

How to Create Keystore Files for Using SSL

CA OM Web Viewer uses the CA CAICCI client interface (CCIClient.jar) for communication between the web server and the mainframe. Administrators can use Secure Socket Layer (SSL) to encrypt the CA CAICCI interface communication.

CA OM Web Viewer includes a sample keystore repository whose certificates match the CCISSL server certificates on the mainframe. You can use either the sample certificates or your own certificates to encrypt the CA CAICCI interface communication. To use your own certificates, create a Java keystore (JKS) certificate repository before you configure the CCIClient.

Certificate Formats

You use the Java keytool utility of the Java Runtime Environment (JRE) to create the Java keystore. The utility supports certificates in the following formats:

For more information about the keytool utility, see oracle.com.

If the format of your certificates is not supported, use a tool such as OpenSSL (see openssl.org) to convert them to a supported format.

Create the Java Keystore

To create the keystore, use the Java keytool utility to perform these steps:

Step 1: Locate and Copy the Certificate Files

  1. Locate the certificate files that were used to populate the HFS key database for the CCISSL server on the mainframe. These files may reside in the CCI mainframe USS folder or in some other location. At a minimum, locate the trusted certificate (public key). If you are using client authentication, also locate the client end-user certificate and its password-protected private key.
  2. Copy the certificate files to the system where you want to create the keystore.

Important! If the certificate files are not in a format that the keytool supports, convert them to a supported format.

Step 2: Determine a Password

Determine a password for the Java keystore: the keytool requires a minimum length of 6 characters.

If you are using a client end-user certificate with a private key, use its password. The JKS password must match the private key password.

Step 3: Create the Java Keystore File and Import the Trusted Certificate

  1. Delete the existing cci.jks file. This procedure creates a replacement file.
  2. Open a command prompt or console.
  3. Import the trusted certificate file using the following command:
    keytool -importcert -file path/pem-file -keystore path/cci.jks
    
  4. When prompted, enter the keystore password.

    Note: For a client end user certificate, the CCIClient requires that the keystore and private key passwords match.

  5. When prompted, confirm that you trust this certificate.

Step 4: Add the Client End User Certificate to the Keystore (Optional)

If you intend to use a client end user certificate for client authentication, add it to the Keystore.

  1. Open a command prompt or console.
  2. Import the client end user certificate file using the following command:
    keytool -v -importkeystore -srckeystore cci.p12 -srcstoretype PKCS12 -destkeystore cci.jks -deststoretype JKS
    
  3. When prompted, enter the destination keystore password (the cci.jks keystore file password).
  4. When prompted, enter the source keystore password (the PKCS#12 file password, also the client end user certificate private key password).

    Note: The CCIClient requires that the destination keystore and source keystore passwords match.
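The four steps above, carried out end to end as an added example (this script is not part of the CA OM Web Viewer documentation or product): it enforces the two rules the page states before it touches keytool, the 6-character minimum for the keystore password and the CCIClient requirement that the keystore password equal the private-key (PKCS#12) password, converts a DER-encoded trusted certificate to PEM with OpenSSL when needed, replaces cci.jks, imports the trusted certificate, optionally merges the client end-user certificate, and lists the result. It assumes keytool (from the JRE) and openssl are on PATH; the file names cci.jks, trusted-ca.pem and cci.p12, the alias ccissl-trusted and the CCI_* environment variables are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not the product's own code. Builds cci.jks from a trusted CA
# certificate and an optional PKCS#12 client end-user certificate.
# Assumes keytool and openssl are on PATH; file names and alias are placeholders.
set -eu

# Returns 0 when a password meets the keytool minimum length of 6 characters.
password_ok() {
  [ "${#1}" -ge 6 ]
}

# Returns 0 when the keystore and private-key passwords match (CCIClient requirement).
passwords_match() {
  [ "$1" = "$2" ]
}

# Prints "pem" or "der" for a certificate file by looking for the PEM armor header.
cert_format() {
  if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then echo pem; else echo der; fi
}

# Converts a DER certificate ($1) to a PEM file ($2) with OpenSSL, the conversion
# the page describes for certificates in an unsupported format.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Builds the keystore. Arguments: keystore path, trusted certificate, keystore
# password, optional PKCS#12 client certificate, optional private-key password
# (defaults to the keystore password, which is what CCIClient requires anyway).
build_keystore() {
  ks="$1"; trusted="$2"; pw="$3"; p12="${4:-}"; keypw="${5:-$3}"
  password_ok "$pw" || { echo "keystore password shorter than 6 characters" >&2; return 1; }
  passwords_match "$pw" "$keypw" || { echo "keystore and private-key passwords differ" >&2; return 1; }

  rm -f "$ks"   # Step 3.1: the procedure replaces any existing cci.jks
  cert="$trusted"
  if [ "$(cert_format "$trusted")" = "der" ]; then
    der_to_pem "$trusted" "$trusted.pem"; cert="$trusted.pem"
  fi
  # Step 3.3-3.5: import the trusted certificate (-noprompt answers the trust question)
  keytool -importcert -noprompt -alias ccissl-trusted \
    -file "$cert" -keystore "$ks" -storepass "$pw"
  # Step 4: merge the client end-user certificate and its private key
  if [ -n "$p12" ]; then
    keytool -v -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
      -srcstorepass "$keypw" -destkeystore "$ks" -deststoretype JKS -deststorepass "$pw"
  fi
  # Show what ended up in the keystore so the entries can be checked by eye
  keytool -list -keystore "$ks" -storepass "$pw"
}

# Only run the procedure when explicitly asked, so the functions can be sourced.
if [ "${CCI_BUILD:-0}" = "1" ]; then
  build_keystore cci.jks trusted-ca.pem "$CCI_STOREPASS" "${CCI_P12:-}" "${CCI_KEYPASS:-$CCI_STOREPASS}"
fi
```

Run it as `CCI_BUILD=1 CCI_STOREPASS='...' CCI_P12=cci.p12 sh build-cci-jks.sh`; omit CCI_P12 when no client authentication is used. The password checks run before the old cci.jks is deleted, so a mismatch between the PKCS#12 and keystore passwords is caught without leaving you with no keystore at all.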