Configuring TLS connection to iBase

Details about the certificates you need to provide for securing the i2 Explore service, and installing the generated certificate.

Providing certificates

To configure the TLS connection between the i2 Explore service and the web browser, you need to provide the CA trust certificate for certificates that are received from the Liberty application server.

You must also obtain a signed certificate for the server where you are deploying i2 Explore for iBase.

The i2 Explore for iBase services may be deployed without providing certificates, in which case certificates are generated for you during deployment. You can replace the generated certificates with your own by providing them in the locations outlined below, or via the Secrets tab in the i2 Explore Administration Console and then running deploy. See Deploying the Application.

Important: The generated certificates must not be used in production.

CA trust certificate for certificates that are received from the i2 Explore server: This is the certificate that is used to verify the identity of the i2 Explore server.
- This certificate must be placed into the following location and renamed to CA.cer:
  - <installation_location>/analyze-deployment-tooling/environment-secrets/provided-secrets/certificate/externalCA/CA.cer
Signed certificate for i2 Explore host machine: This is the certificate that is used to secure the connection to the i2 Explore service.
- This certificate must be placed into the following location and renamed to server.cer:
  - <installation_location>/analyze-deployment-tooling/environment-secrets/provided-secrets/certificates/localhost/server.cer
Private key for i2 Explore host machine: This is the private key that is used to secure the connection to the i2 Explore service.
- This private key must be placed into the following location and renamed to server.key:
  - <installation_location>/analyze-deployment-tooling/environment-secrets/provided-secrets/certificates/localhost/server.key

The certificate generated for the host machine must be created using the host name of the machine that matches exactly that supplied in the I2ANALYZE_SERVICE_FQDN property, such that the certificate contains:

Owner: CN=<I2ANALYZE_SERVICE_FQDN>
SubjectAlternativeName [
  DNSName: <I2ANALYZE_SERVICE_FQDN>
]

Installing the generated certificate

If you have not supplied your own certificates, the deployment tooling generates certificates for you. To access the i2 Explore application, the machine that you are connecting from must trust the certificate that it receives from the Liberty server.

To enable trust, install the <installation_location>/analyze-deployment-tooling/environment-secrets/generated-secrets/certificates/externalCA/CA.cer certificate as a trusted root certificate authority in your browser and operating system's certificate store.

For information about installing the certificate, see:

Windows: Install Certificates with the Microsoft Management Console
macOS:
- Add certificates to a keychain using Keychain Access on Mac
- Change the trust settings to Always Trust
Firefox:
- In the settings menu, type View Certificates and open it. Then, click Import and locate the CA.cer file.

Note: If you are using a Mac and want to access the deployment from a Windows VM, you must install the certificate in your Windows VM.