Preparing to Replace the Default Keystore and Truststore
Use a key and certificate management tool to generate the custom keys and certificates for Command Central. For example, you can use keytool and follow the instructions in "How do I generate keystores and certificates for Command Central" to generate the key and certificate files. For details about keytool, see the Java SE documentation in the Oracle Help Center. Make sure that you generate and store the certificates in a secure directory.
Command Central does not have any special naming requirements for the file names of the generated keys and certificates. The following are some file naming suggestions that you could use:
- For the Command Central server keys/certificates, you can use the server hostname or IP address.
- For the Platform Manager keys/certificates, you can use the node alias.
- For the client truststores, you can choose any meaningful name.
To generate self-signed certificates, create the following files with the certificate management tool:
- The certificate authority (CA) root key, for example ccroot.jks
- The CA certificate to import into a truststore or into a browser CA list, for example ccroot.cer
- A server key for the Command Central server and for each Platform Manager node that Command Central manages, for example ccnode.jks and spmnode.jks
Import the generated certificates into the client truststores:
- For the Command Central web user interface, import ccroot.cer and spm*.cer (that is, the certificates for each Platform Manager node managed by Command Central) into the cce-truststore.jks.
- For the Command Central CLI, import ccroot.cer and cc*.cer into the cli-truststore.jks.
Copy the keystore and truststore files to a secure directory with controlled user access:
- On the machine that hosts Command Central (and the local Platform Manager)
- On each machine with a Platform Manager installation that Command Central manages
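
The file set described above, built with keytool, as an added example that is not part of the Command Central documentation. The aliases, distinguished names, host names, key size, validity periods and the STOREPASS variable with its placeholder value are assumptions, and signing the node certificates with the CA key is one way to build the chain.

```shell
#!/bin/sh
# Added example, not product code. File names follow the suggestions above;
# aliases, DNs, host names, key size and validity are constructed assumptions.
set -eu

# keytool's ":env" modifier reads the password from the environment, keeping
# it out of the process list. The default below is a placeholder.
: "${STOREPASS:=ChangeMe-placeholder}"; export STOREPASS
kt() { keytool "$@" -storepass:env STOREPASS; }

secure_dir() {  # $1 = directory accessible only to the owning account
  mkdir -p "$1" && chmod 700 "$1"
}

make_ca() {     # $1 = dir; writes ccroot.jks (CA key) and ccroot.cer
  kt -genkeypair -alias ccroot -keyalg RSA -keysize 3072 -validity 3650 \
     -dname "CN=Example CC Root CA" -ext bc:c=ca:true \
     -keystore "$1/ccroot.jks" -keypass:env STOREPASS
  kt -exportcert -rfc -alias ccroot -keystore "$1/ccroot.jks" -file "$1/ccroot.cer"
}

make_node() {   # $1 = dir, $2 = file/alias name, $3 = host name of the node
  kt -genkeypair -alias "$2" -keyalg RSA -keysize 3072 -validity 825 \
     -dname "CN=$3" -keystore "$1/$2.jks" -keypass:env STOREPASS
  kt -certreq -alias "$2" -keystore "$1/$2.jks" -file "$1/$2.csr"
  kt -gencert -alias ccroot -keystore "$1/ccroot.jks" -infile "$1/$2.csr" \
     -outfile "$1/$2.cer" -rfc -validity 825 -ext "san=dns:$3"
  kt -importcert -noprompt -alias ccroot -keystore "$1/$2.jks" -file "$1/ccroot.cer"
  kt -importcert -alias "$2" -keystore "$1/$2.jks" -file "$1/$2.cer"  # CA reply
}

trust() {       # $1 = truststore file, $2 = alias, $3 = certificate file
  kt -importcert -noprompt -alias "$2" -keystore "$1" -file "$3"
}

build_all() {   # $1 = output directory
  secure_dir "$1"
  make_ca "$1"
  make_node "$1" ccnode  cc.example.internal
  make_node "$1" spmnode spm.example.internal
  trust "$1/cce-truststore.jks" ccroot  "$1/ccroot.cer"   # web UI: root + spm*.cer
  trust "$1/cce-truststore.jks" spmnode "$1/spmnode.cer"
  trust "$1/cli-truststore.jks" ccroot  "$1/ccroot.cer"   # CLI: root + cc*.cer
  trust "$1/cli-truststore.jks" ccnode  "$1/ccnode.cer"
  chmod 600 "$1"/*.jks
}

# Runs only when an output directory is passed as the first argument.
[ -z "${1:-}" ] || build_all "$1"
```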