Generating a KeyStore and TrustStore

Use the information in this topic to create a KeyStore, create a custom self-signed certificate, and import the certificate.

Note

The security protocol used for encryption and decryption of communication between the Collection Station and the Collection Agent is Transport Layer Security (TLS).

Related topics

Security-planning

Configuring-a-secured-connection

Creating a KeyStore in JKS format

To create a KeySTore in the JKS format, you need to run the following keytool command.

Command syntax

keytool -keystore <jksFileName> -genkey -alias <aliasName> -validity <numberOfDays> -keyalg <encryptionType>

Example

keytool -keystore bmcitda.jks -genkey -alias bmcitda -validity 365  -keyalg RSA

In the preceding command, the following definitions apply:

  • <jksFileName> refers to the name of the KeyStore file (.jks format).
  • <aliasName>refers to the alias that you want to use while generating the KeyStore. 
  • <numberOfDays>refers to the number of days for which the KeyStore must remain valid.
  • <encryptionType>refers to encryption type that you want to use while generating the KeyStore.
Recommendation

BMC recommends that you create a separate directory in the following location and copy the KeyStore to that directory.

  • Windows: %BMC_ITDA_HOME%
  • Linux: $BMC_ITDA_HOME

After you create the KeyStore, you need to perform the following additional steps:

  • (Optional) Create a custom self-signed certificate. You can also use the default self-signed certificate bundled with the IT Data Analytics product.
    For more information, see Creating a custom self-signed certificate.
  • Import the certificate into the appropriate Java Runtime Environment (JRE) location.

Creating a custom self-signed certificate

To create a custom self-signed certificate, you need to run the following keytool command.

Command syntax

keytool -export -alias <aliasName> -file <name> -keystore <keystoreFileName>

Example

keytool -export -alias bmcitda -file bmcitda.cer -keystore bmcitda

In the preceding command, the following definitions apply:

  • <aliasName>refers to the alias used while generating the KeyStore.
  • <name> refers to the name with which the certificate file must be created.
  • <keystoreFileName> refers to the KeyStore file name (generated in the JKS format).

Importing a certificate

To import a self-signed certificate (default or custom) into a JRE location, you need to run the following command. The JRE location might differ based on the channel for which you are trying to configure security. For more information, see Configuring-a-secured-connection.

Command syntax

keytool -importcert -keystore <jreLocation> -file <certificateFileName> -alias <aliasName> -storepass <password>

Example

keytool -importcert -keystore ../../jre/lib/security/cacerts -file ../../tomcat/conf/bmcitda.cer -alias bmcitda -storepass changeit

In the preceding command, the following definitions apply:

  • <jreLocation> refers to location where you need to import the certificate. 
    The JRE location might differ based on the channel for which you are trying to configure security. For more information, see Configuring-a-secured-connection.
  • <certificateFileName> refers to name of the certificate file that you want to import. Optionally, you can also include the location path with the file name.
  • <aliasName> refers to the alias used while generating the KeyStore.
  • <password> refers to the KeyStore password (default: changeit).

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*