Configuring TLS connection to iBase

Details about the certificates you need to provide for securing the i2 Explore service, and installing the generated certificate.

To configure the TLS connection between the i2 Explore service and the web browser, you will need to provide the CA trust certificate for certificates that are received from the Liberty application server.

You must also obtain a signed certificate for the server where you are deploying i2 Explore for iBase. You will be prompted to provide the certificate and the private key during the installation process.

You can also supply these certificates after the installer has completed. The i2 Explore for iBase services can be started without them, in which case certificates are generated for you. The generated certificates should not be used in production. To replace them with your own certificates, place your certificates in the locations outlined below and run the deploy process.

  • CA trust certificate for certificates that are received from the i2 Explore server: This is the certificate that is used to verify the identity of the i2 Explore server.

    • This certificate will be placed into the following location and renamed to CA.cer:

      • <installation_location>explore-for-ibase/analyze-deployment-tooling/environment-secrets/provided-secrets/certificate/externalCA/CA.cer

  • Signed certificate for i2 Explore host machine: This is the certificate that is used to secure the connection to the i2 Explore service.

    • This certificate will be placed into the following location and renamed to server.cer:

      • <installation_location>explore-for-ibase/analyze-deployment-tooling/environment-secrets/provided-secrets/certificates/<I2ANALYZE_SERVICE_FQDN>/server.cer

  • Private key for i2 Explore host machine: This is the private key that is used to secure the connection to the i2 Explore service.

    • This private key will be placed into the following location and renamed to server.key:

      • <installation_location>explore-for-ibase/analyze-deployment-tooling/environment-secrets/provided-secrets/certificates/<I2ANALYZE_SERVICE_FQDN>/server.key

The certificate generated for the host machine must be created using a host name that exactly matches the value supplied in the I2ANALYZE_SERVICE_FQDN property, so that the certificate contains:

Owner: CN=<I2ANALYZE_SERVICE_FQDN>
SubjectAlternativeName [
  DNSName: <I2ANALYZE_SERVICE_FQDN>
]
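
A pre-deployment check for the files listed above, as an added example that is not part of the original documentation or the product's tooling: it confirms that server.cer carries the expected CN and SAN DNSName, that server.key belongs to it, and that it verifies against CA.cer. It assumes OpenSSL 1.1.1 or later, PEM-encoded files, an unencrypted private key, and a certificate issued directly by the CA in CA.cer; the function name check_tls_material and the host name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not product tooling). Constructed usage:
#   sh check.sh explore.example.test server.cer server.key CA.cer
check_tls_material() {
    fqdn=$1; cert=$2; key=$3; ca=$4; rc=0

    # Subject CN must be exactly the FQDN (the "Owner: CN=..." line).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: subject CN is '$cn', expected '$fqdn'"; rc=1
    fi

    # SubjectAlternativeName must carry a DNS entry equal to the FQDN.
    # Exact string match on purpose: a wildcard entry does not count here.
    if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed -n 's/^ *DNS://p' | grep -Fxq -- "$fqdn"; then
        echo "FAIL: no SAN DNS entry equal to '$fqdn'"; rc=1
    fi

    # server.key must be the private key for the public key in server.cer.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert"; rc=1
    fi

    # server.cer must verify against the CA certificate that clients trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: certificate material is consistent for $fqdn"
    fi
    return "$rc"
}

# Run the check only when the four arguments are supplied.
if [ "$#" -eq 4 ]; then
    check_tls_material "$@"
fi
```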

Installing the generated certificate

If you have not supplied your own certificates, the deployment tooling will generate certificates for you. To access the i2 Explore application, the machine that you are connecting from must trust the certificate that it receives from the Liberty server.

To enable trust, install the <installation_location>explore-for-ibase/analyze-deployment-tooling/environment-secrets/generated-secrets/certificates/externalCA/CA.cer certificate as a trusted root certificate authority in your browser and operating system's certificate store.

For information about installing the certificate, see:

If you are using a Mac and want to access the deployment from a Windows VM, you must install the certificate in your Windows VM.