Installing a security certificate

Secure communications between the Apache Tomcat application server that hosts the HP adapter and the client that communicates with the adapter by replacing the provided ibm-team certificate with a certificate that belongs to your company. Use the keytool program to create your own self-signed certificate.

About this task

In the HPInstallDir/server/tomcat/conf/server.xml file, Apache Tomcat is configured to read the server certificate ibm-team from the HPInstallDir/server/tomcat/ibm-team-ssl.keystore file. The default keystore password is set to ibm-team. The ibm-team certificate identifies the server as localhost.

To improve security, you delete the ibm-team certificate and generate a new certificate. When you generate the new certificate, you set values that are based on your company information. These values include the fully qualified domain name of the Tomcat server that you are deploying the HP adapter to.

The IBM® JRE that is included with the adapter includes an IBM tool that is useful for managing keystores and certificates on the server. The keytool program is in the HPInstallDir/server/jre/bin/ directory. You use the keytool program to replace the provided certificate on the Apache Tomcat application server.

For more information about the keytool program, see http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

Procedure

  1. Go to the directory where the keystore file is located.
    HPInstallDir/server/tomcat/

    Run the keytool commands from the HPInstallDir/server/tomcat/ directory.

  2. List the certificates in the keystore.
    PathToKeytool/keytool -list -v -keystore ibm-team-ssl.keystore -storepass ibm-team

    This command helps you check the information within a certificate or Java keystore. You can use this information when you diagnose security certificate errors.

  3. Delete the ibm-team certificate.
    PathToKeytool/keytool -delete -alias ibm-team -keystore ibm-team-ssl.keystore -storepass ibm-team
  4. Generate a new certificate in the keystore.
    1. Run this command:
      PathToKeytool/keytool -genkey -keyalg RSA -alias ibm-team -keystore ibm-team-ssl.keystore -storepass ibm-team -validity 360 -keysize 2048
      As the certificate generation process runs, you are prompted to enter information.
    2. The keytool program prompts you for your first and last name. You must enter the fully qualified domain name of the Tomcat server that you are deploying the HP adapter to.
      Warning: The name of the server must match the name that you enter for the certificate, otherwise a security certificate error results when you start the server.
    3. Use your company information to complete the remaining prompts. For the key password prompt, press RETURN to use the same password as the keystore password.

      These values are for information purposes only.

      After you complete the prompts, the ibm-team-ssl.keystore file is changed so that it contains a self-signed certificate that is based on your company information.
  5. If Apache Tomcat was running when you made the previous changes, restart the server. See Starting Apache Tomcat.
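
The warning in step 4 can be checked before you restart the server. The following script is an added example, not part of the original procedure or of the HP adapter: it reads the output of the keytool -list -v command from step 2 and confirms that the certificate under the ibm-team alias names the expected server. The function names, the sample listing, and the host tomcat.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output on stdin and checks that the
# certificate under an alias names the expected host.
# Assumed names: owner_cn, check_cert_cn, sample_listing, tomcat.example.com.

# Print the CN from the Owner: line of the entry for alias $1.
# Limitation: does not handle CN values that contain an escaped comma.
owner_cn() {
    awk -v alias="$1" '
        /^Alias name: / { cur = substr($0, 13) }
        cur == alias && /^Owner: / {
            n = split(substr($0, 8), parts, /, */)
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^CN=/) { print substr(parts[i], 4); exit }
        }'
}

# Return 0 if the CN equals host $2 (case-insensitive), 1 on mismatch,
# 2 if the alias has no entry in the listing.
check_cert_cn() {
    cn=$(owner_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -z "$cn" ]; then
        echo "no certificate found for alias $1" >&2; return 2
    fi
    if [ "$cn" != "$want" ]; then
        echo "certificate CN '$cn' does not match '$want'" >&2; return 1
    fi
    return 0
}

# Constructed sample of a listing; $1 is the CN to place in it.
sample_listing() {
    cat <<EOF
Keystore type: JKS

Alias name: ibm-team
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=$1, OU=IT, O=Example Corp, L=City, ST=State, C=US
Issuer: CN=$1, OU=IT, O=Example Corp, L=City, ST=State, C=US
EOF
}

# Real use, from HPInstallDir/server/tomcat/:
#   PathToKeytool/keytool -list -v -keystore ibm-team-ssl.keystore \
#       -storepass ibm-team | check_cert_cn ibm-team tomcat.example.com
```

A return status of 1 for the ibm-team alias means the certificate still names a different host, such as the localhost identity of the provided certificate.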

What to do next

Set up and deploy the HP adapter web application from Apache Tomcat. See Starting Apache Tomcat.
