DataPower Agent - using a separate cacerts file

Discussion created by bwcole on Jan 26, 2018

This is an extension of the start/stop/status script:

https://communities.ca.com/thread/241791052-datapower-agent-how-to-stop

So, I ran into a problem.  The default instructions for the DataPower agent include a script that installs the communication SSL certificate into the system Java Key Store (JKS <cacerts>).  This file is typically only accessible by the system admins, and they frown on accepting more responsibilities, especially in the context of having to manage certificates within the system cacerts file.

I contacted CA Support (00939937) and they suggested using:

"Please edit DatapowerMonitor.cmd/sh and add -Djavax.net.ssl.trustStore="Custom path" as below

%JAVACMD% %JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\apm-dev\jdks\jdk1.8.0_05\jre\lib\security\cacerts" -Xms20m -Xmx4096m -Dcom.wily.introscope.agentProfile=../config/datapower.properties -classpath %CLASSPATH% -Dapp.name="DatapowerMonitor" -Dapp.repo="%REPO%" -Dapp.home="%BASEDIR%" -Dbasedir="%BASEDIR%" com.wily.field.dpmon.DataPowerMonitor -c ../config/DatapowerMonitor-config.xml %CMD_LINE_ARGS%"

Went on a mission to create a cacert file, load the required certificates using InstallCerts.sh, get the cacert file argument set up and get it working.

Create a cacert file

    keytool -genkeypair -keystore cacerts -storepass changeit

Delete the dummy certificate from the cacert file

    keytool -delete -keystore cacerts -storepass changeit -alias mykey

You can run the following to see that the cacerts file is empty:

    keytool -list -v -keystore ./cacerts

I created a cacert file for each agent so if something goes wrong, it would only impact a single agent and not every agent using the cacert file.  With that, I created the cacert file in the <datapower agent>/bin directory.

Issue the InstallCerts.sh command against the agent's cacerts file:

    ./InstallCerts.sh <host>:<port> ./cacerts

Then, in the DPACtrl.sh file, I added the argument to the java command line:

    -Djavax.net.ssl.trustStore="./cacerts"
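As an added example (not one of CA's DatapowerMonitor, DPACtrl or InstallCerts scripts), the shell script below carries out the steps above for one agent and adds two checks a practitioner would want: an absolute truststore path, since the JVM resolves "./cacerts" against whatever directory the start script happens to run from, and an entry count to verify after InstallCerts.sh has run. The AGENT_HOME/bin/cacerts location and the script name build_truststore.sh are assumptions.

```shell
#!/bin/sh
# Added example (not CA's DatapowerMonitor/DPACtrl/InstallCerts scripts):
# build a per-agent JKS truststore and derive the JVM argument for it.
# Assumption: the agent lives in AGENT_HOME and its truststore is
# AGENT_HOME/bin/cacerts, as in the post.
set -eu

STOREPASS=changeit

# Absolute truststore path. The post uses "./cacerts", which the JVM
# resolves against its working directory, so a start script launched from
# elsewhere (e.g. by cron) would silently fall back to the system cacerts.
truststore_path() {
    printf '%s/bin/cacerts\n' "$1"
}

# The -D option to append to the java command line in DPACtrl.sh.
truststore_opt() {
    printf -- '-Djavax.net.ssl.trustStore=%s\n' "$1"
}

# keytool cannot create an empty keystore directly, hence the post's two
# steps: generate a throwaway key pair, then delete it. -dname makes the
# first step non-interactive; -storetype JKS pins the format the post
# describes even on JDKs whose default keystore type is PKCS12.
create_empty_truststore() {
    keytool -genkeypair -keystore "$1" -storetype JKS -storepass "$STOREPASS" \
        -alias mykey -keyalg RSA -dname "CN=placeholder" >/dev/null 2>&1
    keytool -delete -keystore "$1" -storepass "$STOREPASS" -alias mykey
}

# Count entries: 0 straight after creation, 1 or more once InstallCerts.sh
# has imported the DataPower certificate. Use it as a post-deploy check.
truststore_entry_count() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" \
        | grep -cE 'trustedCertEntry|PrivateKeyEntry' || true
}

# Usage: sh build_truststore.sh /opt/datapower-agent
if [ "$#" -eq 1 ]; then
    ks=$(truststore_path "$1")
    create_empty_truststore "$ks"
    echo "entries in $ks: $(truststore_entry_count "$ks")"
    echo "add to DPACtrl.sh: $(truststore_opt "$ks")"
fi
```

After running InstallCerts.sh against the same file, truststore_entry_count should report at least one entry; a count of 0 means the agent will still fail its SSL handshake.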

Then, get the agent configured and start it up.  Well for me it was more so request user accounts, grant the user access to the datapower interface, request network access from the agent host to the datapower host, ask the datapower admin for all of the connection details, host/port/domain/environment, get everything in source control, make a deployment process, test the deployment process, have everything reviewed, schedule the deploy, get the deploy done and hope you got everything in place so when it is started it works in the non-production environment, and lastly, schedule the production deploy.

Hope this helps,

Billy