Configuring the key databases

To enable the i2 Analyze server to trust the client certificates, you must ensure that the signer of your client certificates is trusted within the i2 Analyze key database. You must also create a copy of the keystore as a truststore that Open Liberty uses.

About this task

If you are using client certificates that are signed by a certificate authority, ensure that the certificate authority that signed the certificates is trusted within the i2 Analyze key database.

You can list the certificate authorities that are trusted within a key database in the IBM Key Management utility. For more information, see Listing certificate authorities.

After you add the certificate to the key database, create a truststore that Open Liberty uses. The truststore is a copy of the i2 Analyze key database.

Procedure

  1. Start the IBM Key Management utility.
    Note: The IBM® Key Management utility uses a GUI or Window Manager. If you do not have a GUI or Window Manager on your system, you can use the command line interface to complete the same actions. For more information about the command line interface, see Key Management utility command-line interface (gskcmd) syntax.
  2. Open the key database that is used for Secure Sockets Layer (SSL) connections. If you followed the instructions to set up the SSL example, the key database file is i2\i2analyze\i2-http-keystore.kdb.
    For more information about opening a key database, see Working with key databases.
  3. Add the certificates to the key database, to ensure that the certificates received from the client are trusted.
    1. In the IBM Key Management utility, with the i2 Analyze key database open, select Signer Certificates from the list in the Key database content pane.
    2. Click Add.
    3. Click Browse, and locate your certificate.
    Note: When you are using a self-signed client certificate, add the self-signed client certificate as a signer certificate. For example, Jenny.der.
  4. The Liberty truststore must contain the certificates to ensure that the certificates received from the client are trusted.
    1. Run the following command to import the required certificate into the truststore. If the truststore does not exist, it is created.:
      keytool -importcert -alias "signerKey" -keystore "C:\i2\i2analyze\i2-liberty-truststore.jks" -file "C:\i2\i2analyze\signer-certificate.der" -storepass "password"
      Note: When you are using a self-signed client certificate, add the self-signed client certificate as a signer certificate. For example, Jenny.der.

Results

The key database contains the signer certificates so that the client certificates can be trusted. The truststore is populated so that Liberty can use it to trust the client certificates.