I had enabled SSL client authentication for the inbound WC ports on my AppTarget JVMs (it's a long story so I won't go into why I did this)... this meant that anything sending a request to AppTarget's WC ports would be asked for a client certificate.
RAL (Remote Artifact Loader) does just this... it's used by BPC Explorer (which in my case was running on the Support cluster) to gather info about a running BPC process on the AppTarget cluster. (Note: RAL traffic can't be pushed through a reverse proxy by design because all URIs are the same regardless of the server component being contacted... weird design!)
So, in this scenario, with client auth enabled on AppTarget as described, any RAL requests would need to authenticate with a client certificate. You would be right to think this would already be taken care of by the fact that NodeDefaultKeyStore contains everything RAL needs. However, you would be wrong... it turns out that RAL uses the JRE's cacerts for this, and therefore, when you tried to get info about a running process (or tried to start a new process, for that matter), the request would fail.
I'm sure there's a way to force WAS to use the right keystores and truststores... but until I or someone else works out what it is, you can copy the relevant key pair across using the ikeycmd command below (it exports the "default" key pair from the node's key.p12 into the JRE's cacerts):
$WAS_HOME/java/jre/bin/ikeycmd -cert -export -label default -type pkcs12 \
    -db $WAS_HOME/profiles/<profile>/config/cells/<cell>/nodes/<node>/key.p12 \
    -pw <password> -target_pw <target password> -target_type jks \
    -target $WAS_HOME/java/jre/lib/security/cacerts