52.2 Creating a Keystore and Certificate Signing Request

A keystore is a Java keystore (.jks) file that contains encryption keys and, optionally, security certificates. To create a keystore, use the Java Keytool utility included in the JRE: you create the .jks file and generate a key pair and certificate into it. Each certificate is associated with a unique alias. You place the keystore in the conf directory of the application server that hosts the identity applications and Identity Reporting.

  1. In a command prompt, navigate to the conf directory of the application server installation where you have deployed the identity applications. For example, /opt/netiq/idm/apps/tomcat/conf.

    The tomcat/conf path is the default for the identity applications installed on Tomcat. The path can vary, depending on how you installed the application and Tomcat.

  2. Set the environment path for creating the keystore using the following command:

    cd /opt/netiq/idm/apps/tomcat/conf
    export PATH=/opt/netiq/idm/jre/bin:$PATH
  3. Create the keystore using the following command:

    keytool -genkey -alias keystore_name -keyalg RSA -keystore keystore_name.keystore -validity 3650 -keysize 2048

    For example:

    keytool -genkey -alias IDMkey -keyalg RSA -keystore IDMkey.keystore -validity 3650 -keysize 2048
  4. At the prompt, specify the parameter values according to the following considerations:

    • For first and last name, specify the fully qualified name of the server. For example:

      MyTomcatServer.NetIQ.com
    • Use correct spelling. If you spell any words incorrectly, you will see errors when you generate your signed certificate from the signing authority.

  5. (Optional) Create a simple text file to save a copy of the information that you provide for the parameter values.

    Saving this information helps ensure that you supply the same information when you apply to the signing authority and when you import your certificate.

  6. Copy the keystore file to the tomcat/conf directory for each application server instance where you have deployed Identity Manager components and SSPR.

  7. To generate the CA certificate request, complete the following steps:

    1. In the conf directory, create a simple text file named your_request.csr. For example, IDMcertrequest.csr.

    2. Run the following command:

      keytool -certreq -v -alias keystore_name -file your_request.csr -keypass keystore_password -keystore keystore_name.keystore -storepass your_password

      For example,

      keytool -certreq -v -alias IDMkey -file IDMcertrequest.csr -keypass IDMkeypass -keystore IDMkey.keystore -storepass IDMpass

      When you run the command, the Keytool utility populates the .csr file with the appropriate data for requesting a certificate.

  8. (Conditional) To obtain a signed certificate, submit the .csr file to a valid Certificate Authority.

  9. Copy the certificate to the configuration directory of your application server.

    For example, /opt/netiq/idm/apps/tomcat/conf.

  10. Stop Tomcat.
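The following script is an added example, not part of the original documentation, that runs steps 2 through 7 non-interactively so the subject name and alias are recorded in the script rather than typed at prompts. It assumes keytool is on PATH; the alias, passwords, hostname and distinguished-name values are constructed placeholders. It uses -genkeypair (the current name for -genkey), adds a Subject Alternative Name, and checks that the alias exists in the keystore before requesting the CSR, which catches the alias-versus-filename mix-up that is easy to make at step 7.

```shell
#!/bin/sh
# Added example for the keystore/CSR procedure (not NetIQ's own script).
# Assumes keytool (JRE) is on PATH. Alias, passwords, host and DN are placeholders.

# Create an RSA key pair in a new keystore with no interactive prompts.
# -dname supplies the subject: CN must be the server's fully qualified name.
# -ext SAN adds a Subject Alternative Name; current browsers validate the
# host against the SAN and ignore the CN.
create_keystore() {
    ks_alias="$1"; keystore="$2"; storepass="$3"; fqdn="$4"
    keytool -genkeypair \
        -alias "$ks_alias" \
        -keyalg RSA -keysize 2048 \
        -validity 3650 \
        -keystore "$keystore" \
        -storepass "$storepass" -keypass "$storepass" \
        -dname "CN=$fqdn,OU=Identity Applications,O=Example Org,L=Houston,ST=Texas,C=US" \
        -ext "SAN=dns:$fqdn"
}

# Return 0 if the alias is present in the keystore, non-zero otherwise.
# The alias is the entry name (IDMkey), not the file name (IDMkey.keystore).
alias_exists() {
    keytool -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# Generate a PKCS#10 CSR for the alias. keytool writes the file itself.
create_csr() {
    ks_alias="$1"; keystore="$2"; storepass="$3"; csr="$4"
    alias_exists "$ks_alias" "$keystore" "$storepass" || {
        echo "alias '$ks_alias' not found in $keystore" >&2
        return 1
    }
    keytool -certreq -v \
        -alias "$ks_alias" \
        -keystore "$keystore" \
        -storepass "$storepass" -keypass "$storepass" \
        -file "$csr"
}

# Print the subject and extensions of the CSR so they can be checked
# against the saved parameter values before sending the request to the CA.
show_csr() {
    keytool -printcertreq -file "$1"
}

# End-to-end run in a scratch directory; in production the keystore and
# CSR live in tomcat/conf. Prints the CSR path as the last line.
demo() {
    workdir=$(mktemp -d)
    create_keystore IDMkey "$workdir/IDMkey.keystore" 'changeit-example' MyTomcatServer.NetIQ.com \
        && create_csr IDMkey "$workdir/IDMkey.keystore" 'changeit-example' "$workdir/IDMcertrequest.csr" \
        && show_csr "$workdir/IDMcertrequest.csr" \
        && echo "$workdir/IDMcertrequest.csr"
}

if command -v keytool >/dev/null 2>&1; then
    demo
fi
```

Because -storepass and -keypass are passed on the command line here, they are visible in shell history and process listings; on a shared server, read them from a protected file or use keytool's interactive prompts instead.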

After creating the keystore and generating the CA certificate request, follow the procedures below to import certificates into the keystore: