Viewing and setting keystore and truststore runtime properties at integration server level

Configure an integration server to refer to a keystore, a truststore, or both. You must complete this configuration before you deploy any message flows that require SSL connections, or policy sets or bindings for signature, encryption, or X.509 authentication. You must also complete this configuration before you enable services that use SSL connections, such as IBM® Cloud reporting services.

About this task

An integration server is a named grouping of message flows. You can configure integration servers to be associated with an integration node that looks after them, or to run independently of an integration node. For more information about integration servers, see Integration servers and integration nodes.

For integration servers that are managed by an integration node, the integration server keystore and truststore runtime property values override equivalent property values on the integration node, if any are set.

Keystores can contain two kinds of entries: key entries and trusted certificate entries. If a keystore is used to contain trusted certificates, it is typically referred to as a truststore. IBM App Connect Enterprise can refer to a keystore and a truststore per integration server. When the integration node or integration server is encrypting or decrypting, it uses entries in its keystore. If the integration node or integration server is verifying a signature or performing X.509 authentication, it uses entries in its truststore.

Displaying integration server level properties

About this task

Integration servers that are managed by integration nodes:

To display the properties of an integration server that is managed by an integration node, run the command:

mqsireportproperties integrationNodeName -o ComIbmJVMManager -a -e integration_server

Independent integration servers:

To display the properties of an independent integration server, view the <work directory>/server.conf.yaml configuration file.

Updating the integration server reference to a keystore

About this task

Integration servers that are managed by integration nodes:

To update the reference to a keystore for an integration server that is managed by an integration node, use the following command:

mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n keystoreFile -v c:\keystore\server.keystore

where c:\keystore\server.keystore is the fully qualified path to the Java™ keystore (JKS) that contains the private certificates that are used by the integration server.

Independent integration servers:

To update the reference to a keystore for an independent integration server, edit the <work directory>/server.conf.yaml configuration file.

ResourceManagers:
  JVM:
    keystoreFile: 'c:\keystore\server.keystore' # JVM location of the key store

where c:\keystore\server.keystore is the fully qualified path to the Java keystore (JKS) that contains the private certificates that are used by the integration server.

Updating the integration server reference to a truststore

About this task

Integration servers that are managed by integration nodes:

To update the reference to a truststore for an integration server that is managed by an integration node, use the following command:

mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n truststoreFile -v c:\truststore\server.truststore

where c:\truststore\server.truststore is the fully qualified path to the Java truststore. The Java truststore contains the public certificates that are required by the integration server to establish trust with the services that it connects to.

Independent integration servers:

To update the reference to a truststore for an independent integration server, edit the <work directory>/server.conf.yaml configuration file.

ResourceManagers:
  JVM:
    truststoreFile: 'c:\truststore\server.truststore' # JVM location of the trust store

where c:\truststore\server.truststore is the fully qualified path to the Java truststore. The Java truststore contains the public certificates that are required by the integration server to establish trust with the services that it connects to.

Updating the keystore and truststore passwords

About this task

Integration servers that are managed by integration nodes:

To update the keystore and truststore passwords for an integration server that is managed by an integration node, use the same commands that are used for setting keystore and truststore runtime properties at integration node level.

To use the default integration node password for the keystore, the keystorePass parameter must be blank, or it must be set to brokerKeystore::password. To use a password other than the default integration node password, use the following commands:

mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n keystorePass -v integration_server::keystorePass

mqsisetdbparms integrationNodeName -n integration_server::keystorePass -u na -p password

To use the default integration node password for the truststore, the truststorePass parameter must be blank, or it must be set to brokerTruststore::password. To use a password other than the default integration node password, use the following commands:

mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n truststorePass -v integration_server::truststorePass

mqsisetdbparms integrationNodeName -n integration_server::truststorePass -u na -p password

Independent integration servers:

To update the keystore password for an independent integration server, edit the <work directory>/server.conf.yaml configuration file.

ResourceManagers:
  JVM:
    #keystorePass: 'keyStorePassword'                # JVM resource alias containing the key store password

To update the truststore password for an independent integration server, edit the <work directory>/server.conf.yaml configuration file.

ResourceManagers:
  JVM:
    #truststorePass: 'TrustStorePassword'                # JVM resource alias containing the trust store password
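
The following check is an added example, not IBM code: it reads the text of a server.conf.yaml file and reports which of the four JVM properties described on this page are set, commented out, or missing, and whether each store path is fully qualified. The function names and the sample file are constructed for illustration, and the reader is a small line-based one that assumes the ResourceManagers and JVM layout shown above rather than a full YAML parser.

```python
import ntpath
import posixpath
import re

# The four JVM properties this page sets under ResourceManagers -> JVM.
PROPS = ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass")
LINE = re.compile(r"^(\s*)(#\s*)?([A-Za-z_]\w*):\s*(.*)$")
# Constructed sample for the demonstration, not taken from a real server.
SAMPLE = r"""
ResourceManagers:
  JVM:
    keystoreFile: 'c:\keystore\server.keystore'   # JVM location of the key store
    #keystorePass: 'keyStorePassword'             # password alias, still commented out
    truststoreFile: 'server.truststore'           # relative path, reported below
"""

def _value(raw):
    """Drop a trailing comment and the quotes (assumes no ' #' inside the value)."""
    return raw.split(" #", 1)[0].strip().strip("'\"")

def jvm_store_settings(yaml_text):
    """Map each property to (state, value); state is set, commented or missing."""
    found = {p: ("missing", None) for p in PROPS}
    stack = []  # (indent, key) of the enclosing uncommented mapping keys
    for m in filter(None, map(LINE.match, yaml_text.splitlines())):
        indent, commented, key, raw = len(m[1]), bool(m[2]), m[3], m[4].strip()
        parents = [(i, k) for i, k in stack if i < indent]
        if not raw or raw.startswith("#"):  # a mapping key such as "JVM:"
            if not commented:
                stack = parents + [(indent, key)]
        elif [k for _, k in parents] == ["ResourceManagers", "JVM"] and key in PROPS:
            if not commented or found[key][0] == "missing":
                found[key] = ("commented" if commented else "set", _value(raw))
    return found

def review_items(yaml_text):
    """List properties that are unset or whose store path is not fully qualified."""
    items = []
    for prop, (state, value) in jvm_store_settings(yaml_text).items():
        if state != "set":
            items.append(f"{prop}: {state}")
        elif prop.endswith("File") and not (ntpath.isabs(value) or posixpath.isabs(value)):
            items.append(f"{prop}: not a fully qualified path")
    return items

if __name__ == "__main__":
    print("\n".join(review_items(SAMPLE)))
```

To check a real integration server, pass the contents of its <work directory>/server.conf.yaml file to review_items in place of the sample.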

Adding new certificates to a keystore or truststore

About this task

If you add new certificates to a keystore or truststore, to ensure that the new certificates are picked up, you must reload the Java virtual machine (JVM). You can reload the JVM by restarting the integration server.