Converting default certificates

Procedure to extract and convert default certificates generated in your current version prior to upgrading.

If you are using default certificates, extract and convert them before you start the upgrade. Perform the following steps:

  1. Set the IBM® Workload Scheduler environment, as described in Setting the environment variables.
  2. To ensure the keytool and openssl commands start correctly on all operating systems, browse to the folder where each command is located and launch the commands as follows (specify TWSServerKeyFile.jks with its full path; the locations are listed below):
    cd <TWS_DIR>/JavaExt/jre/jre/bin
    ./keytool -importkeystore -srckeystore TWSServerKeyFile.jks -destkeystore <path_of_extracted_certs>/server.p12 -deststoretype pkcs12
    cd <TWS_DIR>/tmpOpenSSL64/1.1/bin/openssl
    ./openssl pkcs12 -in <path_of_extracted_certs>/server.p12 -out <path_of_extracted_certs>/tls.tot
    The location of the TWSServerKeyFile.jks varies depending on the IBM Workload Scheduler version you have currently installed, as follows:
    versions 9.5 and later
    TWA_DATA_DIR/usr/servers/engineServer/resources/security
    versions 9.4 and earlier
    TWA_home/WAS/TWSProfile/etc
  3. Open the tls.tot file with any text editor.
  4. From the tls.tot file, copy the private key to a new file named tls.key.
    The tls.key file must be structured as follows:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    <private_key>
    -----END ENCRYPTED PRIVATE KEY-----
    
    Note: Press Enter after the END line of each key, so that an empty line follows each key.
  5. From the tls.tot file, copy the public key (the certificate) to a new file named tls.crt.
    The tls.crt file must be structured as follows:
    -----BEGIN CERTIFICATE-----
    <public_key>
    -----END CERTIFICATE-----
    
    Note: Press Enter after the END line of each certificate, so that an empty line follows each certificate.
  6. Copy the contents of the tls.crt file into a new file named ca.crt. If you want to upgrade a dynamic domain manager, also copy the contents of the tls.crt file into another new file named jwt.crt.
  7. Create a file named tls.sth containing the passphrase you specified when creating the .p12 certificate in step 2, encoded in base64 format. To create the tls.sth file, use the following command:
    ./secure -password your_password -base64 e -out <path_of_extracted_certs>/tls.sth
    If you are using a version earlier than 10.x, you can find the secure script in the installation package of the 10.2.2 version you are upgrading to. You can launch the script from one of the following paths:
    master domain manager and agent
    <10.2.2_extracted_image_dir>/TWS/<interp>/Tivoli_LWA_<interp>/TWS/bin
    Dynamic Workload Console
    <10.2.2_extracted_image_dir>/DWC/<interp>/bin
    where
    <interp>
    is the operating system you are installing on
    As an alternative, you can use the following command on UNIX workstations:
    echo -n "passwordToEncode" | base64 >> tls.sth
  8. Browse to the GSKit folder and extract the client certificate from the GSKit keystore by running the following commands, depending on the IBM Workload Scheduler version you have currently installed:
    cd <TWS_DIR>/tmpGSKit64/8/bin
    versions 9.5 and later
    ./gsk8capicmd_64 -cert -extract -db <TWA_DATA_DIR>/ssl/GSKit/TWSClientKeyStore.kdb -stashed -label client -target <path_of_extracted_certs>/client.crt
    versions 9.4 and earlier
    ./gsk8capicmd_64 -cert -extract -db <TWS_DIR>/ssl/GSKit/TWSClientKeyStore.kdb -stashed -label client -target <path_of_extracted_certs>/client.crt
  9. Create a folder named additionalCAs in the folder where you extracted the certificates and move the client.crt file created in step 8 to the additionalCAs folder.
  10. Insert the client.crt in the additionalCAs folder when providing the certificates to the installation script with the sslkeysfolder parameter.
  11. Assign the correct permissions (755) and ownership to the extracted certificates, as follows:
    chmod -R 755 <path_of_extracted_certs>
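The following POSIX shell script is an added example and is not part of the IBM Workload Scheduler documentation or product. It automates steps 3 to 11 for a tls.tot file written by the openssl pkcs12 command in step 2: it copies every PEM block of the right type into tls.key and tls.crt (dropping the "Bag Attributes" lines openssl prints around them, and adding the empty line after each block), derives ca.crt and jwt.crt, writes tls.sth with the UNIX base64 alternative from step 7, places client.crt under additionalCAs and applies the permissions from step 11. The function names, the sample tls.tot content and the passphrase used in the demonstration are constructed for this example; the placeholder base64 bodies are not key or certificate material.

```shell
#!/bin/sh
# Added example, not part of the IBM Workload Scheduler documentation or product.
# Builds the folder later passed with the sslkeysfolder parameter from a tls.tot
# file produced by "openssl pkcs12 -out tls.tot" (step 2 above).
set -e

# Copy every PEM block whose label is $3 (e.g. "CERTIFICATE") from $1 into $2.
# Attribute lines that openssl prints around the blocks are dropped, and an
# empty line is written after each block, as steps 4 and 5 require.
extract_pem_block() {
    src=$1; dst=$2; label=$3
    awk -v l="$label" '
        BEGIN { b = "-----BEGIN " l "-----"; e = "-----END " l "-----" }
        $0 == b { p = 1 }
        p       { print }
        $0 == e { p = 0; print "" }
    ' "$src" > "$dst"
}

# $1 tls.tot, $2 target folder, $3 passphrase chosen for server.p12 in step 2,
# $4 client.crt extracted with gsk8capicmd_64 in step 8 (may be empty).
build_sslkeysfolder() {
    tot=$1; outdir=$2; password=$3; client_crt=$4
    mkdir -p "$outdir/additionalCAs"
    extract_pem_block "$tot" "$outdir/tls.key" "ENCRYPTED PRIVATE KEY"   # step 4
    extract_pem_block "$tot" "$outdir/tls.crt" "CERTIFICATE"             # step 5
    cp "$outdir/tls.crt" "$outdir/ca.crt"      # step 6
    cp "$outdir/tls.crt" "$outdir/jwt.crt"     # step 6, dynamic domain manager only
    # Step 7, UNIX alternative: base64 of the passphrase with no trailing newline
    # encoded. printf replaces "echo -n", which is not portable across shells.
    printf '%s' "$password" | base64 > "$outdir/tls.sth"
    if [ -n "$client_crt" ]; then
        cp "$client_crt" "$outdir/additionalCAs/client.crt"   # steps 9 and 10
    fi
    chmod -R 755 "$outdir"                     # step 11
}

# Check the result: expected files present and non-empty, PEM files end with an
# empty line, the markers are the ones the procedure shows, and tls.sth decodes
# back to the passphrase. Returns 0 on success, 1 on the first problem found.
check_sslkeysfolder() {
    outdir=$1; password=$2
    for f in tls.key tls.crt ca.crt jwt.crt tls.sth additionalCAs/client.crt; do
        [ -s "$outdir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    for f in tls.key tls.crt; do
        [ -z "$(tail -n 1 "$outdir/$f")" ] || { echo "no empty line at end of $f" >&2; return 1; }
    done
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$outdir/tls.key" || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$outdir/tls.crt" || return 1
    [ "$(base64 -d "$outdir/tls.sth")" = "$password" ] || return 1
}

# Constructed stand-in for tls.tot: the attribute lines mimic the layout of
# "openssl pkcs12" output; the base64 bodies are placeholders, not key material.
make_sample_tot() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: server
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGtleQ==
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: server
subject=CN = placeholder
issuer=CN = placeholder
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
EOF
}

# Demonstration in a temporary directory (constructed input, constructed passphrase).
work=$(mktemp -d)
make_sample_tot "$work/tls.tot"
printf 'placeholder client certificate\n' > "$work/client.crt"
build_sslkeysfolder "$work/tls.tot" "$work/certs" "ExamplePassw0rd" "$work/client.crt"
check_sslkeysfolder "$work/certs" "ExamplePassw0rd" && echo "sslkeysfolder ready: $work/certs"
```

Two points worth keeping in mind when you run this against a real tls.tot: if openssl wrote a certificate chain, every CERTIFICATE block lands in tls.crt, each followed by its own empty line, which matches the note in step 5; and tls.sth holds the passphrase merely base64-encoded, not encrypted, so once step 11 makes the folder world-readable the file should be treated with the same care as the passphrase itself.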
You have now extracted and converted your certificates for use with version 10.2.2.
You can now upgrade WebSphere Application Server Liberty, as described in Installing WebSphere Application Server Liberty. When upgrading IBM Workload Scheduler components in the upcoming steps, provide the path to the folder where you extracted the certificates with the sslkeysfolder parameter when running the installation scripts. For more information about the installation scripts, see Reference.