Configuring Keystore and Truststore Files

You must create and configure keystore and truststore files in IBM® Sterling Control Center Monitor before any connections can be secured. The IBM Sterling Control Center Monitor engine uses the same keystore and truststore files for all secure listeners and client connections.

Before you begin

  • Consult your system security administrator for any site-specific security requirements.
  • Obtain certificates. The IBM Sterling Control Center Monitor engine needs the private key and certificate for the engine. In addition, the engine needs the CA or self-signed certificates for any certificates the engine is to trust. Take one of the following actions:
    • Generate a CSR to obtain the certificate from a third-party certificate authority (CA).
    • Create a self-signed certificate.
  • When you are creating the certificate for the IBM Sterling Control Center Monitor engine, keep in mind that it is also used for the web server. Consider choosing certificates that do not cause common browser security warnings, such as the certificate common name not matching the address of the website.
  • On the computer where the engine is installed, create the keystore file that contains the private key and public certificate for the engine. This file must be in JKS format.
    Important: The passphrase for the certificate and the keystore must be the same.
  • On the computer where the engine is installed, create the truststore file that contains all CA and self-signed certificates you want the engine to trust. This file must be in JKS format.
  • Keep the following important considerations in mind when you are dealing with the truststore file:
    • If you copy the truststore to the default location in Java, installation directory/jre/lib/security/cacerts, it can be overwritten when you upgrade IBM Sterling Control Center Monitor or Java. Use another location to prevent the truststore from being overwritten.
      Important: The default JKS trust file (cacerts) installed with IBM Sterling Control Center Monitor is to be used only in a non-production environment. During upgrade, maintenance, and reinstallation this file is overwritten (or removed, as with uninstallation). If you customize this file and use it as your truststore, all of your updates will be lost. Instead, create a copy of cacerts to store your CA authentication information, and update the directory path.
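
The keystore and truststore described in the list above can be built with the JDK keytool utility; the shell functions below are an added example, not part of the IBM procedure. The alias names, file paths, host name, and the KS_PASS and TS_PASS environment variables are assumptions, and is_jks checks for the JKS magic bytes 0xFEEDFEED.

```shell
#!/bin/sh
# Added example: aliases, paths and host name are hypothetical.
# Passwords are read from environment variables (KS_PASS, TS_PASS) so they
# do not appear on the command line or in the process list.

# is_jks FILE: succeed only if FILE begins with the JKS magic 0xFEEDFEED.
# A PKCS12 file (ASN.1, first byte 0x30) fails this check.
is_jks() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "feedfeed" ]
}

# make_engine_keystore FILE HOST: self-signed key pair for the engine.
# KS_PASS is supplied for both the keystore and the key entry, because the
# two passphrases must be the same. HOST goes into the CN and the SAN so
# browsers do not warn about a name mismatch on the web server.
make_engine_keystore() {
    keytool -genkeypair -alias engine -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2" -ext "SAN=dns:$2" \
        -keystore "$1" -storetype JKS \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# export_engine_cert KEYSTORE OUT: write the public certificate only, as PEM.
export_engine_cert() {
    keytool -exportcert -rfc -alias engine -keystore "$1" -storetype JKS \
        -storepass:env KS_PASS -file "$2"
}

# trust_cert TRUSTSTORE ALIAS CERT: add one CA or self-signed certificate,
# creating the truststore if it does not exist. Refuses the default Java
# location, which an upgrade can overwrite.
trust_cert() {
    case "$1" in
        */jre/lib/security/*)
            echo "refusing default Java location: $1" >&2
            return 1 ;;
    esac
    keytool -importcert -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storetype JKS -storepass:env TS_PASS
}
```

Export KS_PASS and TS_PASS before calling the functions, then run is_jks on both files before entering their paths in configCC.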

Procedure

  1. If necessary, stop the engine.
  2. Use one of the following methods to run the configCC utility:
    • Microsoft Windows: Double-click configCC.bat in installation directory\bin.
    • UNIX: Run the configCC.sh utility from installation directory/bin.
  3. In the keystore and truststore configuration section of configCC, specify the keystore location and password, and the truststore location and password.
  4. Perform any additional steps in configCC.
  5. Restart the IBM Sterling Control Center Monitor engine.