...
For example, this command creates a keystore called workbench.p12 in the MettleCI home directory for use with a Workbench currently accessed at the URL http://my-engine.datamigrators.com:8080:
This example generates a key with a 365-day validity.

C:\> keytool -genkey -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12 ^
-storepass changeit -storetype PKCS12 -keysize 2048 ^
-sigalg SHA256withRSA -dname "CN=engine.datamigrators.com" ^
-ext san=dns:engine.datamigrators.com ^
-validity 365
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Peter Parker
What is the name of your organizational unit?
[Unknown]: MettleCI
What is the name of your organization?
[Unknown]: Data Migrators
What is the name of your City or Locality?
[Unknown]: Melbourne
What is the name of your State or Province?
[Unknown]: Victoria
What is the two-letter country code for this unit?
[Unknown]: AU
Is CN=Peter Parker, OU=MettleCI, O=Data Migrators, L=Melbourne, ST=Victoria, C=AU correct?
[no]: yes
Enter key password for <workbench>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore C:\dm\mci\workbench.p12 -destkeystore C:\dm\mci\workbench.p12 -deststoretype pkcs12".
C:\>
Note that in the example above you must replace both instances of engine.datamigrators.com with the domain name of your DataStage engine, which you can get from the Workbench URL (e.g. mydsengine.acmesandwichmakers.com).
You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example.

keytool -list -v -keystore C:\dm\mci\workbench.p12 -storetype PKCS12
Enter keystore password: ********
If you need to have your certificate signed, you can generate a certificate signing request (CSR) with a command like the following:

keytool -certreq -keyalg RSA -alias workbench -keystore C:\dm\mci\workbench.p12 ^
-storepass changeit -sigalg SHA256withRSA -file C:\dm\mci\workbench.csr
This example generates a key with a 365-day validity.

$> keytool -genkey -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 \
-storepass changeit -storetype PKCS12 -keysize 2048 \
-sigalg SHA256withRSA -dname "CN=engine.datamigrators.com" \
-ext san=dns:engine.datamigrators.com \
-validity 365
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Peter Parker
What is the name of your organizational unit?
[Unknown]: MettleCI
What is the name of your organization?
[Unknown]: Data Migrators
What is the name of your City or Locality?
[Unknown]: Melbourne
What is the name of your State or Province?
[Unknown]: Victoria
What is the two-letter country code for this unit?
[Unknown]: AU
Is CN=Peter Parker, OU=MettleCI, O=Data Migrators, L=Melbourne, ST=Victoria, C=AU correct?
[no]: yes
Enter key password for <workbench>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore C:dmmciworkbench.p12 -destkeystore C:dmmciworkbench.p12 -deststoretype pkcs12".
$>
Note that in the example above you must replace both instances of engine.datamigrators.com with the domain name of your DataStage engine, which you can get from the Workbench URL (e.g. mydsengine.acmesandwichmakers.com).
Ensure that your keystore has at least 644 (rw-r--r--) privileges and that it is owned by mciworkb:dstage.

You can verify your keystore by listing the certificates within it. You’ll need to re-enter your keystore password, which is 'changeit' (no quotes) in our example above.

keytool -list -v -keystore /opt/dm/mci/workbench.p12 -storetype PKCS12
Enter keystore password: ********
If you need to have your certificate signed, you can generate a certificate signing request (CSR) with a command like the following:

keytool -certreq -keyalg RSA -alias workbench -keystore /opt/dm/mci/workbench.p12 -storepass changeit \
-sigalg SHA256withRSA -file /opt/dm/mci/workbench.csr
Note that, with the exception of keytool -list, the keytool command will not normally return a value to the console.
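
The listing step above can be checked mechanically. The following script is an added example (not part of the original page and not MettleCI tooling): it reads `keytool -list -v` output and confirms that the SAN and CN match the host name in the Workbench URL, and that the alias holds a 2048-bit RSA private key signed with SHA256withRSA. The function names and the sample listing are constructed for illustration, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example, not MettleCI code. Assumes English-locale keytool output.
# Real use, with the flags shown on this page:
#   keytool -list -v -keystore /opt/dm/mci/workbench.p12 -storetype PKCS12 \
#     -storepass changeit | check_listing <workbench-url>

# Constructed sample shaped like the `keytool -list -v` entry for the key above.
sample_listing() {
cat <<'EOF'
Alias name: workbench
Entry type: PrivateKeyEntry
Owner: CN=engine.datamigrators.com
Issuer: CN=engine.datamigrators.com
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 00:00:00 UTC 2024
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
SubjectAlternativeName [
  DNSName: engine.datamigrators.com
]
EOF
}

# Print the host part of a URL such as http://host:8080/path (no IPv6 or userinfo).
url_host() {
  printf '%s\n' "$1" | sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|[/:].*$||'
}

# check_listing URL: listing on stdin; prints failed checks, returns 0 if none.
check_listing() {
  host=$(url_host "$1" | tr 'A-Z' 'a-z')
  [ -n "$host" ] || { echo "FAIL: no host name in '$1'"; return 1; }
  listing=$(cat)
  rc=0
  sans=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*DNSName:[[:space:]]*//p' | tr 'A-Z' 'a-z')
  printf '%s\n' "$sans" | grep -qxF "$host" ||
    { echo "FAIL: no SAN DNSName equals $host (found: $(echo $sans))"; rc=1; }
  cn=$(printf '%s\n' "$listing" | sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1 | tr 'A-Z' 'a-z')
  [ "$cn" = "$host" ] || { echo "FAIL: Owner CN is '$cn', not $host"; rc=1; }
  printf '%s\n' "$listing" | grep -q '^Entry type: PrivateKeyEntry' ||
    { echo "FAIL: alias holds no private key entry"; rc=1; }
  printf '%s\n' "$listing" | grep -q '^Signature algorithm name: SHA256withRSA' ||
    { echo "FAIL: signature algorithm is not SHA256withRSA"; rc=1; }
  bits=$(printf '%s\n' "$listing" | sed -n 's/^Subject Public Key Algorithm: \([0-9]*\)-bit RSA key.*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-unknown} bits, expected 2048"; rc=1; }
  return $rc
}

sample_listing | check_listing http://engine.datamigrators.com:8080 && echo "keystore listing OK"
```

A CN or SAN left at the example value, or set through the interactive name prompts, shows up as a FAIL line naming the host the Workbench URL actually uses.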
Regenerating keys
If you want to regenerate your keystore certificate for any reason (for example, because it has expired), you can use the following command:
...