Enabling API Key authentication after upgrading

Enabling API Key authentication after upgrading from v 10.x.x or v 9.5.x to 10.2.x.

In previous versions of the product, in both fresh and upgrade installations, it was not necessary to add the server public certificate to the server truststore. With the new API Key feature, which is implemented in version 10.1 Fix Pack 1 and later, the generated JWT is signed with the server private key. When the server receives the JWT to authenticate a user, the public key associated with the private key used for signing is not present in the truststore and cannot be used. As a result, the authentication of that user is blocked.

To solve the problem, in fresh installations the server public key is automatically added to its truststore.

When you are upgrading from v 10.x.x or v 9.5.x to 10.2.x, run the following commands on the master domain manager:
  1. keytool -exportcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.p12 \
    -storepass password -storetype pkcs12 -file /tmp/tls.crt -alias server -noprompt
  2. keytool -importcert -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerTrustFile.p12 \
    -storepass password -storetype pkcs12 -file /tmp/tls.crt -alias mpjwtkey -noprompt
  3. Change the value of the mp.jwt.trust.key variable from twstrustkey to mpjwtkey in the jwt_variables.xml file, located in the WebSphere Application Server Liberty Base overrides folder. For more information about templates, see Configuring IBM Workload Scheduler using templates.

If you do not remember what the public certificate alias is called, run the following command to retrieve the list of certificates within the keystore:
keytool -list -keystore $WA_DATADIR/usr/servers/engineServer/resources/security/TWSServerKeyFile.p12 \
-storepass password -storetype pkcs12
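
After step 3, a check along these lines confirms that the certificate trusted under mpjwtkey is the one whose private key signs the JWT, and that jwt_variables.xml points at that alias. This is an added example, not part of the product documentation: the function names and the --verify argument are hypothetical, and it assumes OpenJDK-style keytool -list output and Liberty's <variable name="..." value="..."/> syntax.

```shell
#!/bin/sh
# Added example: confirm the upgrade steps took effect (function names hypothetical).
# Assumes keytool -list prints "alias, date, type," followed by a
# "Certificate fingerprint (SHA-256): ..." line, and that jwt_variables.xml
# uses Liberty's <variable name="..." value="..."/> form on one line.

# fingerprint_of ALIAS: read keytool -list output on stdin, print the
# fingerprint of the entry named ALIAS (prints nothing if it is absent).
fingerprint_of() {
  awk -v a="$1" '
    index($0, a ",") == 1                { found = 1; next }
    found && /^Certificate fingerprint/  { print $NF; exit }
    /^[^ ]+, /                           { found = 0 }'
}

# trust_key_alias FILE: print the value configured for mp.jwt.trust.key.
trust_key_alias() {
  sed -n 's/.*name="mp\.jwt\.trust\.key"[^>]*value="\([^"]*\)".*/\1/p' "$1"
}

# verify_jwt_trust STOREPASS JWT_VARIABLES_XML: return 0 only if the
# certificate trusted as mpjwtkey is the server's own signing certificate
# and the configuration points at that alias.
verify_jwt_trust() {
  sec="$WA_DATADIR/usr/servers/engineServer/resources/security"
  signer=$(keytool -list -keystore "$sec/TWSServerKeyFile.p12" \
             -storepass "$1" -storetype pkcs12 | fingerprint_of server)
  trusted=$(keytool -list -keystore "$sec/TWSServerTrustFile.p12" \
             -storepass "$1" -storetype pkcs12 | fingerprint_of mpjwtkey)
  [ -n "$signer" ] || { echo "alias 'server' not found in key file" >&2; return 1; }
  [ "$signer" = "$trusted" ] ||
    { echo "mpjwtkey is missing or is not the server certificate" >&2; return 1; }
  [ "$(trust_key_alias "$2")" = "mpjwtkey" ] ||
    { echo "mp.jwt.trust.key is not set to mpjwtkey" >&2; return 1; }
  echo "OK: JWT signing certificate trusted as mpjwtkey ($signer)"
}

# Run the check only when asked, e.g.: sh check_jwt_trust.sh --verify PASS FILE
if [ "${1:-}" = "--verify" ]; then
  verify_jwt_trust "$2" "$3"
fi
```

A fingerprint mismatch means the truststore entry was imported from a different certificate than the one in TWSServerKeyFile.p12, so JWTs signed by the server would still be rejected.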