TLS Connections
TLS Certs and Keystores
The following is a complicated dance between our two hosts, Refactor and ADDI. We need to generate our TLS certs.
Create some keystores for stuff. For real, DEX needs this and we're ultimately going to import our root cert from the refactor assistant into this keystore.
As of windows server 2022 and newer, (win11x), the default output from any cmdlet in PowerShell automatically encodes the output as UTF-16E. This causes a problem for the configuration service when it tries to import the certificate chain we will be generating.
To set the output encoding correctly, add the following to the PowerShell profile if you can.
$PSDefaultParameterValues['Out-File:Encoding'] = 'utf8'
Otherwise run that powershell command each time you open a PowerShell instance.
Each server must have a keystore that contains the following entries:
- A
PrivateKeyEntry
of the CA signed certificate. - A
TrustedCertEntry
of the root CA certificate.
It's apparently optional to generate a self-signed key cert. We're going to generate one as while it's best practices to have a key cert signed by a real CA, we don't have a real CA.
This will be our local keystore.
Make sure that D:\certificates
exists as this is where we will store these keys.
It's best to use the FQDN of your ADDI host if you have one. Ours in this example is wca4z2-winaddi.fyre.ibm.com
. However you can also just use the host ip address.
We are adding -validity 3653
to the documented command to extend the certificate expiration to 10 years from the default of 90 days.
keytool -genkeypair -alias "wca4z2-winaddi.fyre.ibm.com" -keyalg RSA -keysize 2048 -dname "cn=wca4z2-winaddi.fyre.ibm.com" -keypass "p@ssw0rd" -keystore "D:\certificates\server_keystore.p12" -storepass "p@ssw0rd" -validity 3653 -storetype PKCS12 -ext BasicConstraints:critical=ca:true -ext san=dns:wca4z2-winaddi.fyre.ibm.com
Now we have a keystore sitting at C:\Users\Administrator.WCA4Z-ADDI\server_keystore.p12
Let's now export the cert
keytool -exportcert -alias "wca4z2-winaddi.fyre.ibm.com" -keystore "D:\certificates\server_keystore.p12" -file "D:\certificates\server_certificate.crt" -storepass "p@ssw0rd"
Now let's re-import the certificate into the keystore under the alias of self-signed-root
keytool -keystore "D:\certificates\server_keystore.p12" -import -file "D:\certificates\server_certificate.crt" -alias "self-signed-root" -storepass "p@ssw0rd"
If you have the DB2 SSL certificate for the cloud instance of DB2, import it into the keystore as well.
keytool -import -trustcacerts -alias "DB2-ssl-cert" -file "D:\certificates\DigiCertGlobalRootCA.crt" -keystore "D:\certificates\server_keystore.p12" -storepass "p@ssw0rd"
In that vein, if you followed the TLS setup here, you should have a root.crt
in /root/certs
.
Create a new file called root.crt
in the D:\certificates
directory on the ADDI host and paste the contents in from /root/certs/root.crt
.
Now import the certificate by running the following command in powershell:
keytool -importcert -alias ad-core-server -keystore "D:\certificates\server_keystore.p12" -storetype PKCS12 -storepass "p@ssw0rd" -file "D:\certificates\root.crt" -storepass p@ssw0rd -ext BasicConstraints:critical=ca:true -ext san=dns:wca4z2-winaddi.fyre.ibm.com
Now let's use OpenSSL to generate the server.key
Open up Cygwin Terminal App
Use the OpenSSL tool from Cygwin to export the certificates in a dedicated location.
To generate the server.key file, run the following command in the Cygwin Terminal App.
openssl pkcs12 -in "D:\certificates\server_keystore.p12" -nocerts -nodes -out "D:\certificates\server.key"
Configuring Certs
Log back into the ADDI host.
If you've followed the above steps, you should have the following files in D:\certificates
on the ADDI host.
Generate the server_certificate.crt
file again, but different in your Powershell window.
$PSDefaultParameterValues['Out-File:Encoding'] = 'utf8'
keytool -list -keystore "D:\certificates\server_keystore.p12" -rfc > "D:\certificates\server_certificate.crt"
Open that server_certificate.crt
in notepad and reset the order of certs. We want the root cert to be at the top.
