Create SSL keystore file (DCAS only)
In order to communicate with a DCAS server, an SSL
connection must be established using client authentication. This requires
you to specify a keystore file. The supported keystore file
types are PKCS12, JKS, or JCEKS (PKCS12 is not supported on Solaris).
To create the keystore file that you specify in the CMPI_DCAS_TRUSTSTORE
parameter, use the Java keytool.
This keystore file must contain the ZIETrans DCAS
client's certificate and the DCAS server's certificate (public key)
information.
Note:
- If you set the CMPI_DCAS_USE_DEFAULT_TRUSTSTORE parameter to true, the JSSE default keystore file is used instead of the keystore file specified by the CMPI_DCAS_TRUSTSTORE parameter, and must contain the ZIETrans DCAS client's certificate and the DCAS server's certificate (public key) information.
- The ZIETrans DCAS client's certificate must also be added/imported to the DCAS server's keystore file for SSL client authentication.
If you already have an older certificate, you can import it. Personal server
certificates that were created with an old system cannot be exported from
the old system and imported into the new one. There is, however, a way to do this:
- Import the existing .kdb file into a new keystore file (PKCS12, JKS, or JCEKS).
- Export the certificate (such as the DCAS personal server certificate) to a .p12 format certificate.
- Import the certificate (.p12 format) into a new keystore file (PKCS12, JKS, or JCEKS).
Figure 1. ZIETrans Certificate Management
To create a new keystore file named ZIETransWelkeys.p12 that
will be specified in the CMPI_DCAS_TRUSTSTORE parameter,
take the following steps:
Note: If the target platform for your ZIETrans application is Solaris, use
a Key database type of either JCEKS or JKS instead of PKCS12 below.
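
The keystore described above (the ZIETrans DCAS client's certificate plus the DCAS server's certificate in one file) can also be built and checked with keytool from the command line. This is an added example, not part of the product documentation: the aliases, the distinguished name, the certificate file arguments and the KS_PASS variable are assumptions, and it generates a self-signed client certificate.

```shell
#!/bin/sh
# Added example. Assumed names: the aliases, the DN, and the KS_PASS variable.
KS="${KS:-ZIETransWelkeys.p12}"   # keystore file named on this page
KS_TYPE="${KS_TYPE:-PKCS12}"      # set to JCEKS or JKS for a Solaris target
CLIENT_ALIAS="zietrans-dcas-client"
SERVER_ALIAS="dcas-server"

# Run keytool against the keystore. The ":env" modifier makes keytool read the
# password from the exported KS_PASS variable instead of the command line.
kt() {
    keytool "$@" -keystore "$KS" -storetype "$KS_TYPE" -storepass:env KS_PASS
}

# Create the client key pair with a self-signed certificate (assumption: a
# CA-issued certificate would be imported here instead).
create_client_key() {
    kt -genkeypair -alias "$CLIENT_ALIAS" -keyalg RSA -keysize 2048 \
       -validity 365 -dname "CN=zietrans-dcas-client-example" \
       -keypass:env KS_PASS
}

# Write the client certificate (public part only) in PEM form to file $1.
# This is the file to add to the DCAS server's keystore.
export_client_cert() {
    kt -exportcert -alias "$CLIENT_ALIAS" -rfc -file "$1"
}

# Import the DCAS server certificate from file $1 as a trusted entry.
# The certificate is printed first so its fingerprint can be compared with
# the value obtained from the DCAS administrator before relying on it.
import_server_cert() {
    keytool -printcert -file "$1" >&2
    kt -importcert -alias "$SERVER_ALIAS" -file "$1" -noprompt
}

# Succeed only if the keystore holds both entries the page requires.
check_keystore() {
    listing=$(kt -list) || return 1
    printf '%s\n' "$listing" | grep -q "^$CLIENT_ALIAS,.*PrivateKeyEntry" &&
    printf '%s\n' "$listing" | grep -q "^$SERVER_ALIAS,.*trustedCertEntry"
}
```

Export KS_PASS first, then call create_client_key, import_server_cert with the DCAS server's certificate file, and check_keystore in that order.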