Cisco Workload Automation 6.3 Installation Guide

Configuring SSL Messaging
keytool -keystore my_keystore -alias my_alias -genkey -keyalg RSA
You can use the keys and certificates you generate to get your implementation and testing going quickly.  However, to 
set up a production-grade server, it is recommended that you ask a well-known certificate authority (CA) to sign the keys 
and certificates.
Obtaining a Key and Certificate from a Trusted CA
There are many trusted CAs, such as AddTrust, Entrust, GeoTrust, RSA Data Security, Thawte, VISA, ValiCert, Verisign, 
and beTRUSTed. Each CA has its own instructions, which should be followed (look for the JSSE section), but all involve a 
step to generate a certificate signing request (CSR).
Java Keytool Example:  generating CSR
keytool -certreq -alias my_alias -keystore my_keystore -file my_csr.csr
Exporting and Importing a Certificate
When SSL messaging is enabled, each CWA server only sends messages to, and accepts messages from, the 
servers it trusts.  To authorize messaging between two servers, you must make sure the certificate of one server is 
registered in the other's trust store, and vice versa.  Java Keytool provides certificate import and export options to help 
you accomplish this.
Java Keytool Example:  exporting certificate from a key store to a file
keytool -export -alias my_alias -file my_cer.cer -keystore my_keystore -storepass my_keystore_password
Java Keytool Example:  importing certificate from a file to a trust store
keytool -import -v -trustcacerts -alias my_alias -file my_cer.cer -keystore my_truststore -storepass my_truststore_password
The following sections describe the configuration for each CWA server.  Each section indicates which other CWA servers' 
certificates must be imported into that server's trust store.
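The following check is an added example, not part of the Cisco guide: it compares the certificate fingerprints printed by keytool -list to confirm that each server's certificate is present in the other's trust store. The function names and the sample listings are constructed for illustration, and it assumes every listing was produced by the same keytool version.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify two-way trust between two
# CWA servers by comparing fingerprints printed by `keytool -list`.
# Assumption: all listings come from the same keytool version, so the
# fingerprint algorithm (for example SHA-256) is the same in each listing.

# Print the certificate fingerprints found in `keytool -list` output on stdin.
fingerprints() {
    tr -d '\r' | sed -n 's/^Certificate fingerprint ([^)]*): *//p' | sort -u
}

# trusts TRUSTSTORE_LISTING PEER_KEYSTORE_LISTING
# Succeeds only if every certificate in the peer's key store listing also
# appears in the trust store listing.
trusts() {
    trusted=$(printf '%s\n' "$1" | fingerprints)
    peer=$(printf '%s\n' "$2" | fingerprints)
    [ -n "$peer" ] || { echo "no certificate in peer key store listing"; return 2; }
    for fp in $peer; do
        printf '%s\n' "$trusted" | grep -qxF "$fp" || { echo "not trusted: $fp"; return 1; }
    done
    return 0
}

# mutual_trust A_KEYSTORE A_TRUSTSTORE B_KEYSTORE B_TRUSTSTORE (all listings)
# A must trust B's certificate, and B must trust A's certificate.
mutual_trust() {
    trusts "$2" "$3" && trusts "$4" "$1"
}

# Constructed sample listings (fingerprints are made up and shortened).
MASTER_KEYS='my_alias, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): A1:A1:A1:A1:A1:A1:A1:A1'
CM_KEYS='my_alias, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B2:B2:B2:B2:B2:B2:B2:B2'
MASTER_TRUST='cm, Jan 6, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): B2:B2:B2:B2:B2:B2:B2:B2'
CM_TRUST='master, Jan 6, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): A1:A1:A1:A1:A1:A1:A1:A1'
CM_TRUST_EMPTY='Your keystore contains 0 entries'

# With real stores, capture each listing like this (names as in the guide):
#   keytool -list -keystore my_truststore -storepass my_truststore_password
```

A non-zero return from mutual_trust means at least one direction of trust is missing, which matches the case where messaging between the two servers would be refused.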
Configuring SSL on the Primary Master
In this section, you will enable SSL on the Primary Master with the key stores you obtained in the earlier section.
To enable SSL on the Primary Master:
1. Shut down the Primary Master.
2. Copy the key store for the Primary Master to the config directory in the Master's installation directory.
3. Create a trust store by importing Client Manager's certificate.  Follow the instructions in
   If you are setting up Remote Master, import the certificate of the Remote Master into this trust store too.
   If you are setting up a fault tolerant system, import the certificate of the Fault Monitor into this trust store too.
   When done, copy the trust store to the config directory in the Master's installation directory.
4. Use a text editor to open the property file master.props located in the Master's installation directory.
   Note: It may be a good idea to back up this file before editing it to ensure there is a good copy to fall back to.
5. In the editor, locate the segment of SSL properties that looks like the following.
#MessageBroker.SSL.enabled=Y
#MessageBroker.SSL.keyStore=
#MessageBroker.SSL.keyStorePassword=