Securing communications

This topic describes the default secure communications configuration for IBM Support Assistant and how to change the configuration.

Default configuration information

IBM Support Assistant ships with a default configuration that provides secure communication between the browser client and the server. On first launch, this configuration automatically generates a self-signed SSL certificate for the server. The generated certificate has a validity period of one year and must be regenerated or replaced after that period expires.

Generating a new SSL certificate

You may want to generate a new certificate if the default certificate has expired or simply to create one with a password that you specify. You can use the securityUtility command to create a default SSL certificate for use by the IBM Support Assistant supplied server.

Procedure

  1. Open a command prompt, then change directory to the <isa_install>/wlp/usr/servers/isa/resources/security directory.
  2. Delete or rename any existing key.jks and ltpa.keys files.
  3. Change directory to the <isa_install>/wlp/bin directory.
  4. Run the following command. If you do not specify a password, the command will not run.
    securityUtility createSSLCertificate --server=isa --password=your_password

Results

You have created a default keystore key.jks for the isa server. The keystore file is located under the <isa_install>/wlp/usr/servers/isa/resources/security directory. The securityUtility command will print out a message to the console containing the new value you will need to add to the <isa_install>/wlp/usr/servers/isa/server.xml configuration file.

What to do next

You can configure the isa server to use the new keystore.

  1. Open a command prompt, then change directory to the <isa_install>/wlp/usr/servers/isa directory.
  2. Open the server.xml file with a text editor.
  3. Locate the <keyStore ...> element:
    <keyStore id="defaultKeyStore" password="{xor}Fgweah06Kz5s"
  4. Replace the value for the password attribute with the value reported by the securityUtility command. Optionally, you can enter the plain text password value that you provided to the securityUtility command; however, it is recommended that you use the encrypted version returned by the command.
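
The following check is an added example, not IBM's code: it reports how each password attribute in a server.xml is stored, which matters because the {xor} prefix shown above marks a reversible encoding rather than key-based encryption. The sample XML is constructed (only the {xor} value comes from this page), and the names classify and audit are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real ISA server.xml. Only the first keyStore
# password value is taken from the page; every other value is made up.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" password="{xor}Fgweah06Kz5s"/>
  <keyStore id="plainExample" password="your_password"/>
  <keyStore id="aesExample" password="{aes}CONSTRUCTED_PLACEHOLDER"/>
  <keyStore id="varExample" password="${keystore_password}"/>
</server>"""

# Risk note per storage form, used when printing the report.
RISK = {
    "plaintext": "high: readable by anyone who can read the file",
    "xor": "medium: obfuscated only, recoverable without any key",
    "aes": "lower: encrypted, so protect the encryption key",
    "hash": "lower: one-way hash",
    "variable": "check where the variable is defined",
}
PREFIX = re.compile(r"^\{(\w+)\}")


def classify(value):
    """Return the storage form of one password attribute value."""
    if value.startswith("${"):
        return "variable"
    match = PREFIX.match(value)
    if not match:
        return "plaintext"
    scheme = match.group(1).lower()
    return scheme if scheme in RISK else "unknown"


def audit(xml_text):
    """List (tag, id, attribute, form) for every password-like attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if "password" in name.lower():
                findings.append((elem.tag, elem.get("id", "-"), name, classify(value)))
    return findings


if __name__ == "__main__":
    for tag, ident, attr, form in audit(SAMPLE_SERVER_XML):
        print(f"<{tag} id={ident}> {attr}: {form} ({RISK.get(form, 'unrecognised prefix')})")
```

Whatever form is reported, keep server.xml and key.jks readable only by the account that runs the isa server.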