Setting up security certification and user access

To set up security for a production environment, you must create a keystore. The certificate must be valid for your production environment.

About this task

Every server in your topology needs a keystore that contains a suitable server certificate, or a separate truststore that trusts all other servers. In a test environment, you can create an SSL keystore that contains a self-signed certificate by using the security utility tool, and then copy the keystore file (a .jks file) to the security folder of each server in your topology. In a secure production environment, use the Java™ keystore tools to export the public certificate from the server, and import that certificate into the truststore of the client.

For more information, see Enabling SSL communication for the Liberty profile.

Procedure

  1. Open a command window on a computer where you created a server, and change directory to <InstallDir>/runtime/wlp/bin.
  2. Run the security utility createSSLCertificate command, specifying the name of the server and a password.

    For example, to create a certificate for a cisCatalog server on Windows:

    securityUtility createSSLCertificate --server=cisCatalog --password=myserverpassword --validity=1000 --subject=CN=*.example.com,O=myOrg,C=myCountry

    For example, to create a certificate for a cisCatalog server on Linux:

    ./securityUtility createSSLCertificate --server=cisCatalog --password=myserverpassword --validity=1000 --subject=CN=*.example.com,O=myOrg,C=myCountry

    A key.jks file is created for the server. The keystore file is in the <InstallDir>/runtime/wlp/usr/servers/cisCatalog/resources/security directory.
  3. Confirm that the SSL feature is enabled in all of the server.xml files and add your password to the keystore definition.
    <featureManager> 
       <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}NjEsbjg3Kyw="/>
  4. Copy the key.jks file to the /resources/security folder of each server in your production topology.
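The four steps above, as an added shell example that is not part of the product documentation: it builds the step 2 command, checks each server.xml for step 3, copies key.jks for step 4, and lists the certificate so its subject and expiry can be confirmed before it is distributed. It assumes WLP_HOME points at <InstallDir>/runtime/wlp, that the server names, password and subject are placeholders, and that a JDK keytool is on the PATH for the final function.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Assumptions: WLP_HOME is
# <InstallDir>/runtime/wlp; server names, password and subject are placeholders.

# Step 2: print the securityUtility command for one server, so every server in
# the topology is created with the same subject and validity period.
create_cert_cmd() {
    printf '%s/bin/securityUtility createSSLCertificate --server=%s --password=%s --validity=1000 --subject=%s\n' \
        "${WLP_HOME:-/opt/wlp}" "$1" "$2" "$3"
}

# Step 3 check: server.xml must enable the ssl-1.0 feature and define a keyStore.
# Returns 0 when both are present, 1 if the feature is missing, 2 if the
# keyStore element is missing.
check_server_xml() {
    grep -q '<feature>ssl-1.0</feature>' "$1" || return 1
    grep -q '<keyStore ' "$1" || return 2
    return 0
}

# Step 4: copy key.jks into resources/security of every server directory under
# usr/servers, creating the folder where needed; prints the number of servers updated.
distribute_keystore() {
    src="$1"; servers_dir="$2"; n=0
    for d in "$servers_dir"/*/; do
        [ -d "$d" ] || continue
        mkdir -p "${d}resources/security"
        cp "$src" "${d}resources/security/key.jks"
        n=$((n + 1))
    done
    echo "$n"
}

# Production check: show the certificate owner and validity window held in the
# keystore, so a self-signed test certificate is not copied into production.
show_keystore_cert() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -E 'Owner:|Valid from:'
}
```

The {xor} value shown in step 3 is produced by securityUtility encode and is obfuscation rather than encryption, so restrict file permissions on server.xml accordingly.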