Setting up collectives with third-party certificates

Each server in a collective has two keystores that are named by default- serverIdentity.p12 and collectiveTrust.p12. The keystore contains the SSL certificates that are needed to declare its own identity and securely establish a communication with other members and controllers within the collective. For an application to establish an HTTPS inbound connection, each server has two more keystores that are named by default, key.p12 and trust.p12.

Through 19.0.0.2, the following information about the default JKS keystore is applicable. Each server in a collective has two keystores that are named by default- serverIdentity.jks and collectiveTrust.jks. The keystore contains the SSL certificates that are needed to declare its own identity and securely establish a communication with other members and controllers within the collective. For an application to establish an HTTPS inbound connection, each server has two more keystores that are named by default, key.jks and trust.jks.

The Liberty server default keystore type is PKCS12. The JKS keystore type also works. Depending on when the collective keystores were created, they might be JKS keystores that have the .jks file extension or they might be the PKCS12 keystores with the .p12 file extension.

For example, in the diagram that follows, the keystore is rootKey.jks, but it might actually be rootKeys.p12 in the configuration and file system.

You need to construct the Liberty collective. For more information, see Configuring a Liberty collective and Collective security in the product documentation.

To establish secure SSL connection between the collective controller and collective member, a set of SSL certificates are created by the collective utility. These distinguished names (DN) of these certificates contain either OU=controllerRoot or OU=memberRoot, depending on whether the usage of the certificate is at the collective controller side or collective member side. They are added to respective keystores of controller or member. These certificates ensure that secure SSL connection is established between the different constituents of a collective.

You can use SSL certificates signed by third-party certificate authority (CA) to achieve the same SSL secure connection between the different Liberty servers of a collective.

rootkeys.jks

The keystore is used by a collective. The keystore exists only at the collective controller side and contains two self-signed, personal certificates with alias names controllerroot and memberroot. The system uses these certificates to sign the collective controller personal certificates and collective member personal certificates in that order.

Tip: After you create the controller, you can optionally replace the certificates in the rootkeys.jks keystore with your own certificates that are signed by a certificate authority.

serverIdentity.jks

The keystore is used by a collective. Keystore contains personal certificate of the controller on the controller side, and personal certificate of the member on the member side, which is automatically created during collective create operation. By default, the controller personal certificate is signed by controllerroot and member personal certificate is singed by memberroot in rootKeys.jks.

collectiveTrust.jks

The keystore is used by a collective. Truststore contains signer certificates that signed the controller and member personal certificate, for example, controllerroot and memberroot.

key.jks

The keystore is used by an application. Keystore contains personal certificate of the controller on the controller side, and personal certificate of the member on the member side, which is automatically created during collective create operation. By default, the controller personal certificate is signed by controllerroot and member personal certificate is singed by memberroot.

trust.jks

The keystore is used by an application. Truststore contains signer certificates that signed the controller and member personal certificates, for example, controllerroot and memberroot.

The following image displays the controller and member certificates: