41.2 Creating a Keystore and Certificate Signing Request

A keystore is a Java file that contains encryption keys and optionally, security certificates. To create a keystore, you can use the Java Keytool utility included in the JRE. You create the .jks file, generate a certificate into the keystore. Each certificate is associated with a unique alias. You place the keystore in the conf directory for your application server that supports the identity applications and Identity Reporting.

By default, the installer creates a keystore, namely tomcat.ks, in /opt/netiq/idm/apps/tomcat/conf and uses this keystore to configure the https connection. If you create a keystore file with the same name, replace this keystore file in this directory.

  1. In a command prompt, navigate to the conf directory for your application server installation where you have deployed the identity applications. For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.

    The tomcat/conf path is the default for the identity applications installed on Tomcat. The path can vary, depending on how you installed the application and Tomcat.

  2. Set the environment path for creating the keystore using the following command:

    cd /opt/netiq/idm/apps/tomcat/conf
    export PATH=/opt/netiq/common/jre/bin:$PATH


    cd C:\NetIQ\idm\apps\tomcat\conf
    set PATH=C:\NetIQ\idm\apps\jre\bin:%PATH%
  3. Create the keystore using the following command:

    keytool -genkey -alias alias_name -keyalg RSA -keystore keystore_name -validity 3650 -keysize 2048

    For example:

    keytool -genkey -alias IDMkey -keyalg RSA -keystore tomcat.ks -validity 3650 -keysize 2048
  4. At the prompt, specify the parameter values according to the following considerations:

    • For first and last name, specify the fully qualified name of the server. For example:

    • Use correct spelling. If you spell any words incorrectly, you will see errors when you generate your signed certificate from the signing authority.

  5. (Optional) Create a simple text file to save a copy of the information that you provide for the parameter values.

    Saving this information helps ensure that you supply the same information when you apply to the signing authority and when you import your certificate.

  6. Copy the keystore file to the /tomcat/conf directory for each application server instance where you have deployed Identity Manager components and SSPR.

    NOTE:In Linux system, you should change the owner of the file to novlua:

    chown novlua:novlua [keystore_name.keystore]
  7. To generate the CA certificate request, complete the following steps:

    1. In the conf directory, create a simple text file named your_request.csr. For example, IDMcertrequest.csr.

    2. Run the following command:

      keytool -certreq -v -alias alias_name -file your_request.csr -keypass keystore_password -keystore keystore_name -storepass your_password

      For example,

      keytool -certreq -v -alias IDMkey -file IDMcertrequest.csr -keypass IDMkeypass -keystore tomcat.ks -storepass IDMpass

      When you run the command, the Keytool utility populates the .csr file with the appropriate data for requesting a certificate.

  8. (Conditional) To obtain a signed certificate, submit the .csr file to a valid Certificate Authority.

  9. Copy the certificate in the configuration directory of your application server.

    For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.

  10. Stop Tomcat.

After creating a keystore and generating CA certificate request, perform the following procedures to import the certificates into the keystore:

NOTE:When a system certificate expires, you must manually renew the expired certificates. For more information, see NetIQ Identity Manager Certificate Management Guide.