Adding a self-signed certificate to the keystore

You can set up secure communications by using a self-signed certificate with your object storage system. In this situation, IBM Spectrum Protect™ uses HTTPS instead of HTTP when it communicates with the object storage system. The following steps provide a method for importing certificates.

About this task

Use a web browser to get a copy of the certificate used by the object storage system. The following steps are specific to Firefox, but other browsers provide similar functions. Refer to your preferred browser’s instructions on exporting certificates.

Procedure

  1. Get the certificate that is used by the OpenStack Swift server or IBM® Cloud Object Storage.
    1. Type the URL for your object storage system in the browser Address bar and press Enter. Use the keystone server URL for OpenStack, or the accesser node URL for IBM Cloud Object Storage.

      Tip: If you are using IBM Cloud Object Storage as your object storage system, log in to IBM Cloud Object Storage and click the Security tab. In the dsNet Fingerprint section, click dsNet certificate authority and copy the certificate information into a certificate file for use in step 2.

    2. Accept any warnings displayed by the browser.
    3. Click the lock icon in the browser Address bar.
    4. Select More Information in the pop-up window.
    5. Select View Certificate in the Page Info window.
    6. Click the Details tab in the Certificate Viewer page, and then select Export.
    7. Save the exported file to the location that you want.
  2. Add the certificate to the Java™ default keystore.

    The following steps assume your client nodes are on Linux, and your server is running on Linux. Because each IBM Cloud Object Storage accesser has its own certificate by default, add the certificate for each accesser to the keystore, and use a different alias for each certificate.

    1. Open a terminal and change directory to the jre/bin directory.

      The default installation location is /opt/tivoli/tsm/jre/bin.

    2. Make a backup copy of the Java cacerts file by running the following command:

      cp ../lib/security/cacerts ../lib/security/cacerts.original

      On a Windows system, the location of the Java cacerts keystore is: install_dir\jre\lib\security\, and the location of the keytool is install_dir\jre\bin\.

    3. Import the saved certificate from the previous procedure by running the following command:

      ./keytool -import -keystore ../lib/security/cacerts -alias somealias -file yourfile

      where somealias is a unique alias for this certificate in the keystore, which is important if you have more than one certificate, and yourfile is the path and file name of the certificate from the first step of these instructions.

    4. When you are asked for the password, type changeit. If you changed your password from the default password, type your current password.
    5. When you are asked to trust this certificate, type yes.

      The following message is shown when the certificate is added successfully: Certificate was added to keystore.

      The default certificates have a short expiration. When they expire, you might lose access to the object storage until you update the certificates. You can create your own certificates and use them, but creating and installing these certificates on object storage systems is outside the scope of this document.

    6. Restart the IBM Spectrum Protect server.
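
The import in step 2 with a fingerprint check in front of it, as an added example rather than IBM's own script: a certificate that was saved after accepting browser warnings is imported only if its SHA-256 fingerprint equals a value obtained separately from the object storage administrator. The function names, the sample certificate text, and the OpenJDK-style keytool -printcert layout that is parsed are assumptions.

```sh
#!/bin/sh
# Added example, not IBM's script. Paths are the Linux defaults named in the procedure.
KEYTOOL=${KEYTOOL:-/opt/tivoli/tsm/jre/bin/keytool}
CACERTS=${CACERTS:-/opt/tivoli/tsm/jre/lib/security/cacerts}

# Constructed sample of `keytool -printcert` output (assumed OpenJDK-style layout).
sample_printcert() {
cat <<'EOF'
Owner: CN=accesser1.example.test
Issuer: CN=accesser1.example.test
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 23:59:59 UTC 2024
Certificate fingerprints:
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

# Strip colons and whitespace and upper-case, so differently formatted values compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read -printcert text on stdin; print its SHA-256 fingerprint, normalised.
fp_from_printcert() {
    normalize_fp "$(sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)"
}

# Read -printcert text on stdin; print the expiry ("until") date.
not_after() {
    sed -n 's/^Valid from:.* until: //p' | head -n 1
}

# Read -printcert text on stdin; succeed only if it carries the expected fingerprint.
fp_matches() {
    [ -n "$1" ] && [ "$(fp_from_printcert)" = "$(normalize_fp "$1")" ]
}

# Usage: import_verified CERT_FILE ALIAS EXPECTED_SHA256
import_verified() {
    info=$("$KEYTOOL" -printcert -file "$1") || return 1
    printf '%s\n' "$info" | fp_matches "$3" || {
        echo "fingerprint mismatch for $1; nothing imported" >&2; return 1; }
    echo "certificate expires: $(printf '%s\n' "$info" | not_after)"
    [ -e "$CACERTS.original" ] || cp -p "$CACERTS" "$CACERTS.original" || return 1
    # Fingerprint already checked, so -noprompt skips the trust question;
    # keytool still asks for the keystore password and rejects a duplicate alias.
    "$KEYTOOL" -import -noprompt -keystore "$CACERTS" -alias "$2" -file "$1"
}

if [ "$#" -eq 3 ]; then import_verified "$@"; fi
```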