Configuring a Keystore

Ironstream for Splunk®/Kafka®/Elastic® for IBM i Ironstream Integration Components Administration

Product type: Software
Portfolio: Integrate
Product family: Ironstream
Product: Ironstream > Ironstream for Splunk®; Ironstream > Ironstream for Kafka®; Ironstream > Ironstream for Elastic®
Version: 7.4
Language: English
Product name: Ironstream Splunk®/Kafka®/Elastic®
Title: Ironstream for Splunk®/Kafka®/Elastic® for IBM i Ironstream Integration Components Administration
Copyright: 2022
First publish date: 2007
Last updated: 2023-08-25
Published on: 2023-08-28T08:26:48.055356

Before beginning these steps, ensure that both OpenSSL and Java SE are installed.

A keystore is a repository of the keys required by the broker. A keystore must be created for the Ironstream Proxy Server and trusted by the broker.

The keystore must be in the PKCS12 format and contain:

  • The certificate authority certificate configured for the broker.

  • A certificate signed by that certificate authority.

  • The private key for that certificate.

As described in the Kafka documentation, a keystore can be created by running this command:

keytool -keystore kafka.client.keystore.jks -alias localhost -keyalg RSA -genkey

Follow the prompts and create the keystore. When prompted for the Common Name, enter the fully-qualified domain name of the Windows/Linux system. (On some systems, the prompt may ask for First and Last name of the administrator.)

After the keystore has been created, run this command to make sure that it is in the PKCS12 format:

keytool -importkeystore -srckeystore kafka.client.keystore.jks -destkeystore kafka.client.keystore.jks -deststoretype pkcs12

From the newly-created keystore, a certificate signing request (CSR) should be created with this command:

keytool -keystore kafka.client.keystore.jks -alias localhost -certreq -file cert-file

This CSR should then be signed by the certificate authority created when configuring Kafka for TLS. This can be done with this command:

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days valid-days -CAcreateserial -passin pass:ca-password

Import both the certificate of the CA and the signed certificate into the keystore:

keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert

keytool -keystore kafka.client.keystore.jks -alias localhost -import -file cert-signed
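
To confirm that the finished keystore is in PKCS12 format and holds the three items listed at the top of this page, a check along these lines can be run with OpenSSL. This is an added example, not part of the Ironstream or Kafka documentation; the function name check_keystore, the KS_PASS environment variable and the return codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: check_keystore KEYSTORE CA_CERT
# The store password is read from the KS_PASS environment variable (an
# assumption of this example) so it never appears in the process list.
# Returns: 0 ok, 1 not readable as PKCS12 (or wrong password), 2 no private
# key, 3 key does not match the certificate, 4 certificate not signed by
# CA_CERT, 5 CA certificate missing from the keystore.
check_keystore() {
    ks=$1; ca=$2; rc=0
    tmp=$(mktemp -d) || return 1
    (
        set +e
        umask 077   # extracted key material stays private to this user
        # 1. The file must parse as PKCS12; a JKS-format file fails here.
        openssl pkcs12 -in "$ks" -passin env:KS_PASS -nokeys -clcerts \
            -out "$tmp/leaf.pem" 2>/dev/null || exit 1
        # 2. It must hold a private key.
        openssl pkcs12 -in "$ks" -passin env:KS_PASS -nocerts -nodes \
            -out "$tmp/key.pem" 2>/dev/null
        grep -q 'PRIVATE KEY' "$tmp/key.pem" 2>/dev/null || exit 2
        # 3. That key must belong to the end-entity certificate.
        kpub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
        cpub=$(openssl x509 -in "$tmp/leaf.pem" -pubkey -noout 2>/dev/null)
        { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } || exit 3
        # 4. The certificate must chain to the CA the broker is configured with.
        openssl verify -CAfile "$ca" "$tmp/leaf.pem" >/dev/null 2>&1 || exit 4
        # 5. The keystore must also carry the CA certificate: verify again
        #    using only the CA certificates extracted from the keystore.
        openssl pkcs12 -in "$ks" -passin env:KS_PASS -nokeys -cacerts \
            -out "$tmp/chain.pem" 2>/dev/null
        openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" \
            >/dev/null 2>&1 || exit 5
    ) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

On OpenSSL 3, a keystore written by an older Java release may use legacy PKCS12 ciphers, in which case the `openssl pkcs12` calls need the `-legacy` option.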