IBM Support

Replacing certificate for communication from IBM InfoSphere metadata asset manager to metadata interchange agents

Product Documentation


Abstract

InfoSphere metadata asset manager is installed with self-signed certificates that are used to encrypt the communication between components running in WebSphere Application Server and Apache Tomcat. You can replace the default certificates with your own certificates to improve the security of this communication. You can either replace them with new self-signed certificates or with certificates signed by a certificate authority.

The communication between WebSphere Application Server and Apache Tomcat occurs in two directions, and each direction uses a different certificate. These instructions describe how to change the certificate used for the communication from WebSphere Application Server to Apache Tomcat. Among other things, the information secured by this certificate includes the information that you enter in the InfoSphere metadata asset manager user interface describing how to access the data to import. This data might potentially include database usernames and passwords and other sensitive information.

Content

About this task
In general, the communication between WebSphere Application Server and Apache Tomcat occurs in two directions, and each direction can use a different certificate. These instructions describe how to change the certificate used for the communication from WebSphere Application Server to Apache Tomcat. If you want to change the certificate for the communication in the other direction, see the document.

If you want WebSphere Application Server and Apache Tomcat to use the same certificate for communication in both directions, first follow the instructions for updating the communication from Tomcat to WebSphere. After you complete all of those instructions, come back to this document.

Step 1: Create a new InfoSphere metadata asset manager keystore

If the metadata interchange agent is running on IBM WebSphere Application Liberty profile, go to step 3.

The digital certificate that is used by the metadata interchange agent running in Tomcat to decrypt the data coming in from InfoSphere metadata asset manager is stored in a file called imamkeystore.p12. To update the certificate used for this communication, you must create a new imamkeystore.p12 file. These steps explain how to do that.

When you create the new imamkeystore.p12, you can also set a new password for the keystore. If this password is set to something other than changeit, the server.xml file in every Apache Tomcat instance needs to be updated to use the new password.

These instructions assume that InfoSphere Information Server was installed to C:\IBM\InformationServer on the client tier. If you installed it in a different directory, you need to adjust the directory names for your environment.

There are three options for creating the imamkeystore.p12 file, depending on the type of new certificate that you want to use.

Option 1: Use a certificate authority

If you want to use a certificate signed by a certificate authority, follow the steps in this section. Generate the certificate request exactly as described here; otherwise, importing the signed certificate into your keystore can fail.

1. Open a Windows command shell on any client tier and run the following command:

SET PATH=C:\IBM\InformationServer\ASBNode\apps\jre\bin;%PATH%

2. Generate the keystore and the certificate to be signed, and enter the information that you want in the certificate when prompted:

keytool -genkey -alias imamagent -keystore imamkeystore.p12 -storetype pkcs12

3. Generate the certificate request to give to the certificate authority:

keytool -certreq -alias imamagent -file imamagent.csr -storetype pkcs12 -keystore imamkeystore.p12

4. Provide the generated imamagent.csr to the certificate authority. When you receive the signed certificate from the certificate authority, proceed to the next step.

5. Process the reply from the certificate authority:

keytool -importcert -alias imamagent -file SignedCertificateFromCa -keystore imamkeystore.p12 -storetype pkcs12

For example:

keytool -importcert -alias imamagent -file imamagent.cer -keystore imamkeystore.p12 -storetype pkcs12
If the certificate authority that you are using is not known to keytool, the command can fail with the following error:

keytool error: java.lang.Exception: Failed to establish chain from reply

If so, you need to import the public certificate of the certificate authority. Contact the certificate authority to obtain the certificate; many post them on their websites. After you have their public certificate, import it as follows:

keytool -importcert -alias ca -file CACertificate -keystore imamkeystore.p12 -storetype pkcs12

After the command completes, process the reply again (step 5). When these steps are completed, a new imamkeystore.p12 file is available in the directory that your Windows command shell is in. This keystore file contains your signed certificate.

Option 2: Generate a new self-signed certificate

1. Run the following commands in a Windows command shell on any client tier:

SET PATH=C:\IBM\InformationServer\ASBNode\apps\jre\bin;%PATH%

keytool -genkeypair -alias imamagent [-keyalg keyalg] [-keysize keysize] [-sigalg sigalg] -storetype pkcs12 -keystore imamkeystore.p12 [-validity validity]

For example:

keytool -genkeypair -alias imamagent -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore imamkeystore.p12 -validity 730

For the keytool command, the values in brackets are optional. Refer to the WebSphere Application Server documentation for the complete list of compatible values that can be specified for the keytool command.

2. Enter the information that you want in the certificate when prompted. A new file called imamkeystore.p12 is then created in the directory that your Windows command shell is in.

Option 3: Use the certificate in the keystore in WebSphere Application Server

If you want WebSphere Application Server and Apache Tomcat to use the same certificate for communication in both directions, use this option. These steps assume that the IISKeyStore keystore in WebSphere Application Server has already been updated with the certificate that you want to use for the communication in both directions. If WebSphere is not yet updated, first follow the steps mentioned here and then proceed with the following steps.

1. Open the WebSphere administrative console.

2. Go to Security -> SSL certificate and key management -> Key stores and certificates -> IISKeyStore -> Personal certificates

3. Check the box next to "iiscert", then select Export. The default password for the IISKeyStore is changeit; enter it as the keystore password unless the password has been changed. Enter imamagent as the keystore alias. Select the option to export to a keystore file. Name the file imamkeystore.p12. Select "PKCS12" as the type. Enter a new password for the key file. The exported file is used as the imamkeystore file on the client tier running Apache Tomcat.

Step 2: Update Apache Tomcat on client tier

This procedure describes how to update Apache Tomcat on all of the client machines with a metadata interchange agent installed.

These instructions assume that Information Server is installed at C:\IBM\InformationServer on the client tier. If you installed it in a different directory, then you need to adjust the directory names for your environment.

This procedure assumes that the existing imamkeystore.p12 file has not been modified since InfoSphere Information Server was installed. If extra keys were added to the file, they must be added to the new file again after this procedure is complete.

2.1. Open a Windows command shell and set up your environment for modifying the keystore by running the following commands:

cd C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf
SET PATH=C:\IBM\InformationServer\ASBNode\apps\jre\bin;%PATH%

2.2. Verify that the certificate "imamagent" is the only one present in imamkeystore.p12 and that the password for imamkeystore.p12 is still the default, changeit. Run the following command:

keytool -list -keystore imamkeystore.p12 -storetype pkcs12

The output looks like the following. Verify that there is only one entry, named imamagent:

Keystore type: pkcs12
Keystore provider: IBMJCE

Your keystore contains 1 entry

imamagent, mmm dd, yyyy, keyEntry,
Certificate fingerprint (MD5): B6:A9:89:AE:21:08:B1:A3:7A:6D:8B:8E:BF:B8:BC:86

If this procedure has been completed before, there can also be a "ca" entry, such as:

ca, mmm dd, yyyy, trustedCertEntry,
Certificate fingerprint (MD5): 10:67:7B:69:1E:D5:00:85:68:B9:9C:E8:6F:CE:9F:45

The additional "ca" entry can be ignored. Any other entries will not be present in your new imamkeystore.p12 keystore; if you need them, export them and add them to your new imamkeystore.p12 file.
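The check in step 2.2 is easy to get wrong by eye when a keystore has collected entries over time. The following script is an added example, not IBM's own code: it parses the text that keytool -list prints (paste it in, or pipe it on stdin) and reports whether "imamagent" is present as a key entry and which other aliases would be lost when the keystore is replaced. The listing embedded as SAMPLE_LISTING is constructed; the imamagent and ca fingerprints are the ones shown above, and the third entry is invented to give the check something to flag. The date format in keytool's entry lines is locale dependent, so the parser does not interpret it.

```python
"""Check the output of `keytool -list` for the expected imamkeystore.p12 entries.

Added example, not IBM's own code. The script does not call keytool itself;
feed it the listing text. SAMPLE_LISTING is a constructed listing with one
extra key entry so that the check has something to report.
"""
import re
import sys

# Constructed sample of `keytool -list -keystore imamkeystore.p12 -storetype pkcs12`.
# The imamagent and ca fingerprints are the ones shown in the procedure; the
# third entry is invented to represent a key someone added after installation.
SAMPLE_LISTING = """\
Keystore type: pkcs12
Keystore provider: IBMJCE

Your keystore contains 3 entries

imamagent, Jan 12, 2021, keyEntry,
Certificate fingerprint (MD5): B6:A9:89:AE:21:08:B1:A3:7A:6D:8B:8E:BF:B8:BC:86
ca, Jan 12, 2021, trustedCertEntry,
Certificate fingerprint (MD5): 10:67:7B:69:1E:D5:00:85:68:B9:9C:E8:6F:CE:9F:45
bridgeextra, Mar 3, 2021, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# Entry lines look like "<alias>, <date>, <kind>,". IBM JREs print keyEntry;
# OpenJDK/Oracle JREs print PrivateKeyEntry for the same kind of entry.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+?), (?P<kind>keyEntry|PrivateKeyEntry|trustedCertEntry),?\s*$"
)
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>\w+)\): (?P<fp>[0-9A-Fa-f:]+)$")


def parse_listing(text):
    """Return {alias: {"kind", "date", "fingerprint"}} for every entry in the listing."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            kind = "keyEntry" if m.group("kind") == "PrivateKeyEntry" else m.group("kind")
            current = m.group("alias")
            entries[current] = {"kind": kind, "date": m.group("date"), "fingerprint": None}
            continue
        m = FP_RE.match(line)
        if m and current is not None:
            # The fingerprint line follows its entry line, so attach it to that alias.
            entries[current]["fingerprint"] = m.group("fp").upper()
    return entries


def check_keystore(entries, expected_alias="imamagent", ignorable=("ca",)):
    """Return (ok, extra_aliases).

    ok is True only when expected_alias is present as a key entry.
    extra_aliases lists every alias that is neither expected_alias nor an
    ignorable trusted-certificate entry; those entries will not exist in the
    replacement keystore and must be exported before it is swapped in.
    """
    ok = entries.get(expected_alias, {}).get("kind") == "keyEntry"
    extra = sorted(
        alias for alias, entry in entries.items()
        if alias != expected_alias
        and not (alias in ignorable and entry["kind"] == "trustedCertEntry")
    )
    return ok, extra


if __name__ == "__main__":
    # Read a real listing from stdin if one is piped in, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    found = parse_listing(text)
    ok, extra = check_keystore(found)
    for alias, entry in found.items():
        print(f"{alias:12} {entry['kind']:18} {entry['fingerprint']}")
    print("imamagent key entry present:", ok)
    if extra:
        print("entries to export before replacing the keystore:", ", ".join(extra))
```

Run it as `keytool -list -keystore imamkeystore.p12 -storetype pkcs12 | python check_listing.py` from the conf directory; with no piped input it evaluates the constructed sample, for which it reports that imamagent is present and that bridgeextra would be lost.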

2.3. Rename imamkeystore.p12 to a temporary file name. This temporary file serves as a backup and can be deleted once you are sure that this procedure was successful. Run:

rename imamkeystore.p12 imamkeystore_old.p12

2.4. Copy the imamkeystore.p12 file you created previously into the following directory,
C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf

2.5. If you set a keystore password for imamkeystore.p12 other than the default, changeit, you need to update the Tomcat server.xml with the new password. The steps are as follows:

2.5.1. Open a Windows command shell and run the following command to encrypt the new keystore password:

C:\IBM\InformationServer\ASBNode\bin\encrypt.bat

For example, the password imam is encrypted to {iisenc}cnILiNhvTEKhQwtEwhZmUQ==

2.5.2. Edit the following file:

C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\server.xml

2.5.3. Locate the connector for the metadata interchange agent in the server.xml file. The default is as follows:
<Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keyAlias="imamagent"
keystoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\imamkeystore.p12"
keystorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
keystoreType="pkcs12"
truststoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\imamtruststore.p12"
truststorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
truststoreType="pkcs12" 
encrypted="true"/>
2.5.4. Replace the value of the keystorePass attribute in the Connector with your newly encrypted password for imamkeystore.p12. Verify that the quotation marks around the password are still present and that the value starts with {iisenc}.

For example:

<Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="true"
sslProtocol="TLS"
keyAlias="imamagent"
keystoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\imamkeystore.p12"
keystorePass="{iisenc}cnILiNhvTEKhQwtEwhZmUQ=="
keystoreType="pkcs12"
truststoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\imamtruststore.p12"
truststorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
truststoreType="pkcs12"
encrypted="true"/>

The keystore password is now {iisenc}cnILiNhvTEKhQwtEwhZmUQ==.
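Because Tomcat only reports a bad keystore password at startup, it is worth checking the edited Connector before restarting the service. The following script is an added example, not IBM's or Apache Tomcat's code. It parses a server.xml, finds the Connector with keyAlias="imamagent", and verifies the attributes this procedure touches: with encrypted="true", both keystorePass and truststorePass must be complete {iisenc} tokens followed by well-formed base64, both store types must be pkcs12, and keystoreFile must point at imamkeystore.p12. The two server.xml fragments are constructed; BAD_SERVER_XML drops the leading "{" of the keystore password, the easiest slip to make when copying the value from encrypt.bat.

```python
"""Validate the metadata interchange agent Connector in a Tomcat server.xml.

Added example, not IBM's or Apache Tomcat's code. Checks the attributes this
procedure edits. The server.xml fragments below are constructed for the example.
"""
import base64
import re
import xml.etree.ElementTree as ET

# A constructed server.xml containing only the connector this procedure cares about.
GOOD_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="true" sslProtocol="TLS"
      keyAlias="imamagent"
      keystoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\imamkeystore.p12"
      keystorePass="{iisenc}cnILiNhvTEKhQwtEwhZmUQ=="
      keystoreType="pkcs12"
      truststoreFile="C:\IBM\InformationServer\Clients\MetaBrokersAndBridges\web\conf\imamtruststore.p12"
      truststorePass="{iisenc}cNvTqnua8+MHKKem3qkERw=="
      truststoreType="pkcs12"
      encrypted="true"/>
  </Service>
</Server>
"""

# The same file with the opening brace of keystorePass missing (constructed defect).
BAD_SERVER_XML = GOOD_SERVER_XML.replace('keystorePass="{iisenc}', 'keystorePass="iisenc}')

IISENC_RE = re.compile(r"^\{iisenc\}([A-Za-z0-9+/]+={0,2})$")


def is_valid_iisenc(value):
    """True when value is '{iisenc}' followed by well-formed base64 text."""
    m = IISENC_RE.match(value or "")
    if not m:
        return False
    try:
        base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def check_connector(server_xml, key_alias="imamagent"):
    """Return a list of problems for the Connector whose keyAlias matches.

    An empty list means every check passed. Exactly one matching Connector is
    expected; anything else is reported as a problem.
    """
    root = ET.fromstring(server_xml)
    matches = [c for c in root.iter("Connector") if c.get("keyAlias") == key_alias]
    if len(matches) != 1:
        return [f"expected one Connector with keyAlias={key_alias!r}, found {len(matches)}"]
    conn = matches[0]
    problems = []
    if conn.get("SSLEnabled") != "true" or conn.get("scheme") != "https":
        problems.append("connector is not SSL-enabled (check SSLEnabled and scheme)")
    for store in ("keystore", "truststore"):
        if conn.get(f"{store}Type") != "pkcs12":
            problems.append(f"{store}Type is not pkcs12")
    if not (conn.get("keystoreFile") or "").lower().endswith("imamkeystore.p12"):
        problems.append("keystoreFile does not point at imamkeystore.p12")
    encrypted = conn.get("encrypted") == "true"
    for attr in ("keystorePass", "truststorePass"):
        value = conn.get(attr, "")
        if encrypted and not is_valid_iisenc(value):
            problems.append(f"{attr} is not a complete {{iisenc}} token: {value!r}")
        elif not encrypted and value.startswith("{iisenc}"):
            problems.append(f'{attr} is an {{iisenc}} token but encrypted="true" is not set')
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        print(label, check_connector(xml_text) or "OK")
```

To check a real file, read it and pass the text to check_connector; the function deliberately does not decrypt the {iisenc} value, it only confirms the token is shaped the way encrypt.bat produces it.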

2.6. Restart the IBM InfoSphere metadata integration bridges Windows service. From the Windows Start menu, go to Control Panel -> Administrative Tools -> Services. Right-click the service named "IBM InfoSphere metadata integration bridges" and select Restart.

Now, go to step 4.

Step 3: Create a new InfoSphere metadata asset manager keystore on IBM WebSphere Application Liberty profile

Use the link and complete the actions described in procedures 1 and 2.

Step 4: Update WebSphere Application Server

Import the new certificate into WebSphere as follows:

4.1. Go to the WebSphere administrative console, http://ServicesTierHost:9060/ibm/console

4.2. Select Security -> SSL certificate and key management -> Key stores and certificates -> IISTrustStore -> Signer certificates

4.3. Make a backup copy of the existing certificate. To do so, select the "imamagent" certificate, then choose Extract. Select a location on the file system for the backup (for example, C:\temp\imamagent_old.cer), then select OK.
4.4. Select the "imamagent" certificate -> Delete -> Save.
4.5. Select "Retrieve from port". Enter the host name and port number of any metadata interchange agent (19443 is the default port number). Choose "IISSSLConfiguration" as the outbound connection and enter "imamagent" as the alias. Click "Retrieve signer information", then Apply, and then Save.
4.6. Restart WebSphere Application Server.


Document Information

Modified date:
24 June 2021

UID

swg27022492