The product WebSphere Application Server Network Deployment Liberty Profile is installed in:

/var/apps/wasnd855_lp/ 

The following command was issued from the <instance_root>/bin folder to create a JVM that will become the collective controller:

./server create controller1 

As a result of creating a collective controller using the command:

./collective create controller1 --keystorePassword=secureme 

the following key stores and trust stores are created:

The key store and trust store for the controller JVM itself are created in:

/var/apps/wasnd855_lp/usr/servers/controller1/resources/security 

As seen in the image above, we have the following files:

key.jks (Key Store): A key ring which stores the public and private keys of the JVM.

In the default key.jks file, the server certificate for the controller and the controllerRoot certificate exist.

The key store is assumed to be a JKS keystore called key.jks in the <server home>/resources/security directory. If the file does not exist, the server creates it for you. If the server creates the keystore file, it also creates the certificate inside it. That certificate is self-signed with a validity period of 365 days, the CN value of its subjectDN is the host name of the machine where the server is running, and its signature algorithm is SHA256withRSA.

Note: The certificates that are created by the Liberty server are not intended for production use. They are created as a developer convenience. Certificates that are used in production should be a properly chained certificate that is issued or signed by a trusted certificate authority. If you want to use self-signed certificates with a longer duration or customized subjectDN, one can be created by using the securityUtility createSSLCertificate task.

trust.jks (Trust Store): A key ring which stores the public certificates of other key rings.

The trust store holds SSL certificates that are required for signing verification.

In the default trust.jks file, the member certificate,

ltpa.keys (Key File): LTPA is configured by default when security is enabled for a Liberty server for the first time. The default location of the automatically generated LTPA keys file is ${server.output.dir}/resources/security/ltpa.keys. The LTPA keys are encrypted with a randomly generated key, and a default password of WebAS is initially used to protect the keys. The password is required when importing the LTPA keys into another server. To protect the security of the LTPA keys, you must change the password. When the LTPA keys are exchanged between servers, this password must match across the servers for Single Sign On (SSO) to work.

Collective Key store and Trust stores are created at:

/var/apps/wasnd855_lp/usr/servers/controller1/resources/collective 

Each member within the collective defines its server domain configuration, which consists of the serverIdentity.jks and collectiveTrust.jks files. These files contain the SSL certificates that are necessary to establish secure communications within the collective.

As seen in the image above, the following files are created for a collective controller:

serverIdentity.jks (Key Store): In the default serverIdentity.jks keystore, the controller certificate and the controllerRoot certificate exist.

rootKeys.jks (Key Store for the Certificate Authority): The controllerRoot signer from the rootKeys.jks keystore must be added to every collective member's HTTPS SSL truststore.

The controllerRoot signer and the memberRoot signer from the rootKeys.jks keystore must be added to every collective controller's HTTPS SSL truststore.

collectiveTrust.jks (Trust Store): The default collectiveTrust.jks keystore contains the controllerRoot certificate and the memberRoot certificate.

The server domain SSL configuration can be customized by adding additional trusted certificate entries to the collectiveTrust.jks keystore. All trust is copied when a controller is replicated; therefore, SSL customization should be applied to the initial controller.

collective.uuid: This file contains the unique identifier of the collective.

A summary note on Collective Controllers and Members:

The Liberty collective controller keystores contain the following certificates:

  • In the default serverIdentity.jks keystore: the controller certificate and the controllerRoot certificate
  • In the default collectiveTrust.jks keystore: the controllerRoot certificate and the memberRoot certificate
  • In the default key.jks keystore: the server certificate for the controller and the controllerRoot certificate
  • In the default trust.jks keystore: the memberRoot certificate and the controllerRoot certificate

Summary: Collective Controller keystores and what they contain

File Certificates contained
serverIdentity.jks
  • controller certificate
  • controllerRoot certificate
collectiveTrust.jks
  • controllerRoot certificate
  • memberRoot certificate
key.jks
  • server certificate for Controller
  • controllerRoot certificate
trust.jks
  • memberRoot certificate
  • controllerRoot certificate
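As an added example (not code from this page or from IBM), the following Java program opens the controller keystores summarized above with the standard java.security.KeyStore API, reports each entry's alias, type, self-signed status and remaining validity, and flags any expected entry that is missing. The alias spellings, the rootKeys.jks contents and the use of the same --keystorePassword for every file are assumptions; for a member, substitute the member table.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.*;

// Added example, not Liberty code: audit a controller's keystores against the tables above.
public class CollectiveKeystoreAudit {
    // Expected entries per file (relative to <server>/resources), from the controller summary table.
    // Alias spellings are an assumption; keytool lower-cases aliases, so comparison is case-insensitive.
    static final Map<String, List<String>> EXPECTED = Map.of(
        "collective/serverIdentity.jks", List.of("controller", "controllerRoot"),
        "collective/collectiveTrust.jks", List.of("controllerRoot", "memberRoot"),
        "collective/rootKeys.jks", List.of("controllerRoot", "memberRoot"),
        "security/key.jks", List.of("controllerRoot"),
        "security/trust.jks", List.of("memberRoot", "controllerRoot"));

    // Returns true when every expected alias is present and nothing expires within 30 days.
    static boolean audit(String path, String password, List<String> expected) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        boolean ok = true;
        Set<String> present = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            present.add(alias.toLowerCase());
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c == null) continue;   // secret-key entries carry no certificate
            // Subject == issuer marks a self-signed certificate (the root signers and the default
            // 365-day server certificate that the page says is not intended for production).
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            long daysLeft = ChronoUnit.DAYS.between(Instant.now(), c.getNotAfter().toInstant());
            System.out.printf("%-30s %-15s %-7s self-signed=%-5b %4d days left%n", path, alias,
                ks.isKeyEntry(alias) ? "key" : "trusted", selfSigned, daysLeft);
            if (daysLeft < 30) { System.out.println("  WARNING: " + alias + " expires soon"); ok = false; }
        }
        for (String e : expected) {
            if (!present.contains(e.toLowerCase())) { System.out.println("  MISSING: " + e + " in " + path); ok = false; }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Defaults: the controller path and --keystorePassword from the page; one password for all files is assumed.
        String base = args.length > 0 ? args[0] : "/var/apps/wasnd855_lp/usr/servers/controller1/resources";
        String pw = args.length > 1 ? args[1] : "secureme";
        boolean ok = true;
        for (Map.Entry<String, List<String>> e : EXPECTED.entrySet())
            ok &= audit(base + "/" + e.getKey(), pw, e.getValue());
        System.out.println(ok ? "All keystores match the expected layout" : "Review the findings above");
    }
}
```

Run it with `java CollectiveKeystoreAudit [resources-dir] [password]`; a non-zero count of MISSING or WARNING lines is the cue to add the missing signer or renew the certificate before joining members.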

The Liberty collective member keystores contain the following certificates:

  • In the default serverIdentity.jks keystore: the member certificate and the memberRoot certificate
  • In the default collectiveTrust.jks keystore: the controllerRoot certificate
  • In the default key.jks keystore: the server certificate for the member and the memberRoot certificate
  • In the default trust.jks keystore: the controllerRoot certificate

Summary: Collective Member keystores and what they contain

File Certificates contained
serverIdentity.jks
  • member certificate
  • memberRoot certificate
collectiveTrust.jks
  • controllerRoot certificate
key.jks
  • server certificate for Member
  • memberRoot certificate
trust.jks
  • controllerRoot certificate