XIC: steps to use CA signed certificate between XTR and XIC
In the XTR installation: the CSR file needs to be created and then the CA Signed Certificate needs to be uploaded to the XTR installation
- Validate all entries on the SSLTRCFG file.
Note:
CA_Cert should be SSLCACRT created by XTR installation.
CA_Key should be a private key file of CA_Cert, e.g. SSLCAKEY
- Determine a password for the private key and store it as an SSLTRPAS file
- Run the following command at TACL
TACL> #SET #INFORMAT TACL
TACL> [ run <$system>.XYGATETR.xycert
-cfg:sslTRcfg
-new
-out:sslTRcsr
-keyout:sslTRkey
-passout:<determined-password>
-outform:pem
]
TACL>
- Change RWEP on sslTRkey and sslTRpas to UUUU
- Change RWEP on sslTRcsr NUUU
- Download the sslTRcsr file and send it out to CA to get registered
- Upload the certificate from CA to XTR installation as sslTRcrt
- Change RWEP on sslTRcrt NUUU
in the XIC installation: delete the old xic_xtr alias and add a new alias with an updated SSLTRCRT
- Identify the location of the updated XTR certificate, e.g. SSLTRCRT.
e.g. ls -l /G/VOL/XYGATETR/SSLTRCRT
- Move to the XIC ssh directory
e.g. cd /local/XYPRO/webservices/.ssh
- Make a backup copy of the XIC ssh directory and all the included files.
- Enter chmod with WRITE on XIC_XTR.jks
e.g. chmod 777 XIC_XTR.jks
- Enter keytool with -list option to ensure there's an alias xic_xtr
e.g. keytool -list -keystore XIC_XTR.jks
- Enter keytool with -delete option to remove the alias xic_xtr
e.g. keytool -delete -alias XIC_XTR -keystore XIC_XTR.jks
- Enter keytool with -importcert option to import the SSLTRCRT with alias name xic_xtr
e.g. keytool -importcert -trustcacerts -alias XIC_XTR -file /G/VOL/XYGATETR/SSLTRCRT -keystore XIC_XTR.jks
- Enter chmod with READ only on XIC_XTR.jks
e.g. chmod 400 XIC_XTR.jks
- Restart XIC
For more information, please refer to the XIC manual 1.30 - Appendix E