Upgrading in a mixed-version environment when using default certificates
If your environment contains components, such as agents, Dynamic Workload Console, dynamic domain managers, and so on, at various version levels and you use default certificates, ensure certificates across the environment are consistent. For example, you might need to install an agent at version 10.2.x, and connect it to a back-level master domain manager.
If you are using default certificates, you need to convert them to the new format and make them available to all components before you start the upgrade, as described in the following steps:
1. Set the IBM® Workload Scheduler environment, as described in Setting the environment variables.
2. To ensure the keytool and openssl commands start correctly on all operating systems, browse to the folder where the keytool and openssl commands are located and launch the commands as follows:
   cd <TWS_DIR>/JavaExt/jre/jre/bin
   ./keytool -importkeystore -srckeystore TWSServerKeyFile.jks -destkeystore <path_of_extracted_certs>/server.p12 -deststoretype pkcs12
   cd <TWS_DIR>/tmpOpenSSL64/1.1/bin/openssl
   ./openssl pkcs12 -in <path_of_extracted_certs>/server.p12 -out <path_of_extracted_certs>/tls.tot
   The location of the TWSServerKeyFile.jks varies depending on the IBM Workload Scheduler version you have currently installed, as follows:
   - versions 9.5 and later: TWA_DATA_DIR/usr/servers/engineServer/resources/security
   - versions 9.4 and earlier: TWA_home/WAS/TWSProfile/etc
3. Open the tls.tot file with any text editor.
4. From the tls.tot file, copy the private key to a new file named tls.key. The tls.key file must be structured as follows:
   -----BEGIN ENCRYPTED PRIVATE KEY-----
   <private_key>
   -----END ENCRYPTED PRIVATE KEY-----
   Note: Insert a carriage return after each key, so that an empty line is inserted after each key.
5. From the tls.tot file, copy the public key to a new file named tls.crt. The tls.crt file must be structured as follows:
   -----BEGIN CERTIFICATE-----
   <public_key>
   -----END CERTIFICATE-----
   Note: Insert a carriage return after each key, so that an empty line is inserted after each key.
6. Copy the contents of the tls.crt file into a new file named ca.crt. If you want to upgrade a dynamic domain manager, also copy the contents of the tls.crt file into another new file named jwt.crt.
7. Create a file named tls.sth containing the passphrase you have specified for creating the .p12 certificate in step 2, encoded in base64 format. To create the tls.sth file, use the following command:
   ./secure -password your_password -base64 e -out <path_of_extracted_certs>/tls.sth
   If you are using a version earlier than 10.x, you can find the secure script in the installation package of the 10.2.3 version you are upgrading to. You can launch the script from one of the following paths:
   - master domain manager and agent: <10.2.3_extracted_image_dir>/TWS/<interp>/Tivoli_LWA_<interp>/TWS/bin
   - Dynamic Workload Console: <10.2.3_extracted_image_dir>/DWC/<interp>/bin
   where <interp> is the operating system you are installing on.
   As an alternative, you can use the following command on UNIX workstations:
   echo -n "passwordToEncode" | base64 >> tls.sth
8. Browse to the GSKit folder and extract the client certificates from the TWA_DATA_DIR/ssl/GSKit folder by running the following commands, depending on the IBM Workload Scheduler version you have currently installed:
   cd <TWS_DIR>/tmpGSKit64/8/bin
   - versions 9.5 and later:
     ./gsk8capicmd_64 -cert -extract -db <TWA_DATA_DIR>/ssl/GSKit/TWSClientKeyStore.kdb -stashed -label client -target <path_of_extracted_certs>/client.crt
   - versions 9.4 and earlier:
     ./gsk8capicmd_64 -cert -extract -db <TWS_DIR>/ssl/GSKit/TWSClientKeyStore.kdb -stashed -label client -target <path_of_extracted_certs>/client.crt
9. Create a folder named additionalCAs in the folder where you extracted the certificates and move the client.crt file created in step 8 to the additionalCAs folder.
10. Insert the client.crt in the additionalCAs folder when providing the certificates to the installation script with the sslkeysfolder parameter.
11. Assign the correct permissions (755) and ownerships to extracted certificates, as follows:
   chmod -R 755 <path_of_extracted_certs>
You have now converted the certificates to the required .PEM format.
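Steps 3 to 7 can be scripted instead of copying blocks out of tls.tot by hand. The following shell functions are an added example, not IBM code: the function names are hypothetical, and the script assumes tls.tot holds exactly one encrypted private key and one certificate, as is expected for default certificates.

```shell
#!/bin/sh
# Added example (not IBM code): split the openssl output file tls.tot into
# tls.key, tls.crt, ca.crt, optional jwt.crt and tls.sth as in steps 3 to 7.
# Function names are hypothetical; file names are the ones the page uses.

# Count PEM blocks of one type ($1) in a file ($2), tolerating CRLF endings.
pem_count() {
    awk -v b="-----BEGIN $1-----" \
        '{ sub(/\r$/, "") } $0 == b { n++ } END { print n + 0 }' "$2"
}

# Print the first PEM block of type $1 from file $2, dropping the
# "Bag Attributes" lines around it and appending the required empty line.
pem_block() {
    awk -v b="-----BEGIN $1-----" -v e="-----END $1-----" '
        { sub(/\r$/, "") }
        $0 == b { on = 1 }
        on { print }
        on && $0 == e { print ""; exit }
    ' "$2"
}

# Usage: split_tls_tot <tls.tot> <output_dir> [ddm]   (passphrase on stdin)
split_tls_tot() {
    tot=$1; out=$2
    for t in "ENCRYPTED PRIVATE KEY" "CERTIFICATE"; do
        n=$(pem_count "$t" "$tot")
        if [ "$n" -ne 1 ]; then
            # A chain or an unencrypted key needs a manual decision; stop.
            echo "expected one $t block in $tot, found $n" >&2
            return 1
        fi
    done
    # Read the passphrase from stdin so it is not left in shell history.
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "empty passphrase" >&2; return 1; }
    pem_block "ENCRYPTED PRIVATE KEY" "$tot" > "$out/tls.key"
    pem_block "CERTIFICATE" "$tot" > "$out/tls.crt"
    cp "$out/tls.crt" "$out/ca.crt"
    # jwt.crt is only needed when upgrading a dynamic domain manager.
    if [ "${3:-}" = "ddm" ]; then cp "$out/tls.crt" "$out/jwt.crt"; fi
    # printf '%s' keeps a trailing newline out of the encoded value.
    printf '%s' "$pass" | base64 > "$out/tls.sth"
}
```

The function stops without writing any file when tls.tot contains more than one certificate or no encrypted key, so a certificate chain is never split silently.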
You can now use the new default certificates for installing or upgrading IBM Workload Scheduler components, as follows:
- If your master domain manager is at least at 10.1 FP1 level: you can copy the certificates you converted with the above procedure to the /depot folder on the master domain manager and install or upgrade dynamic agents and fault-tolerant agents specifying the wauser and wapassword parameters. For all remaining components, copy the certificates locally and launch the installation or upgrade specifying the sslkeysfolder and sslpassword parameters.
- If your master domain manager is at a version earlier than 10.1 FP1 level: copy the certificates you converted with the above procedure locally on all components and launch the installation or upgrade specifying the sslkeysfolder and sslpassword parameters.
For more information about all installation and upgrade parameters, see the serverinst, dwcinst, and twsinst scripts in Reference.