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: wca4z2-winaddi.fyre.ibm.com
Creation date: Mar 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
<CERT HERE>
-----END CERTIFICATE-----
*******************************************
*******************************************
Alias name: ad-core-server
Creation date: Mar 1, 2024
Entry type: trustedCertEntry
-----BEGIN CERTIFICATE-----
<CERT HERE>
-----END CERTIFICATE-----
*******************************************
*******************************************
Alias name: db2-ssl-cert
Creation date: Mar 1, 2024
Entry type: trustedCertEntry
-----BEGIN CERTIFICATE-----
<CERT HERE>
-----END CERTIFICATE-----
*******************************************
*******************************************
Alias name: self-signed-root
Creation date: Mar 1, 2024
Entry type: trustedCertEntry
-----BEGIN CERTIFICATE-----
<CERT HERE>
-----END CERTIFICATE-----
*******************************************
*******************************************
The root CA certificate or the self-signed certificate must be installed into the local machine's trusted root certificate authorities. These certs should be the server_certificate.crt
and root.crt
. Also the DB2 SSL cert if you received one. These certs should all be in the C:\certificates
directory since that's where we've been putting them.
- On Windows:
- Right-click the certificate and then click Install Certificate.
- Select Local Machine and click Next.
- Select Place all certificates in the following store.
- Click Browse... and select Trusted Root Certificate Authorities.
- Click OK and then Next.
- Click Finish to complete the certificate import wizard.
Import the certificate to Java runtime keystore
To import the certificate to Java runtime keystore, complete the following steps:
- Open a Command Prompt (on Windows) or a Terminal (on Linux) and go to the folder containing the newly prepared
server_keystore.p12
. This would beC:\certificates
. - Execute the following command to import all certificates from server_keystore.p12 to the Java's cacerts keystore.
Run this in a regular dos shell. Powershell will not have the JAVA_HOME env set correctly.
keytool -importkeystore -srckeystore "D:\certificates\server_keystore.p12" -srcstorepass "p@ssw0rd" -destkeystore "%JAVA_HOME%\lib\security\cacerts" -deststorepass "changeit"
The default cacerts password is changeit
.
WIll probably have to repeat when we have a cert for the db2 instance
From the ADDI Dashboard, restart the Configuration service.
https://localhost:9443/ad/admin/dashboard
In powershell on the ADDI host, export the zookeeper.crt from the keystore.
keytool -exportcert -alias "wca4z2-winaddi.fyre.ibm.com" -keystore "D:\certificates\server_keystore.p12" -rfc -file "D:\certificates\zookeeper.crt" -storepass "p@ssw0rd" -ext BasicConstraints:critical=ca:true -ext san=dns:wca4z2-winaddi.fyre.ibm.com
On the RA host, create the zookeeper.crt
file in /etc/pki/ca-trust/source/anchors
and copy the contents of zookeeper.crt
into it.
Then run the following command on the Refactor host
update-ca-trust extract
Create the following symlinks
ln -s /etc/pki/ca-trust/source/anchors/zookeeper.crt /root/certs/ad.crt
ln -s /etc/pki/ca-trust/source/anchors/zookeeper.crt /root/certs/dex.crt
ln -s /etc/pki/ca-trust/source/anchors/zookeeper.crt /root/certs/zookeeper.crt
DEX Server configuration
Let's generate a hashed SHA256 password on the linux refactor host
htpasswd -nbBC 10 addi_user p@ssw0rd
addi_user:$2y$10$vAk2SLjHIU2x2dNuzwDxDuq6TwdnLK1XeO8OCzxNqXK3yv3ObYfIy
On the ADDI host, open the dex.yaml
file:
C:\Program Files\IBM Application Discovery and Delivery Intelligence\Authentication Server (DEX)\conf\dex.yaml
The cert paths will be updated when the certs are imported into ADDI.
- Our
issuer
should be either the FQDN or the IP of the ADDI host - The
redirectURIs:
should point to the ip of the Refactor server. staticPasswords.hash
should be the generated bcrypt password from above
dex.yaml
issuer: https://wca4z2-winaddi.fyre.ibm.com:7600/dex
storage:
type: sqlite3
config:
file: dex.db
frontend:
theme: addi
web:
TLSCert: conf/server_certificate.crt
TLSKey: conf/server.key
https: 0.0.0.0:7600
connectors: []
enablePasswordDB: true
staticClients:
- id: refactoring-assistant
redirectURIs:
- https://9.66.242.37:9443
name: Refactoring Assistant
secret: pkce
staticPasswords:
- email: addi_user@ibm.com
hash: $2y$10$vAk2SLjHIU2x2dNuzwDxDuq6TwdnLK1XeO8OCzxNqXK3yv3ObYfIy
username: addi_user
userID: null
Open the admin dashboard and click Configure at the top https://localhost:9443/ad/admin/dashboard
Click on the Default env
Go to Servers and Security
Select Security from the choices on the left and then select HTTPS as the protocol type
At the bottom go to "Drag and Drop files here..." and upload the following files from D:\certificates
server_keystore.p12
server_certificate.crt
server.key
Set the password to p@ssw0rd
.
Successful import should look like this
Restart the IBM Application Discovery Configuration Service from the Dashboard.