Creating an SSL keystore and a certificate for the Collector Server instance

Use the Java™ Keytool or the IBM® Key Management Utility (IKEYMAN) to create the SSL keystore, the private key, and the public key and to associate the public key with a certificate.

About this task

The Java Keytool and IKEYMAN are both delivered with Content Collector for SAP as part of the IBM JRE and have the following fully qualified file names:
  • The Java Keytool:
    • Linux/UNIX: InstallHome/java/jre/bin/keytool
    • Windows: InstallHome\java\jre\bin\keytool.exe
  • IKEYMAN:
    • Linux/UNIX: InstallHome/java/jre/bin/ikeyman
    • Windows: InstallHome\java\jre\bin\ikeyman.exe

To use IKEYMAN, start the ikeyman program. To use the Java Keytool, take these steps:

Procedure

  1. Open a command line on the system where the server instance runs.
  2. Enter the following command on one line:
    keytool -genkeypair
     -keyalg key_algorithm
     -keysize keysize
     -sigalg signature_algorithm
     -alias name
     -validity number_of_days
     -keystore ssl_keystore_file
    key_algorithm
    Specify the algorithm that is to be used to generate the key pair. Specify RSA.
    keysize
    Specify the size of the keys that are to be generated.
    signature_algorithm
    Specify the algorithm that is to be used to sign the certificate. Specify SHA256withRSA or SHA512withRSA.
    name
    Specify a name of your choice for the certificate chain and the private key that are created with this command. The name must be unique in the keystore.
    number_of_days
    Specify for how many days the certificate is to be valid.
    ssl_keystore_file
    Specify a fully qualified file name for the SSL keystore.
    Tip: Because an SSL keystore is required for each instance of Collector Server, it is good practice to create the SSL keystore in the instance directory. For example, specify:
    • Linux/UNIX: /home/iccsapadmin/instance1/security/https/keystore.jks
    • Windows: C:\Users\iccsapadmin\AppData\Roaming\IBM\iccsap\instance1\security\https\keystore.jks
    Example:
    keytool -genkeypair
     -keyalg RSA
     -keysize 2048
     -sigalg SHA256withRSA
     -alias iccsap_instance1
     -validity 365
     -keystore /home/iccsapadmin/instance1/security/https/keystore.jks
    Important: Ensure that your SAP system can handle the level of cryptography that you specify for the keys, such as the keysize parameter. To be on the safe side, install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on your SAP system.
  3. Enter a password when you are prompted by this message:
    Enter keystore password:
    For example, enter:
    icc4sap
  4. Enter an answer for each prompt for your organization information.
    For example:
    What is your first and last name? [Unknown]:
    server_name
    
    What is the name of your organizational unit? [Unknown]:
    Myunit
    
    What is the name of your organization? [Unknown]:
    Myorg
    
    What is the name of your City or Locality? [Unknown]:
    Mycity
    
    What is the name of your State or Province? [Unknown]:
    Mystate
    
    What is the two-letter country-code for this unit? [Unknown]:
    US
    
    Is <CN=myserver.com, OU=Myunit, O=Myorg , L=Mycity , ST=Unknown, C=US> correct? [no]:
    yes
    
    Enter key password for server_name (Press Enter if you want to use
    the same password as for the keystore)
    For server_name, specify the fully qualified host name or the IP address of the system where Collector Server is installed.

Results

A self-signed server certificate is created.
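
To confirm that the new entry matches what the procedure asks for (RSA key, SHA256withRSA or SHA512withRSA signature, CN equal to the server name), the following added example audits the text printed by keytool -list -v. It is not part of the product documentation; the function names check_cert, field and sample_listing are hypothetical, and the sample listing is constructed and modeled on recent OpenJDK keytool output.

```shell
# Added example. Audits `keytool -list -v` text for the entry created in this procedure.

# field NAME TEXT: print the value of the first "NAME: value" line in TEXT.
field() { printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1; }

# check_cert EXPECTED_CN [MIN_BITS]: reads the listing on stdin, prints one line
# per finding, returns 0 only if every check passes. MIN_BITS defaults to 2048,
# the -keysize used in the page's example (an assumption, not a stated minimum).
check_cert() {
    expected_cn=$1; min_bits=${2:-2048}; rc=0
    listing=$(cat)
    owner=$(field 'Owner' "$listing")
    issuer=$(field 'Issuer' "$listing")
    sigalg=$(field 'Signature algorithm name' "$listing")
    keyalg=$(field 'Subject Public Key Algorithm' "$listing")
    cn=$(printf '%s\n' "$owner" | sed -n 's/^CN=\([^,]*\).*/\1/p')
    bits=$(printf '%s\n' "$keyalg" | sed -n 's/^\([0-9][0-9]*\)-bit.*/\1/p')
    case $sigalg in
        SHA256withRSA|SHA512withRSA) ;;
        *) echo "FAIL signature algorithm: '$sigalg'"; rc=1 ;;
    esac
    case $keyalg in
        *RSA*) ;;
        *) echo "FAIL key algorithm: '$keyalg'"; rc=1 ;;
    esac
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL key size: '${bits:-unknown}' < $min_bits"; rc=1
    fi
    if [ "$cn" != "$expected_cn" ]; then
        echo "FAIL CN: '$cn' does not match host '$expected_cn'"; rc=1
    fi
    if [ -n "$owner" ] && [ "$owner" = "$issuer" ]; then
        echo "INFO self-signed (Owner equals Issuer)"
    fi
    return $rc
}

# Constructed sample, modeled on recent OpenJDK keytool output.
sample_listing() {
cat <<'EOF'
Alias name: iccsap_instance1
Owner: CN=myserver.com, OU=Myunit, O=Myorg, L=Mycity, ST=Mystate, C=US
Issuer: CN=myserver.com, OU=Myunit, O=Myorg, L=Mycity, ST=Mystate, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}
sample_listing | check_cert myserver.com
```

Against a real keystore, pipe the output of keytool -list -v -keystore ssl_keystore_file -alias name into check_cert. A JRE whose listing omits the Subject Public Key Algorithm line is reported as a key algorithm and key size failure, so check those two values by other means in that case.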