IBM Support

Replacing certificate for communication from metadata interchange agents to IBM InfoSphere metadata asset manager

Product Documentation


Abstract

IBM InfoSphere metadata asset manager (IMAM) is installed with self-signed certificates that are used to encrypt the communication between components running in WebSphere Application Server and Apache Tomcat. To improve the security of this communication, you can replace the default certificates with your own, either new self-signed certificates or certificates signed by a certificate authority.

The communication between WebSphere Application Server and Apache Tomcat occurs in two directions, and each direction uses a different certificate. These instructions describe how to change the certificate used for the communication from Apache Tomcat to WebSphere Application Server. The information protected by this certificate is the metadata that the metadata interchange agent on Tomcat sends to metadata asset manager during an import.

Content

About this task
The installation of InfoSphere metadata asset manager (IMAM) is distributed across multiple computers. Some components are installed on the services tier and others on the client tier. The services tier components run in WebSphere Application Server and the client tier components run in Apache Tomcat. IMAM uses SSL/TLS certificates to encrypt the communication between the components running in these two servers.

The communication between the components in WebSphere Application Server and Apache Tomcat occurs in two directions, and each direction uses a separate certificate. This procedure describes how to replace the certificate used for the communication from Apache Tomcat to WebSphere Application Server. The instructions for replacing the certificate used in the other direction are documented separately.


This procedure involves making changes in both WebSphere Application Server and Apache Tomcat. First, go through the changes required in WebSphere Application Server and then go through the changes required in Apache Tomcat.

Step 1: Update WebSphere Application Server


1. Open the WebSphere administrative console (For example, http://ServicesTierHost:9060/ibm/console).

2. Rename the old certificate.
           
a. Go to Security -> SSL Certificate and key management -> Key stores and certificates -> IISKeyStore -> Personal Certificates -> Select “iiscert” -> Export.
 Choose IISKeyStore as the destination and iiscert_old as the alias, so you have a backup copy of the original certificate. Note that Export copies the certificate together with its private key, so the backup entry is as sensitive as the original. You can remove the old certificate once the procedure is completed successfully.
         
b. Go to Security -> SSL Certificate and key management -> Key stores and certificates -> IISKeyStore -> Personal Certificates, select “iiscert”, then "Delete" to remove the original certificate.
3. Add the new certificate to WebSphere Application Server. You have two choices: use a certificate signed by a certificate authority, or create a new self-signed certificate.
Option 1: Use a certificate authority

If you want to use a certificate signed by a certificate authority, follow the steps in this section. Generate the certificate request exactly as described; otherwise, importing the signed certificate into WebSphere Application Server can fail.

1. Go to Security -> SSL Certificate and key management -> Key stores and certificates-> IISKeyStore -> Personal certificate requests -> New. When prompted, enter the information you want to be in your certificate. The key label must be “iiscert”.

2. Give the generated certificate request to a certificate authority and have them sign it.

3. Take the signed certificate from the certificate authority and import it into WebSphere Application Server. Go to Security -> SSL Certificate and key management -> Key stores and certificates -> IISKeyStore -> Personal Certificates -> Receive from a certificate authority. When prompted for the certificate information, enter the certificate file name and data type, then select "Apply" and then "Save."

4. Verify that the alias of the imported certificate is “iiscert”. If the alias is different, it must be changed: export the newly imported certificate into the IISKeyStore and give the exported certificate the alias “iiscert”. This creates a copy of the certificate with the correct alias.

Option 2: Create a new self-signed certificate

To create a new self-signed certificate to use for the communication, take the following step:

1. Go to Security -> SSL Certificate and key management -> Key stores and certificates -> IISKeyStore -> Personal certificates -> Create -> Self-signed certificate. When prompted, enter the information for the certificate. The alias must be “iiscert”.

2. Extract the public certificate from the new certificate. Go to Security -> SSL Certificate and key management -> Key stores and certificates -> IISKeyStore -> Personal Certificates -> Select "iiscert" -> Click extract. In the certificate name field, choose the location to save this certificate to (for example, c:\temp\iiscert.cer). Select “Base64-encoded ASCII data” as the data type. Unlike Export, Extract writes only the public certificate, without the private key, which is all the client tier needs to trust the server.

3. Restart WebSphere Application Server.


STEP 2: Update Apache Tomcat on client tier

If WebSphere Application Server Liberty Profile is installed on the client tier instead of Apache Tomcat, skip to step 3.

The following procedure describes how to update Apache Tomcat on every client tier computer that has a metadata interchange agent installed, so that the agent trusts the new WebSphere Application Server certificate and can establish the encrypted connection. These steps assume that no additional certificates have been imported into the IMAM truststore (imamtruststore.p12) since IBM InfoSphere Information Server was installed. If more certificates were added, they must be added again after this process is complete. This extra step is needed because, due to limitations in the keytool command, the old certificate cannot be removed from imamtruststore.p12, so the truststore has to be re-created.

These instructions need to be completed on each computer installed with metadata interchange agent. They also assume that InfoSphere Information Server was installed to the following directory: c:\IBM\InformationServer. If you installed it to a different directory, you need to adjust the directory names for your environment.

1. Copy the iiscert.cer file that was extracted from WebSphere Application Server onto the current computer.

 

2. Open a Windows command shell and set up your environment for modifying the truststore by running the following commands:

  • cd C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf
  • SET PATH=C:\IBM\InformationServer\ASBNode\apps\jre\bin;%PATH%

3. Verify that “iiscert” and “dummy” are the only entries in imamtruststore.p12 by running the following command and examining the result.

  • keytool -list -keystore imamtruststore.p12 -storetype pkcs12

    When you run this command, you are prompted for the truststore password. The default password is changeit; because this default is publicly known, consider choosing a different password when you create the new truststore in step 5. The output should list exactly two entries, iiscert and dummy, as shown here:

    Enter keystore password:

    Keystore type: pkcs12
    Keystore provider: IBMJCE

    Your keystore contains 2 entries

    iiscert, mmm dd, yyyy, trustedCertEntry,
    Certificate fingerprint (MD5): B6:D5:A0:C2:64:21:CE:00:25:17:51:E3:81:6C:C2:F2
    dummy, mmm dd, yyyy, keyEntry,
    Certificate fingerprint (MD5): 34:48:D5:F1:A1:F5:77:6A:A8:80:7A:76:79:C3:92:48

    Note: If you followed this procedure before, the "dummy" certificate might not be present. Any other entries in the truststore will not be carried over into your new imamtruststore.p12 truststore. If they are needed, you have to import them into the new imamtruststore.p12 file after this process is complete.
4. Rename the existing imamtruststore.p12 file by running the following command:
  • rename imamtruststore.p12 imamtruststore_old.p12

    This creates a backup of the old truststore file. The file imamtruststore_old.p12 can be removed once the procedure is completed successfully.

5. Import the certificate file from WebSphere Application Server into a new truststore file. Because this command creates the truststore, the password you specify becomes the password of the new truststore. If you use a password other than "changeit", the Tomcat server.xml file must be updated (see step 6). Note that a password given with -storepass is visible in the process list and in the command history of the shell; omit the option if you prefer to be prompted for it.
  • keytool -import -noprompt -alias iiscert -storetype pkcs12 -keystore imamtruststore.p12 -storepass NewPassword -file CertificateFile

    For example,

    keytool -import -noprompt -alias iiscert -storetype pkcs12 -keystore imamtruststore.p12 -storepass changeit -file c:\temp\iiscert.cer


6. If you chose a truststore password that differs from the previous one (the default is "changeit"), you need to update the Tomcat server.xml file with the new password. If you are certain that the password for the IMAM truststore in server.xml is still correct, you can skip this step.
a. Open a new Windows command shell and run the following command to encrypt your new password:
  • c:\IBM\InformationServer\ASBNode\bin\encrypt.bat

    It prompts you for the value to encrypt and prints the encrypted value. Tomcat must be able to recover the plaintext from this value, so it protects the password from casual reading only; keep file permissions on server.xml restrictive.

    For example, imam -> {iisenc}cnILiNhvTEKhQwtEwhZmUQ==

b. Edit the file:
C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\server.xml

In this file, locate the Connector XML element used by the metadata interchange agent. It looks like the following:


<Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="true" sslProtocol="TLS"
        keyAlias="imamagent"
        keystoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web/conf/imamkeystore.p12"
        keystorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
        keystoreType="pkcs12"
        truststoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web/conf/imamtruststore.p12"
        truststorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
        truststoreType="pkcs12" encrypted="true"/>


Within this connector element, you need to replace the value of the attribute truststorePass with your newly encrypted password. Verify that there are still quotation marks around the password.

For example, the following shows the truststore password updated to {iisenc}cnILiNhvTEKhQwtEwhZmUQ==:

<Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="true" sslProtocol="TLS"
        keyAlias="imamagent"
        keystoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web/conf/imamkeystore.p12"
        keystorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
        keystoreType="pkcs12"
        truststoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web/conf/imamtruststore.p12"
        truststorePass="{iisenc}cnILiNhvTEKhQwtEwhZmUQ=="
        truststoreType="pkcs12" encrypted="true"/>
7. Restart the Windows service named "IBM InfoSphere metadata integration bridges". Open Control Panel -> Administrative Tools -> Services from the Windows Start menu, right-click the service named “IBM InfoSphere metadata integration bridges” and select Restart.
STEP 3: Update the metadata interchange server profile on the client computers.
Follow the actions described in procedure 2 of the linked document.
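The following PowerShell script is an added example, not part of the IBM page, that performs steps 2 through 7 of STEP 2 on one client-tier computer and adds the check a practitioner would want: after the import it compares the fingerprint of the entry in the rebuilt truststore against the fingerprint of the iiscert.cer file, and it records any extra entries in the old truststore that have to be re-imported. It assumes the default installation directory, that keytool.exe is in ASBNode\apps\jre\bin as in the page, and that you already ran encrypt.bat and pass its "{iisenc}..." output as -EncryptedTrustStorePass (leave it empty to keep server.xml unchanged). The parameter names and the Get-Fingerprints helper are this example's own.

```powershell
# Added example: rebuild imamtruststore.p12 with the new WAS certificate and update server.xml.
param(
    [Parameter(Mandatory)] [string] $CertFile,           # e.g. C:\temp\iiscert.cer extracted in Step 1
    [string] $InstallDir = 'C:\IBM\InformationServer',   # assumption: default install path
    [string] $OldTrustStorePass = 'changeit',            # password of the existing truststore
    [string] $TrustStorePass = 'changeit',               # password for the rebuilt truststore
    [string] $EncryptedTrustStorePass = ''               # "{iisenc}..." from encrypt.bat; '' = leave server.xml alone
)
$ErrorActionPreference = 'Stop'

$conf    = Join-Path $InstallDir 'Clients\MetaBrokersAndBridges\web\conf'
$keytool = Join-Path $InstallDir 'ASBNode\apps\jre\bin\keytool.exe'
$store   = Join-Path $conf 'imamtruststore.p12'
$backup  = Join-Path $conf 'imamtruststore_old.p12'

# Collect "MD5:/SHA1:/SHA256: xx:xx:..." fingerprint lines from keytool output into a hashtable.
function Get-Fingerprints([string[]] $Lines) {
    $fp = @{}
    foreach ($line in $Lines) {
        if ($line -match '(MD5|SHA1|SHA256):\s*([0-9A-Fa-f:]+)\s*$') { $fp[$Matches[1]] = $Matches[2].ToUpper() }
    }
    return $fp
}

# Step 3: list the old truststore and remember every entry other than iiscert/dummy,
# because the rebuilt truststore will not contain them.
$extra = @()
foreach ($line in (& $keytool -list -keystore $store -storetype pkcs12 -storepass $OldTrustStorePass 2>&1)) {
    if ("$line" -match '^(\S+),\s.*Entry' -and $Matches[1] -notin @('iiscert', 'dummy')) { $extra += $Matches[1] }
}

# Step 4: keep a backup of the old truststore (refuse to overwrite an earlier backup).
if (Test-Path $backup) { throw "$backup already exists; move it aside before re-running" }
Rename-Item -Path $store -NewName 'imamtruststore_old.p12'

# Step 5: create the new truststore by importing the extracted WAS certificate.
# -storepass is visible in the process list; drop it to be prompted interactively instead.
& $keytool -importcert -noprompt -alias iiscert -storetype pkcs12 -keystore $store `
           -storepass $TrustStorePass -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool import of $CertFile failed" }

# Check: the entry now in the truststore must be the certificate we were given.
$want = Get-Fingerprints (& $keytool -printcert -file $CertFile)
$have = Get-Fingerprints (& $keytool -list -v -alias iiscert -keystore $store -storetype pkcs12 -storepass $TrustStorePass)
$common = @($want.Keys | Where-Object { $have.ContainsKey($_) })
if ($common.Count -eq 0) { throw 'keytool printed no comparable fingerprint; verify the truststore manually' }
foreach ($alg in $common) {
    if ($want[$alg] -ne $have[$alg]) { throw "$alg fingerprint mismatch: file $($want[$alg]) vs truststore $($have[$alg])" }
}
Write-Host "iiscert imported; $($common -join '/') fingerprint matches $CertFile"

# Step 6: replace truststorePass in the metadata interchange agent Connector (port 19443).
if ($EncryptedTrustStorePass) {
    $serverXml = Join-Path $conf 'server.xml'
    Copy-Item $serverXml "$serverXml.bak"
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($serverXml)
    $conn = $doc.SelectSingleNode("//Connector[@port='19443' and @truststoreFile]")
    if (-not $conn) { throw "Connector on port 19443 not found in $serverXml" }
    $conn.SetAttribute('truststorePass', $EncryptedTrustStorePass)
    $doc.Save($serverXml)
}

# Step 7: restart the agent service so Tomcat reloads the truststore and server.xml.
Get-Service -DisplayName 'IBM InfoSphere metadata integration bridges' | Restart-Service

if ($extra.Count -gt 0) {
    Write-Warning "Re-import these entries from $backup into the new truststore: $($extra -join ', ')"
}
```

Run it once per client-tier computer, for example .\Rebuild-ImamTruststore.ps1 -CertFile C:\temp\iiscert.cer -TrustStorePass 'NewPassword' -EncryptedTrustStorePass '{iisenc}...'; the plaintext -TrustStorePass and the encrypted value must correspond, since the script does not call encrypt.bat itself. The fingerprint comparison accepts whichever of MD5, SHA1 or SHA256 both keytool invocations print, so it works with the older IBM JRE keytool that only reports MD5/SHA1 as well as with newer releases.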


Document Information

Modified date:
23 June 2021

UID

swg27022384