Creating a keystore and a truststore
You can configure Transport Layer Security (TLS) by modifying or replacing the keystore and truststore, and choosing the certificate alias for your IBM® WebSphere® eXtreme Scale Liberty Deployment (XSLD) cache member group.
Before you begin
- You must be logged in with a user assigned the administrator role to perform these steps.
- Configure the TLS configuration before loading data into the data grid. When you configure TLS, the XSLD cache member group will restart. If any data is loaded when this restart occurs, it is may be discarded. Therefore, configuring the TLS configuration before loading data into the data grid ensures that data is not discarded when each member of the XSLD cache member group is restarted.
- All members of the XSLD cache member group must be updated separately.
About this task
The XSLD cache member group comes configured with a default keystore and truststore. The default truststore includes the signer certificate from the default keystore. Because this certificate is included in every XSLD install, it should be replaced for the TLS configuration to be secure. There are multiple ways and tools to help set up keystore and truststore files, and depending on the tools that are provided with your certificate authority, the specific steps can vary. In this task, you use the keytool in Java™ 8, along with the certificate issuance capabilities of the local certificate authority (CA).
Using chain certificates is suggested because the root CA signs the certificate, which means that you do not have to manually add the signer certificate to the truststore. In your environment, you likely have a root CA and several intermediate CAs. Certificates that are issued by intermediate CAs are typically chained certificates, where the chain points back to the root CA for signing. In this case, you add the certificate of the root CA to the XSLD cache member group truststore. If the certificate that you want to use in the XSLD cache member group keystore is not a chained certificate, then you must take this additional step. For example, the issuer of the certificate that is stored in the XSLD cache member group keystore might be an intermediate CA. In this case, you must add the signer certificate for that intermediate CA to the XSLD cache member group truststore.
You must import the certificates that you add to the XSLD cache member group truststore into the truststore files of any clients of the XSLD cache member group. For example, if a WebSphere Application Server instance acts as a client, then you must add the certificate of the root CA to the WebSphere Application Server truststore, and if you use a non-chained certificate, the signer certificate for the non-chained certificate must be added as well.