Sunday, December 28, 2014

Creating and using new certificates in Tivoli Directory Integrator.

The default certificates shipped with TDI, namely serverapi/testadmin.jks and testserver.jks, have well-known passwords, so anyone with a copy of the product distribution also has the private keys in them. They must not be used in a production environment.
With the ikeycmd command-line tool shipped in the TDI JVM (the CLI counterpart of the ikeyman GUI) you can generate new key stores and self-signed certificates with a password of your own. Point solution.properties at the new files and passwords so that SDI starts using them.

1) Generate new keystores and certificates:

Create the following bash script and execute it in an empty working directory. It creates four files: sdi_server.jks, sdi_server.der, sdi_admin.jks and sdi_admin.der. The password for both .jks files is "mypassword"; that is a placeholder, so substitute a strong password of your own and use the same one in steps 3 and 4.

#!/bin/bash
# Generates the server and admin (Server API client) key stores for SDI/TDI.
# Output: sdi_server.jks, sdi_server.der, sdi_admin.jks, sdi_admin.der
set -e

IKEYCMD=/opt/IBM/TDI/V7.2/jvm/jre/bin/ikeycmd
# Placeholder: replace with a strong password. ikeycmd takes the password on
# its command line, so it is briefly visible in the process list while it runs.
CERTPASSWORD=mypassword

echo "Creating sdi_admin.jks and sdi_admin.der files.."
# Key store plus self-signed certificate for the API client (label "admin"),
# then export the certificate (public part only) as DER. -expire is in days;
# 7300 days is 20 years, so pick what your policy allows.
$IKEYCMD -keydb -create -type jks -pw "$CERTPASSWORD" -db sdi_admin.jks
$IKEYCMD -cert -create -db sdi_admin.jks -label admin -size 2048 -expire 7300 -dn "CN=API Admin, OU=test, O=test, L=test, ST=test, C=IN" -pw "$CERTPASSWORD"
$IKEYCMD -cert -list -db sdi_admin.jks -pw "$CERTPASSWORD"
$IKEYCMD -cert -extract -db sdi_admin.jks -label admin -pw "$CERTPASSWORD" -target sdi_admin.der

echo "Creating sdi_server.jks and sdi_server.der files.."
# Same for the server. The label "server" must match the key alias properties
# in solution.properties (api.key.alias, com.ibm.di.server.encryption.key.alias).
# The CN below is a placeholder; use the server's host name in practice.
$IKEYCMD -keydb -create -type jks -pw "$CERTPASSWORD" -db sdi_server.jks
$IKEYCMD -cert -create -db sdi_server.jks -label server -size 2048 -expire 7300 -dn "CN=SDI Server, OU=test, O=test, L=test, ST=test, C=IN" -pw "$CERTPASSWORD"
$IKEYCMD -cert -list -db sdi_server.jks -pw "$CERTPASSWORD"
$IKEYCMD -cert -extract -db sdi_server.jks -label server -pw "$CERTPASSWORD" -target sdi_server.der

echo "Importing admin and server certificates into sdi_server.jks and sdi_admin.jks respectively"
# Cross-import the public certificates so that the server trusts the admin
# client and the client trusts the server (mutual TLS on the Server API).
$IKEYCMD -cert -add -db sdi_server.jks -pw "$CERTPASSWORD" -label admin -file sdi_admin.der
$IKEYCMD -cert -list -db sdi_server.jks -pw "$CERTPASSWORD"
$IKEYCMD -cert -add -db sdi_admin.jks -pw "$CERTPASSWORD" -label server -file sdi_server.der
$IKEYCMD -cert -list -db sdi_admin.jks -pw "$CERTPASSWORD"

2) Copy the files generated in step 1 to the following locations. Make the .jks files owned by the user that runs the SDI server and readable by nobody else (chmod 600); they contain the private keys. The .der files hold only the public certificates.

/opt/IBM/TDI/V7.2/sdi_server.jks
/opt/IBM/TDI/V7.2/sdi_server.der
/opt/IBM/TDI/V7.2/serverapi/sdi_admin.jks
/opt/IBM/TDI/V7.2/serverapi/sdi_admin.der

3) Modify the following lines in solution.properties (back up the original first). Keep the {protect}- prefix on the password properties: SDI encrypts the value of such a property the next time it writes the file, so the clear-text password does not stay on disk. The grep listings below show what the file should contain afterwards.

[root@localhost certs]# grep mypassword solution.properties
{protect}-javax.net.ssl.trustStorePassword=mypassword
{protect}-javax.net.ssl.keyStorePassword=mypassword
{protect}-api.keystore.password=mypassword
{protect}-api.key.password=mypassword
{protect}-api.truststore.pass=mypassword
{protect}-api.client.key.pass=mypassword
{protect}-api.client.truststore.pass=mypassword

[root@localhost certs]# grep sdi_admin solution.properties
javax.net.ssl.trustStore=serverapi/sdi_admin.jks
javax.net.ssl.keyStore=serverapi/sdi_admin.jks
api.client.keystore=serverapi/sdi_admin.jks
api.client.truststore=serverapi/sdi_admin.jks

[root@localhost certs]# grep sdi_server solution.properties
api.keystore=sdi_server.jks
com.ibm.di.server.encryption.keystore=sdi_server.jks
api.truststore=sdi_server.jks

Two things to check here. The key labels used in step 1 ("server" and "admin") must match the alias properties in solution.properties (api.key.alias and com.ibm.di.server.encryption.key.alias for the server store); the script uses "server" because that is the default alias, so leave those properties alone unless you changed the labels. Second, com.ibm.di.server.encryption.keystore names the key SDI uses to encrypt {protect}- properties and encrypted configuration files. Anything already encrypted with the key from the old testserver.jks cannot be decrypted with the new key, so re-enter such values in clear text (with the {protect}- prefix) so they are re-encrypted under the new key.

4) Create a stash file so the server can read the new key store password at start-up (back up the original idisrv.sth before you run the command). The password is passed on the command line, so it ends up in your shell history; clear it from there afterwards, and keep idisrv.sth owned by the SDI user and readable by nobody else, since it is what lets the server open the key store without prompting.
cd /opt/IBM/TDI/V7.2
bin/createstash.sh mypassword
This creates /opt/IBM/TDI/V7.2/idisrv.sth. Restart the SDI server afterwards so that it picks up the new stores and the stash file.
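The audit script below is an added example, not part of the original post and not TDI's own tooling. It checks a solution directory for the three mistakes most likely after steps 2 and 3: a store property that still points at testserver.jks or testadmin.jks, a referenced store file that was never copied or is readable by other users, and a password property left without the {protect}- prefix. It assumes the property names edited above; the two sample solution directories it runs against (a correct one and a sloppy one) are constructed inside the script for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post, not TDI code): audit a TDI/SDI
# solution directory after swapping the default key stores. Property names
# are the ones edited in the post; sample directories are constructed below.

STORE_PROPS='javax.net.ssl.trustStore javax.net.ssl.keyStore api.keystore api.truststore api.client.keystore api.client.truststore com.ibm.di.server.encryption.keystore'
PASS_PROPS='javax.net.ssl.trustStorePassword javax.net.ssl.keyStorePassword api.keystore.password api.key.password api.truststore.pass api.client.key.pass api.client.truststore.pass'

# prop_value FILE NAME: print the value of NAME, with or without {protect}-.
prop_value() {
    awk -v key="$2" '
        /^[#!]/ || !/=/ { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            if (index(k, "{protect}-") == 1) k = substr(k, 11)
            if (k == key) v = substr($0, index($0, "=") + 1)
        }
        END { print v }' "$1"
}

# check_no_default_stores FILE: fail if a store property names a shipped store.
check_no_default_stores() {
    rc=0
    for p in $STORE_PROPS; do
        v=$(prop_value "$1" "$p")
        case "$v" in
            *testserver.jks|*testadmin.jks)
                echo "$p still points at the shipped default store: $v"; rc=1 ;;
        esac
    done
    return $rc
}

# check_store_files FILE SOLDIR: every referenced store must exist (relative
# paths are resolved against the solution dir) and must not be group/world readable.
check_store_files() {
    rc=0
    for p in $STORE_PROPS; do
        v=$(prop_value "$1" "$p")
        if [ -z "$v" ]; then continue; fi
        case "$v" in /*) f="$v" ;; *) f="$2/$v" ;; esac
        if [ ! -f "$f" ]; then
            echo "$p: $f does not exist"; rc=1; continue
        fi
        mode=$(ls -ld "$f" | cut -c5-10)     # group+other bits of "-rw-------"
        if [ "$mode" != "------" ]; then
            echo "$p: $f is readable by group or others (-$mode)"; rc=1
        fi
    done
    return $rc
}

# check_protect_prefix FILE: fail if a password property lacks {protect}-.
check_protect_prefix() {
    rc=0
    for p in $PASS_PROPS; do
        if grep -q "^$p=" "$1"; then
            echo "$p is stored without the {protect}- prefix"; rc=1
        fi
    done
    return $rc
}

# audit_solution SOLDIR: run all three checks; returns 0 only if all pass.
audit_solution() {
    ok=0
    check_no_default_stores "$1/solution.properties" || ok=1
    check_store_files "$1/solution.properties" "$1"  || ok=1
    check_protect_prefix "$1/solution.properties"    || ok=1
    return $ok
}

# --- constructed sample data: a correctly converted solution dir and a sloppy one
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/good/serverapi" "$DEMO/bad/serverapi"
cat > "$DEMO/good/solution.properties" <<'EOF'
api.keystore=sdi_server.jks
{protect}-api.keystore.password=mypassword
{protect}-api.key.password=mypassword
api.truststore=sdi_server.jks
{protect}-api.truststore.pass=mypassword
api.client.keystore=serverapi/sdi_admin.jks
{protect}-api.client.key.pass=mypassword
api.client.truststore=serverapi/sdi_admin.jks
{protect}-api.client.truststore.pass=mypassword
javax.net.ssl.trustStore=serverapi/sdi_admin.jks
{protect}-javax.net.ssl.trustStorePassword=mypassword
javax.net.ssl.keyStore=serverapi/sdi_admin.jks
{protect}-javax.net.ssl.keyStorePassword=mypassword
com.ibm.di.server.encryption.keystore=sdi_server.jks
EOF
: > "$DEMO/good/sdi_server.jks"; : > "$DEMO/good/serverapi/sdi_admin.jks"
chmod 600 "$DEMO/good/sdi_server.jks" "$DEMO/good/serverapi/sdi_admin.jks"
# bad: one property missed, one password unprotected, server store
# world-readable, admin store never copied into serverapi/
sed -e 's/^api\.truststore=.*/api.truststore=testserver.jks/' \
    -e 's/^{protect}-api\.key\.password=/api.key.password=/' \
    "$DEMO/good/solution.properties" > "$DEMO/bad/solution.properties"
: > "$DEMO/bad/sdi_server.jks"; chmod 644 "$DEMO/bad/sdi_server.jks"

for d in good bad; do
    if audit_solution "$DEMO/$d"; then echo "$d: OK"; else echo "$d: problems found"; fi
done
```

To use it against a real installation, drop the sample-data section and call audit_solution with the solution directory (for this post, /opt/IBM/TDI/V7.2). The file-permission check reads the group/other bits from ls -l rather than stat, so it behaves the same on Linux and AIX.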

