Configuring the client authentication
You must export the certificate of the web application server that hosts IBM® Content Navigator and import it into the SSL truststore of the Collector Server instance.
Procedure
- Export the certificate of the web application server. If IBM Content Navigator is installed on IBM WebSphere® Application Server, use the following steps as guidance. If IBM Content Navigator is installed on another web application server or if you use custom security settings in WebSphere Application Server, refer to your web application server documentation for more information.
- In the WebSphere Application Server administration console, click Security > SSL certificate and key management.
- Under Related items, click Keystores and certificates.
- Select the keystore that contains the certificate.
The default name of this keystore is NodeDefaultTrustStore. For WebSphere Application Server Network Deployment, the default name is CellDefaultTrustStore.
- Under Additional properties, click Signer certificates.
- Select the check box next to the appropriate certificate and then click Extract.
- Specify a file name with the extension .DER and select Binary DER Data as the data type.
For example, type:
root.der
- Click OK to extract the certificate. Make a note of the fully qualified path that the file is extracted to. The path might look as follows:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc/root.der
- Copy the certificate file of the web application server to the system where Collector Server is installed.
- Import the certificate of the web application server into the SSL truststore by using the Java™ Keytool or IKEYMAN. The SSL truststore is created during the import.
To use IKEYMAN, start the ikeyman program. To use the Java Keytool, take these steps:
- Open a command line on the system where the server instance runs.
- Enter the following command on one line:
keytool -importcert -file certificate_file -alias name -keystore ssl_truststore_file
- certificate_file
- Specify the fully qualified file name of the certificate of the web application server.
- name
- Specify a name of your choice for the certificate. The name must be unique in the truststore that is to contain the certificate.
- ssl_truststore_file
- Specify a fully qualified file name for the SSL truststore.
Tip: Because an SSL truststore must not be shared by several instances of Collector Server, it is good practice to create the truststore in the instance directory. For example, specify:

/home/iccsapadmin/instance1/security/https/truststore.jks
C:\Users\iccsapadmin\AppData\Roaming\IBM\iccsap\instance1\security\https\truststore.jks
Example:
keytool -importcert -file /home/iccsapadmin/root.der -alias was1 -keystore /home/iccsapadmin/instance1/security/https/truststore.jks
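The following is an added example, not part of the original documentation: a shell wrapper that imports the copied certificate only if the file's SHA-256 digest matches a fingerprint recorded on the source system (for example from keytool -printcert -file), then lists the new truststore entry. The function names are hypothetical, and it assumes the .der file holds exactly one binary DER certificate, in which case the file digest equals the certificate's SHA-256 fingerprint.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify a copied DER certificate
# against a known fingerprint before importing it into the SSL truststore.

# Normalize a fingerprint: drop colons, spaces and newlines, then uppercase.
fp_normalize() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 digest of a file as lowercase hex.
# For a file containing exactly one binary DER certificate, this value is
# the certificate's SHA-256 fingerprint.
der_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fp_matches FILE EXPECTED_FINGERPRINT
# Returns 0 on match, 1 on mismatch, 2 if the file is unreadable,
# 3 if the expected value is not a 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    [ -r "$1" ] || return 2
    actual=$(fp_normalize "$(der_sha256 "$1")")
    expected=$(fp_normalize "$2")
    [ ${#expected} -eq 64 ] || return 3
    [ "$actual" = "$expected" ]
}

# verified_import CERT_FILE ALIAS TRUSTSTORE EXPECTED_FINGERPRINT
# keytool prompts for the truststore password and for trust confirmation.
verified_import() {
    if ! fp_matches "$1" "$4"; then
        echo "fingerprint check failed for $1; certificate not imported" >&2
        return 1
    fi
    keytool -importcert -file "$1" -alias "$2" -keystore "$3" &&
        keytool -list -v -alias "$2" -keystore "$3"
}

# Usage with the paths from the example above; replace the last argument
# with the fingerprint recorded on the web application server:
# verified_import /home/iccsapadmin/root.der was1 \
#     /home/iccsapadmin/instance1/security/https/truststore.jks "<fingerprint>"
```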