Setting up collectives with third-party certificates
You can configure and change a collective setup so that it uses SSL certificates that are signed by a third-party certificate authority. SSL protects communication between controllers and members.
Before you begin
Each server in a collective has two keystores that are named by default- serverIdentity.p12 and collectiveTrust.p12. The keystore contains the SSL certificates that are needed to declare its own identity and securely establish a communication with other members and controllers within the collective. For an application to establish an HTTPS inbound connection, each server has two more keystores that are named by default, key.p12 and trust.p12.
Through 19.0.0.2, the following information about the default JKS keystore is applicable. Each server in a collective has two keystores that are named by default- serverIdentity.jks and collectiveTrust.jks. The keystore contains the SSL certificates that are needed to declare its own identity and securely establish a communication with other members and controllers within the collective. For an application to establish an HTTPS inbound connection, each server has two more keystores that are named by default, key.jks and trust.jks.
The Liberty server default keystore type is PKCS12. The JKS keystore type also works. Depending on when the collective keystores were created, they might be JKS keystores that have the .jks file extension or they might be the PKCS12 keystores with the .p12 file extension.
For example, in the diagram that follows, the keystore is rootKey.jks, but it might actually be rootKeys.p12 in the configuration and file system.
You need to construct the Liberty collective. For more information, see Configuring a Liberty collective and Collective security in the product documentation.
To establish secure SSL connection between the collective
controller and collective member, a set of SSL certificates are created by the collective utility.
These distinguished names (DN) of these certificates contain either
OU=controllerRoot
or OU=memberRoot
, depending on whether the usage
of the certificate is at the collective controller side or collective member side. They are added to
respective keystores of controller or member. These certificates ensure that secure SSL connection
is established between the different constituents of a collective.
You can use SSL certificates signed by third-party certificate authority (CA) to achieve the same SSL secure connection between the different Liberty servers of a collective.
- rootkeys.jks
- The keystore is used by a collective. The keystore exists only at the collective controller side
and contains two self-signed, personal certificates with alias names
controllerroot and memberroot. The system uses these
certificates to sign the collective controller personal certificates and collective member personal
certificates in that order. Tip: After you create the controller, you can optionally replace the certificates in the rootkeys.jks keystore with your own certificates that are signed by a certificate authority.
- serverIdentity.jks
- The keystore is used by a collective. Keystore contains personal certificate of the controller on the controller side, and personal certificate of the member on the member side, which is automatically created during collective create operation. By default, the controller personal certificate is signed by controllerroot and member personal certificate is singed by memberroot in rootKeys.jks.
- collectiveTrust.jks
- The keystore is used by a collective. Truststore contains signer certificates that signed the controller and member personal certificate, for example, controllerroot and memberroot.
- key.jks
- The keystore is used by an application. Keystore contains personal certificate of the controller on the controller side, and personal certificate of the member on the member side, which is automatically created during collective create operation. By default, the controller personal certificate is signed by controllerroot and member personal certificate is singed by memberroot.
- trust.jks
- The keystore is used by an application. Truststore contains signer certificates that signed the controller and member personal certificates, for example, controllerroot and memberroot.
The following image displays the controller and member certificates:
About this task
Configure and change a collective setup so that it can use SSL certificates that are signed by third-party certificate authority. Add new configuration to the server.xml file to support personal certificates in the serverIdentity.jks file that are signed by third-party CA to be used for collective communication. This configuration is used to identify your certificates that are used for collective operations when they are not default.
<collectiveCertificate rdn="name=value"></collectiveCertificate>
- name
- Any attribute name in the certificate distinguished name
- value
- rdn attribute value in the distinguished name
DN:
CN=companyName,OU=WebSphere,O=IBM, EMAIL=abcd@xyz.com
, and you want to identify all
certificates with EMAIL=abcd@xyz.com
as collective certificates, you would use the
following
configuration:<collectiveCertificate rdn="EMAIL=abcd@xyz.com"></collectiveCertificate>