatecert
    5. If MLz is running a Trustworthy AI service, you must change to the $IML_INSTALL_ENT_DIR directory. Then, run the following command to update the keystore for the Trustworthy AI service:
      trust-ai/trust-ai.sh update
  4. Run the following command to restart all MLz services and processes:
    alnsamp/aln-services.sh start -s <scoring_name ...>
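
The procedure above as a single wrapper, added here as an example (it is not an IBM-supplied script): it lists the steps in the documented order and, with DRY_RUN=0, runs them and stops at the first failure. SCORING_SERVICES, the WITH_* switches and DRY_RUN are hypothetical names, and the script assumes each scoring service name is also the <serverName> that bin/server.sh expects.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. SCORING_SERVICES, WITH_ONNX, WITH_MODEL_DEV,
# WITH_TRUST_AI and DRY_RUN are hypothetical variables; the commands are the page's.

# Print one "directory|command" line per step, in the documented order.
keystore_update_plan() {
    base=${IML_INSTALL_DIR:?IML_INSTALL_DIR is not set}
    names=${SCORING_SERVICES:?SCORING_SERVICES is not set}
    echo "$base|alnsamp/aln-services.sh stop -s $names"
    echo "$base|alnsamp/aln-update-keystore.sh"
    # Assumption: each scoring service name is also the <serverName> for server.sh.
    for name in $names; do
        echo "$base|bin/server.sh update $name"
    done
    # Optional components are updated from $IML_INSTALL_ENT_DIR.
    if [ "${WITH_ONNX:-0}" = 1 ]; then
        echo "${IML_INSTALL_ENT_DIR:?}|iml-onnx/onnx-compiler/onnx-compiler.sh update"
    fi
    if [ "${WITH_MODEL_DEV:-0}" = 1 ]; then
        echo "${IML_INSTALL_ENT_DIR:?}|imlpython/bin/model-dev-environment.sh updatecert"
    fi
    if [ "${WITH_TRUST_AI:-0}" = 1 ]; then
        echo "${IML_INSTALL_ENT_DIR:?}|trust-ai/trust-ai.sh update"
    fi
    echo "$base|alnsamp/aln-services.sh start -s $names"
}

# Print the plan; with DRY_RUN=0 also execute it, stopping at the first failure.
# Design choice of this example: services are not restarted after a failed update.
run_keystore_update() {
    plan=$(keystore_update_plan) || return 1
    # The plan is read on fd 3 so the interactive update scripts keep the terminal.
    while IFS='|' read -r dir cmd <&3; do
        echo "+ (cd $dir && $cmd)"
        if [ "${DRY_RUN:-1}" = 1 ]; then continue; fi
        # $cmd is left unquoted on purpose: it is split into command and arguments.
        (cd "$dir" && $cmd) || {
            echo "failed: $cmd (later steps skipped, services not restarted)" >&2
            return 1
        }
    done 3<<EOF
$plan
EOF
}
```

With DRY_RUN unset, run_keystore_update only prints the steps, which lets you review the sequence for your set of components before a maintenance window.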