DX Application Performance Management

DataPower Agent - using a separate cacerts file

  • 1.  DataPower Agent - using a separate cacerts file

    Posted 01-26-2018 07:38 AM

    This is an extension of the start/stop/status script:

    https://communities.ca.com/thread/241791052-datapower-agent-how-to-stop

     

    So, ran into a problem.  The default instructions of the DataPower agent has a script that installs the communication SSL certificate into the system Java Key Store (JKS <cacerts>).  This file is typically only accessible by the system admins and they frown on accepting more responsibilities, especially in context of having to manage certificates within the system cacerts file.

     

    I contacted CA Support (00939937) and they suggested using:

     

    "Please edit DatapowerMonitor.cmd/sh and add -Djavax.net.ssl.trustStore="Custom path" as below

    %JAVACMD% %JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\apm-dev\jdks\jdk1.8.0_05\jre\lib\security\cacerts" -Xms20m -Xmx4096m -Dcom.wily.introscope.agentProfile=../config/datapower.properties -classpath %CLASSPATH% -Dapp.name="DatapowerMonitor" -Dapp.repo="%REPO%" -Dapp.home="%BASEDIR%" -Dbasedir="%BASEDIR%" com.wily.field.dpmon.DataPowerMonitor -c ../config/DatapowerMonitor-config.xml %CMD_LINE_ARGS%"

     

    Went on a mission to create a cacert file, load the required certificates using InstallCerts.sh, get the cacert file argument set up and get it working.

    Create a cacert file

       keytool -genkeypair -keystore cacerts -storepass changeit

     

    Delete the dummy certificate from the cacert file

        keytool -delete -keystore cacerts -storepass changeit -alias mykey

     

    You can use the keytool -keystore ./cacert -list -v to see that the cacerts file is empty

    I created a cacert file for each agent so if something goes wrong, it would only impact a single agent and not every agent using the cacert file.  With that, I created the cacert file in the <datapower agent>/bin directory.

     

    Issue the ./InstallCerts.sh <host>:<port> ./cacerts

     

    Then in the DPACtrl.sh file I added the argument to the java command line

       -Djavax.net.ssl.trustStore="./cacerts"

     

    Then, get the agent configured and start it up.  Well for me it was more so request user accounts, grant the user access to the datapower interface, request network access from the agent host to the datapower host, ask the datapower admin for all of the connection details, host/port/domain/environment, get everything in source control, make a deployment process, test the deployment process, have everything reviewed, schedule the deploy, get the deploy done and hope you got everything in place so when it is started it works in the non-production environment, and lastly, schedule the production deploy.

     

     

    Hope this helps,

     

    Billy