When you upgrade the server from version 6.0.1.1 or earlier
to a version later than version 6.0.1.1, you can upgrade the SSL encryption.
About this task
This upgrade is optional, but it strengthens the security
for your server.
Procedure
- Upgrade the HTTPS certificate for the server:
- On the server, open a command-line window to the server_install/opt/tomcat/conf folder,
where server_install is the
server installation folder. The default server installation
directory is /opt/ibm-ucd/server on Linux and C:\Program Files\ibm-ucd\server on Windows.
- Delete the existing certificate with the following command:
keytool -delete
-alias tomcat
-keystore tomcat.keystore
-storepass changeit
Note: Each command in
this example and the following examples must be written on one line.
- Create a certificate with the following command:
keytool -genkey
-alias tomcat
-storepass changeit
-keypass changeit
-keyalg RSA
-sigalg SHA256withRSA
-keysize 2048
-validity 7305
-dname CN=host_name
-keystore tomcat.keystore
For host_name,
use the host name of the server.
- Go to the folder server_install/conf.
- Delete the existing entry in the keystore with the following
command:
keytool -delete
-alias server
-keystore server.keystore
-storepass changeit
- Create an entry in the keystore with the following command:
keytool -genkey
-alias server
-storepass changeit
-keypass changeit
-keyalg RSA
-sigalg SHA256withRSA
-keysize 2048
-validity 7305
-dname CN=host_name
-keystore server.keystore
For host_name,
use the host name of the server.
- For each of your agent relays, upgrade the encryption with
the following steps:
- In a command-line window, go to the relay_install/conf/jms-relay folder,
where relay_install is the
relay installation folder.
- Delete the existing entry in the keystore for the agent
relay with the following command:
keytool -delete
-alias agentrelay
-keystore agentrelay.keystore
-storepass changeit
- Add an entry with the new encryption level with the
following command:
keytool -genkey
-alias agentrelay
-keystore agentrelay.keystore
-storepass changeit
-keypass changeit
-keyalg RSA
-sigalg SHA256withRSA
-keysize 2048
-validity 7305
-dname CN=host_name
For host_name,
use the host name of the server.
- If you are using mutual encryption between servers and
agents, upgrade the encryption on each agent:
- In a command-line window, go to the agent_install/conf/jms-relay folder,
where agent_install is the
agent installation folder.
- Delete the existing entry in the keystore for the agent
with the following command:
keytool -delete
-alias alias
-keystore keystore_file
-storepass changeit
Replace alias with
the alias of the server certificate in the agent keystore and keystore_file with
the keystore file. The default name of the keystore file is ibm-ucd.keystore.
To find the alias, run the following command and look for the alias
name in the output:
keytool -list -v -keystore keystore_file
- Follow the steps in Configuring mutual authentication to add the new server certificate to the agent.
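To confirm that each regenerated entry carries the new settings, the following added example (not part of the original procedure) parses keytool -list -v output and flags any entry that is not SHA256withRSA with an RSA key of at least 2048 bits. It assumes the listing contains the "Signature algorithm name" and "Subject Public Key Algorithm" lines that current JDK keytool versions print; check_listing and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify keystore entries after they are regenerated.
# Reads `keytool -list -v` output on stdin, prints one line per entry, and
# returns 1 if any entry is not SHA256withRSA with an RSA key >= 2048 bits.
check_listing() {
    awk '
        /^Alias name: /                   { alias = $3 }
        /^Signature algorithm name: /     { sig = $4 }
        /^Subject Public Key Algorithm: / {
            bits = $5; sub(/-bit$/, "", bits)
            ok = (sig == "SHA256withRSA" && $6 == "RSA" && bits + 0 >= 2048)
            printf "%s %s %s-bit %s\n", alias, sig, bits, (ok ? "OK" : "WEAK")
            if (!ok) bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: trimmed listing of an entry created with the options above.
sample_upgraded() {
    cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=host_name
Issuer: CN=host_name
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
EOF
}

# Constructed sample: an entry that was not regenerated (values are illustrative).
sample_legacy() {
    cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Owner: CN=host_name
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}

# Real use, from the folder that holds the keystore:
#   keytool -list -v -keystore tomcat.keystore -storepass changeit | check_listing
sample_upgraded | check_listing
sample_legacy | check_listing || echo "regenerate this entry"
```

Run the same check against server.keystore and each agentrelay.keystore; a non-zero exit status means at least one entry still needs to be regenerated.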