Keystores, truststores, and certificates for i2 Analyze

TLS relies on keys and certificates to establish a secure connection, and then on encryption to protect the traffic that flows over it. The keys and certificates are stored in keystore and truststore files on the client and on each server.

Certificates are exchanged during the handshake that initiates a secure connection, so that each party can establish trust in the other. When a certificate authority (CA) issues a certificate, any client or application that trusts certificates signed by that CA can trust the certificate without knowing the server in advance. A server stores the public key certificate that authenticates it, together with the matching private key, in a keystore file on the server. The certificates of the trusted certificate authorities are stored in the client's truststore file.

The environment where you are deploying i2 Analyze might already have a well-defined certificate process that you can use to obtain certificates and populate the required keystores and truststores.

The following diagram shows where the keystores and truststores are used in the components of i2 Analyze and the connections between them.


Block diagram of keystore and truststore files used in the components of i2 Analyze.

The environment in which you are deploying i2 Analyze might already contain files that are candidates for use as keystores or truststores. If not, you must create the required files.
The files that are required are summarized by component, in the following list. In the list, all certificates are described as being signed by the same certificate authority (CA).

Open Liberty

Each Liberty server requires:

  • Keystore contents:

    • Liberty server private key

    • The personal certificate issued for the Liberty server by the certificate authority

  • Truststore contents:

    • The CA certificate for the signing certificate authority

Solr

Each Solr server requires:

  • Keystore contents:

    • Solr server private key

    • The personal certificate issued for the Solr server by the certificate authority

  • Truststore contents:

    • The CA certificate for the signing certificate authority

ZooKeeper

Each ZooKeeper server requires:

  • Keystore contents:

    • ZooKeeper server private key

    • The personal certificate issued for the ZooKeeper server by the certificate authority

  • Truststore contents:

    • The CA certificate for the signing certificate authority

Database management system

The type of keystore depends on the type of database management system. For more information about TLS in your database management system, see Configuring TLS for a Db2 instance or Configuring TLS for Microsoft SQL Server.

  • Keystore contents:

    • The personal certificate issued for the database management system by the certificate authority
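The list above is a set of files to produce. The script below, added here as an example and not code from the i2 Analyze documentation or the i2 project, produces them with the openssl command line for one signing CA, three component servers (Liberty, Solr, ZooKeeper) and one shared truststore, and then checks each personal certificate against the truststore the way a TLS client would. The CA name, the host names (liberty1.example.internal and so on), the store password and the file layout are assumptions for the demonstration; in a real deployment the environment's certificate process issues the certificates, and only the request, import and check steps apply.

```shell
#!/bin/sh
# Added example, not i2 Analyze code: one PKCS#12 keystore per component
# server (private key + CA-issued personal certificate) and one PKCS#12
# truststore (CA certificate only) from a single signing CA, then the checks
# a client performs. CA name, hosts and password are assumptions. openssl 1.1.1+.
set -eu

WORKDIR=$(mktemp -d)
[ -n "${KEEP_FILES:-}" ] || trap 'rm -rf "$WORKDIR"' EXIT
STORE_PASS=changeit                             # demonstration password only
CA_SUBJ="/CN=Example i2 Analyze Signing CA"     # assumed CA name

# Self-contained OpenSSL config: empty DN section (subjects come from -subj) and CA extensions.
cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME SUBJECT: private CA key and self-signed CA certificate (the environment's CA in practice).
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$1.key" 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 -key "$WORKDIR/$1.key" \
        -config "$WORKDIR/openssl.cnf" -extensions v3_ca -subj "$2" \
        -out "$WORKDIR/$1.pem" 2>/dev/null
}

# make_keystore CA COMPONENT HOST: server key, CSR, CA-signed certificate naming HOST in
# subjectAltName, and a keystore holding exactly the two listed items: key and certificate.
make_keystore() {
    ca=$1; comp=$2; host=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$comp.key" 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/$comp.key" \
        -config "$WORKDIR/openssl.cnf" -subj "/CN=$host" \
        -out "$WORKDIR/$comp.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth, clientAuth' \
        "subjectAltName = DNS:$host" > "$WORKDIR/$comp.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$comp.csr" \
        -CA "$WORKDIR/$ca.pem" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$comp.ext" -out "$WORKDIR/$comp.pem" 2>/dev/null
    openssl pkcs12 -export -name "$comp" -inkey "$WORKDIR/$comp.key" \
        -in "$WORKDIR/$comp.pem" -passout "pass:$STORE_PASS" \
        -out "$WORKDIR/$comp-keystore.p12"
}

# make_truststore CA: truststore with the CA certificate only, no private key.
make_truststore() {
    openssl pkcs12 -export -nokeys -caname "$1" -in "$WORKDIR/$1.pem" \
        -passout "pass:$STORE_PASS" -out "$WORKDIR/truststore.p12"
}

# store_has_private_key STORE: true if the PKCS#12 file holds a private key (keystores must, truststores must not).
store_has_private_key() {
    openssl pkcs12 -in "$1" -nocerts -passin "pass:$STORE_PASS" \
        -passout "pass:$STORE_PASS" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# verify_with_truststore TRUSTSTORE CERT HOST: a client's checks spelled out: take the trusted
# CA certificates out of the store, require CERT to chain to one, then require it to name HOST.
verify_with_truststore() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$STORE_PASS" \
        -out "$WORKDIR/trusted.pem" 2>/dev/null
    openssl verify -CAfile "$WORKDIR/trusted.pem" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -text | grep -q "DNS:$3\$"
}

# Three components from the signing CA, plus a negative case: a certificate for the same
# Liberty host name from a CA the truststore does not contain. A correct name alone earns no trust.
make_ca signing-ca "$CA_SUBJ"
make_keystore signing-ca liberty   liberty1.example.internal
make_keystore signing-ca solr      solr1.example.internal
make_keystore signing-ca zookeeper zk1.example.internal
make_truststore signing-ca
make_ca rogue-ca "/CN=Some Other CA"
make_keystore rogue-ca rogue liberty1.example.internal

for pair in liberty:liberty1.example.internal solr:solr1.example.internal \
            zookeeper:zk1.example.internal; do
    comp=${pair%%:*}; host=${pair#*:}
    store_has_private_key "$WORKDIR/$comp-keystore.p12"
    verify_with_truststore "$WORKDIR/truststore.p12" "$WORKDIR/$comp.pem" "$host"
    echo "$comp: keystore built; certificate for $host accepted by the truststore"
done
if verify_with_truststore "$WORKDIR/truststore.p12" "$WORKDIR/rogue.pem" liberty1.example.internal; then
    echo "rogue certificate was accepted"; exit 1
fi
echo "rogue: right host name, unknown CA, rejected"
```

Run it with sh; set KEEP_FILES=1 to keep the generated directory for inspection. The rogue case at the end is the point of the truststore: the certificate names the right host but chains to a CA the truststore does not hold, so the client rejects it. The same check fails in the other direction if a server's keystore is populated with a certificate from a CA whose certificate was never added to the clients' truststores, which is the usual cause of handshake failures after a certificate renewal.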