SSL keystores for i2 Analyze

To use SSL to secure a connection between components, i2 Analyze requires Java KeyStore (JKS) or Certificate Management System (CMS) key database files depending on the components. The keystore contains the certificate that acts as the identity of the server and the truststore contains a list of certificates that are trusted by a server.

A JKS file is a repository of security certificates that is used in SSL encryption. In WebSphere® Liberty and Solr, a file with extension .jks serves as a keystore.

IBM Global Security Kit (GSKit) is a common component that is used by IBM HTTP Server and Db2 for its cryptographic and SSL capabilities. CMS is the native GSKit key database (keystore) that contains certificates. GSKit stores public and private keys and certificates in a key database. A key database consists of a file with a .kdb extension and up to three other files with .sth, .rdb, and .crl extensions. You must save the key database password to a stash file on your computer.

The following diagram shows where these files are used in the components of i2 Analyze and the connections between them.

Figure: Block diagram of keystore and truststore files used in the components of i2 Analyze.

The environment in which you are deploying i2 Analyze might already contain files that are candidates for use as keystores or truststores. If not, you must create the required files. The files that are required in the sample scenario that is described in the instructions are summarized by component, in the following list.

IBM HTTP Server
To enable SSL connections, the HTTP server requires a CMS key database (*.kdb). The password for this key database must be saved to a stash file. A certificate in the key database identifies the HTTP server and is used when clients connect to i2 Analyze so that they can authenticate the HTTP server. This key database is also used as a truststore to authenticate the certificate that it receives from Liberty.

The i2 Analyze client's truststore, usually located in the operating system or web browser, is used to authenticate the certificate that it receives from the HTTP server.

WebSphere Application Server Liberty
The Liberty server requires a keystore file (*.jks) and a truststore file (*.jks).

A certificate in the keystore identifies the Liberty server and is used to connect to the HTTP server. The HTTP server key database is used to authenticate this certificate when it is received from Liberty.

The certificate in the Liberty truststore is used to authenticate certificates that are received from the database management system keystore and the Solr keystore.

Solr
Each Solr server requires a keystore file (*.jks) and a truststore file (*.jks). Solr requires that all Solr certificates are available in the Solr truststores and the Liberty truststore, so that individual nodes can trust one another, and Liberty can trust the Solr nodes. When you enable ZooKeeper to use SSL, the Solr certificate must also be trusted by the ZooKeeper truststore.

The certificate in the Solr keystore identifies the Solr server and is used to connect to Liberty, and ZooKeeper if it is configured for SSL.

The certificate in the Solr keystore also identifies each Solr node and is used to authenticate secure connections within Solr itself, by using the Solr truststore. The certificate in the Solr truststore is used to authenticate the certificate that is received from the Solr keystore.

ZooKeeper
Each ZooKeeper server requires a keystore file (*.jks) and a truststore file (*.jks). ZooKeeper requires that all ZooKeeper certificates are available in the ZooKeeper truststores and the Liberty truststore, so that the individual servers can trust one another and Liberty can trust the ZooKeeper servers. Additionally, the Solr certificate must be in the ZooKeeper truststore so that ZooKeeper can trust Solr.

The certificate in the ZooKeeper keystore identifies the ZooKeeper server and is used to connect to Liberty.

The certificate in the ZooKeeper keystore also identifies each ZooKeeper server and is used to authenticate secure connections between the servers in the ZooKeeper quorum, by using the ZooKeeper truststore. The certificate in the ZooKeeper truststore is used to authenticate the certificate that is received from the ZooKeeper keystore.

Database management system
To enable SSL connections, the database management system requires a keystore to connect to Liberty. The type of keystore depends on the type of database management system. For more information about SSL in your database management system, see Configuring SSL for a Db2 instance or Configuring SSL for Microsoft SQL Server.

The certificate in the database management system keystore identifies the database management system server and is used to connect to Liberty.
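The trust relationships listed above can be checked before any keystore commands are run. The following added example (not part of the i2 Analyze documentation or product) models which identity certificate must be present in which truststore and reports the gaps in a proposed plan; component names, certificate aliases, and the sample plan are constructed assumptions, and the certificate aliases stand in for the JKS or CMS entries that the real files would hold.

```python
"""Trust-plan check for the i2 Analyze SSL topology described above.

Constructed example: models which identity certificate must be present in
which truststore, then checks a proposed plan for gaps. Component names,
certificate aliases and the sample plan are assumptions, not product values.
"""

# Identity certificate held in each component's keystore (assumed aliases).
KEYSTORE_CERT = {
    "http": "httpserver-cert", "liberty": "liberty-cert", "db": "db2-cert",
    "solr1": "solr1-cert", "solr2": "solr2-cert",
    "zk1": "zk1-cert", "zk2": "zk2-cert", "zk3": "zk3-cert",
}
SOLR = [n for n in KEYSTORE_CERT if n.startswith("solr")]
ZK = [n for n in KEYSTORE_CERT if n.startswith("zk")]

def required_trust():
    """Return {truststore_owner: set(certs)} implied by the connections above."""
    need = {owner: set() for owner in KEYSTORE_CERT}
    need["http"].add(KEYSTORE_CERT["liberty"])      # HTTP Server authenticates Liberty
    need["liberty"].add(KEYSTORE_CERT["db"])        # Liberty authenticates the database
    for s in SOLR:
        need["liberty"].add(KEYSTORE_CERT[s])       # Liberty trusts every Solr node
        for peer in SOLR:
            need[s].add(KEYSTORE_CERT[peer])        # Solr nodes trust one another
        for z in ZK:
            need[z].add(KEYSTORE_CERT[s])           # ZooKeeper trusts Solr (Solr connects in)
    for z in ZK:
        need["liberty"].add(KEYSTORE_CERT[z])       # Liberty trusts every ZooKeeper server
        for peer in ZK:
            need[z].add(KEYSTORE_CERT[peer])        # quorum members trust one another
    return need

def missing_trust(plan):
    """List (truststore_owner, cert) pairs the plan lacks, sorted for stable output."""
    return sorted((owner, cert) for owner, certs in required_trust().items()
                  for cert in certs - set(plan.get(owner, ())))

# Constructed plan with two deliberate gaps: solr2-cert absent from the
# ZooKeeper truststores, and zk3-cert absent from the Liberty truststore.
SAMPLE_PLAN = {
    "http": {"liberty-cert"},
    "liberty": {"db2-cert", "solr1-cert", "solr2-cert", "zk1-cert", "zk2-cert"},
    "solr1": {"solr1-cert", "solr2-cert"}, "solr2": {"solr1-cert", "solr2-cert"},
    "zk1": {"zk1-cert", "zk2-cert", "zk3-cert", "solr1-cert"},
    "zk2": {"zk1-cert", "zk2-cert", "zk3-cert", "solr1-cert"},
    "zk3": {"zk1-cert", "zk2-cert", "zk3-cert", "solr1-cert"},
}

if __name__ == "__main__":
    for owner, cert in missing_trust(SAMPLE_PLAN):
        print(f"{owner} truststore is missing {cert}")
```

Extend KEYSTORE_CERT with the real node names of a deployment and replace SAMPLE_PLAN with the aliases actually imported into each truststore; an empty result means every connection in the diagram has the certificate it needs on the trusting side.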

In the following procedures, example commands are provided for creating the keystores, certificates, and truststores to use with each component of i2 Analyze. The instructions contain details that are based on a single-server deployment example.