Creating the HTTP server key database and certificate

The HTTP server stores its associated certificates in a key database. You must create and populate a key database for the HTTP server to use. In a test environment, you can create a self-signed certificate to demonstrate SSL communication.

In i2 Analyze, SSL connections that involve the HTTP server require a key database that contains a signed certificate. In a production deployment, after you create the key database, you must populate it with a certificate that is signed by a trusted certificate authority. To demonstrate a working configuration, you can create and use a self-signed certificate.

The IBM® Key Management utility uses a GUI or Window Manager. If you do not have a GUI or Window Manager on your system, you can use the command-line interface.
  1. Create a key database.
    For example, run the following command:
    gskcapicmd -keydb -create -db "C:\IBM\i2analyze\i2-http-keystore.kdb" -pw "password" -stash
    • Save a password for the key database to a stash file by using the -stash attribute.
    • Set -db location to the directory that contains the toolkit directory in your deployment.
  2. Create a self-signed certificate.
    For example, run the following command:
    gskcapicmd -cert -create -db "C:\IBM\i2analyze\i2-http-keystore.kdb" -label "httpKey" -dn "CN=hostname" -san_dnsname "hostname" -pw "password" -sigalg sha256 -size 2048
    Important: Set the value of CN and san_dnsname to the fully qualified domain name for host name of the server that hosts the HTTP server. The URL that you use to connect to i2 Analyze must use the same value for the host name as the value of the CN. The password is the one that you saved to the stash file in step 1.
  3. Extract the certificate from the key database.
    For example, run the following command:
    gskcapicmd -cert -extract -db "C:\IBM\i2analyze\i2-http-keystore.kdb" -label "httpKey" -target "C:\IBM\i2analyze\i2-http-certificate.cer" -pw "password"

    Set the location of the certificate to the same directory as the key database.

To enable SSL connections to i2® Analyze, the certificate that you added to, or created in, the key database must be installed to be trusted on each client workstation.