Enabling API Key authentication after upgrading
Enabling API Key authentication after upgrading from v 10.x.x or v 9.5.x to 10.2.x.
In previous versions of the product, in both fresh and upgrade installations, it was not necessary to add the server public certificate to the server truststore. With the new API Key feature, which is implemented in version 10.1 Fix Pack 1 and later, the generated JWT is signed with the server private key. When the server receives the JWT to authenticate a user, the public key associated with the private key used for signing is not present in the truststore and cannot be used. As a result, the authentication of that user is blocked.
To solve the problem, in fresh installations the server public key is automatically added to its truststore. After an upgrade, add it manually with the following steps:
- keytool -exportcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.p12 -storepass password -storetype pkcs12 -file /tmp/tls.crt -alias server -noprompt
- keytool -importcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerTrustFile.p12 -storepass password -storetype pkcs12 -file /tmp/tls.crt -alias mpjwtkey -noprompt
- Change the value of the mp.jwt.trust.key variable from twstrustkey to mpjwtkey in the jwt_variables.xml file, located in the WebSphere Application Server Liberty Base overrides folder. For more information about templates, see Configuring IBM Workload Scheduler using templates.
keytool -list -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.p12 -storepass password -storetype pkcs12
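
One way to check the result of the export and import steps above, as an added example that is not part of the product documentation: it compares the fingerprint of the server alias in the keystore with the fingerprint of the mpjwtkey alias in the truststore. The WA_STOREPASS variable name, the script name, and the use of one password for both stores are assumptions.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Confirms that truststore alias "mpjwtkey" holds the certificate stored
# under keystore alias "server" by comparing keytool fingerprints.

# Constructed sample of `keytool -list -alias server` output (not real data).
SAMPLE_LIST_OUTPUT='server, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 0A:1B:2C:3D'

# Read `keytool -list` output on stdin and print the first fingerprint.
extract_fingerprint() {
    sed -n 's/^Certificate fingerprint ([^)]*): *//p' | head -n 1 | tr -d '[:space:]'
}

# Succeed only when both fingerprints are non-empty and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print the fingerprint of one alias in a PKCS12 store.
# WA_STOREPASS is an assumed variable name (one password for both stores);
# -storepass:env reads it so the password stays out of the process list.
store_fingerprint() {   # usage: store_fingerprint <store.p12> <alias>
    keytool -list -keystore "$1" -storetype pkcs12 \
        -storepass:env WA_STOREPASS -alias "$2" | extract_fingerprint
}

# Compare the two stores named in the procedure; return non-zero on mismatch.
# A missing mpjwtkey alias yields an empty fingerprint and is a mismatch.
verify_jwt_trust() {
    sec="$WA_DATADIR/usr/servers/engineServer/resources/security"
    key_fp=$(store_fingerprint "$sec/TWSServerKeyFile.p12" server)
    trust_fp=$(store_fingerprint "$sec/TWSServerTrustFile.p12" mpjwtkey)
    if fingerprints_match "$key_fp" "$trust_fp"; then
        echo "OK: mpjwtkey matches the server certificate ($key_fp)"
    else
        echo "MISMATCH: server='$key_fp' mpjwtkey='$trust_fp'" >&2
        return 1
    fi
}

# Run the check only when asked: sh check_jwt_trust.sh verify
if [ "${1:-}" = "verify" ]; then
    verify_jwt_trust
fi
```

Export WA_STOREPASS in the calling shell before running the check, and unset it afterwards.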