Set up mutual authentication for server and component integrator

Prerequisites: Set properties for mutual authentication

This topic explains how to add an alias to a component integrator, and exchange certificates between the Deployment Automation server and component integrator.

Add an alias to a component integrator

Before you generate a certificate for a component integrator, you must add an alias to the component integrator.

Note: Administrative privileges required.

To add an alias to a component integrator:

  1. Make sure the JAVA_HOME environment variable on the component integrator machine points to the directory where Java 11 is installed.

  2. Open a command prompt and navigate to the component integrator conf directory.

  3. From the <component_integrator_installation>\conf directory, run the following command:

    keytool -genkeypair -dname "cn=<component_integrator_alias>" -alias <component_integrator_alias> -keypass changeit -keystore component-integrator.keystore -storepass changeit -keyalg RSA -keysize 1024 -validity 7305

    where <component_integrator_alias> is the name of your component integrator alias. We recommend using the component integrator's name.

  4. To check the result, run this command:

    keytool -list -keystore component-integrator.keystore

When you have added an alias, finish configuring mutual authentication by exchanging certificates between the server and component integrator.

Exchange certificates with the server

After adding an alias to a component integrator, exchange certificates between the server and component integrator so that they can trust each other.

To exchange certificates:

  1. Stop the Deployment Automation server and component integrator.
  2. Open a command prompt and navigate to the conf directory in your server's profile:

    <da_profile_directory>\conf

  3. Run this command to export the server key as a certificate:

    keytool -export -keystore server.keystore -storepass changeit -alias server -file server.crt

    Note: The alias server for generating certificate keys is assigned during server installation.

  4. Copy the exported certificate file server.crt to the component integrator's conf directory:

    <component_integrator_installation>\conf

  5. From the component integrator's conf directory, run this command to import server.crt:

    keytool -import -keystore component-integrator.keystore -storepass changeit -alias server -file server.crt -keypass changeit -noprompt

    The message "Certificate was added to keystore" is displayed.

  6. From the component integrator's conf directory, run this command to export the component integrator key as a certificate:

    keytool -export -keystore component-integrator.keystore -storepass changeit -alias <component_integrator_alias> -file <component_integrator_name>.crt

    The certificate is stored in the <component_integrator_name>.crt file.

    Note: After generating a new key pair, make sure to remove the default key from the keystore.

  7. Copy the exported certificate file <component_integrator_name>.crt to your server's conf directory:

    <da_profile_directory>\conf

  8. From the server's conf directory, run this command to import the <component_integrator_name>.crt file:

    keytool -import -keystore server.keystore -storepass changeit -alias <component_integrator_alias> -file <component_integrator_name>.crt -keypass changeit -noprompt

    The message "Certificate was added to keystore" is displayed.

  9. Start the server and component integrator.
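
One way to verify the exchange before restarting, as an added example that is not part of the product or its documentation: it parses the text of `keytool -list -v` for both keystores and reports missing entries, mismatched SHA-256 fingerprints, RSA keys under 2048 bits, and leftover aliases in the component integrator keystore. The alias `ci-build01`, the shortened fingerprints, and the 2048-bit threshold are assumptions of this example.

```python
import re

MIN_RSA_BITS = 2048  # assumed baseline for this example, not a product requirement

def parse_keystore(listing):
    """Parse `keytool -list -v` text into {alias: {type, sha256, alg, bits}}."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        kind = re.search(r"Entry type: (\w+)", block)
        fp = re.search(r"SHA256: ([0-9A-F:]+)", block)
        key = re.search(r"Subject Public Key Algorithm: (\d+)-bit (\w+) key", block)
        entries[block.splitlines()[0].strip()] = {
            "type": kind.group(1) if kind else None, "sha256": fp.group(1) if fp else None,
            "alg": key.group(2) if key else None, "bits": int(key.group(1)) if key else 0}
    return entries

def check_exchange(server_listing, integrator_listing, alias):
    """Return a list of findings; an empty list means the exchange looks consistent."""
    srv, ci = parse_keystore(server_listing), parse_keystore(integrator_listing)
    findings = []
    for name, store, own, peer in (("server.keystore", srv, "server", alias),
                                   ("component-integrator.keystore", ci, alias, "server")):
        # Each side holds its own private key and trusts the peer's certificate.
        if store.get(own, {}).get("type") != "PrivateKeyEntry":
            findings.append(f"{name}: no PrivateKeyEntry for alias {own}")
        if store.get(peer, {}).get("type") != "trustedCertEntry":
            findings.append(f"{name}: no trustedCertEntry for alias {peer}")
        findings += [f"{name}: alias {a} uses a {e['bits']}-bit RSA key"
                     for a, e in store.items() if e["alg"] == "RSA" and e["bits"] < MIN_RSA_BITS]
    for a in ("server", alias):  # the imported copy must match what the peer exported
        if len({s[a]["sha256"] for s in (srv, ci) if a in s}) > 1:
            findings.append(f"alias {a}: SHA-256 fingerprints differ between keystores")
    # Extra aliases in the integrator keystore, such as a leftover default key.
    findings += [f"component-integrator.keystore: unexpected alias {a}"
                 for a in ci if a not in ("server", alias)]
    return findings

def sample_entry(alias, kind, fp, bits):
    """Constructed sample in keytool's verbose layout (fingerprint is made up)."""
    return (f"Alias name: {alias}\nEntry type: {kind}\nOwner: CN={alias}\nCertificate "
            f"fingerprints:\n\t SHA256: {fp}\nSubject Public Key Algorithm: {bits}-bit RSA key\n\n")

# Constructed listings: the integrator imported a different server certificate.
SERVER_KS = sample_entry("server", "PrivateKeyEntry", "AA:01", 2048) + \
            sample_entry("ci-build01", "trustedCertEntry", "BB:02", 1024)
INTEGRATOR_KS = sample_entry("ci-build01", "PrivateKeyEntry", "BB:02", 1024) + \
                sample_entry("server", "trustedCertEntry", "CC:03", 2048)
if __name__ == "__main__":
    print("\n".join(check_exchange(SERVER_KS, INTEGRATOR_KS, "ci-build01")))
```

To use it on real keystores, save the output of `keytool -list -v -keystore <file>` for each side and pass the two texts to `check_exchange` along with the component integrator alias.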
