Products | Versions |
---|---|
TIBCO DataSynapse GridServer | 6.x, 7.x |
Steps for creating SSL certificates to be used on a Combo GridServer Manager (Director + Broker)
1. Create a temporary directory (such as /opt/mycerts) and execute the following commands within it.
2. Copy the cacerts file from the JDK to the file ssl.keystore:
cp $JAVA_HOME/jre/lib/security/cacerts ssl.keystore
If you have a signed certificate:
a) If your certificate is from a well-known CA whose root certificate is already in $JAVA_HOME/jre/lib/security/cacerts, it will be in ssl.keystore.
If it is not, add your CA’s root certificate to the ssl.keystore:
keytool -importcert -file CA_ROOT.crt -keystore ssl.keystore -alias CA_ROOT
b) If you have a signed certificate .pem file and the private .key file that was used to generate the certificate request, copy or rename them to server.crt and server.key respectively.
If you do not have a signed certificate, create server.key and server.crt:
openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout server.key -out server.crt
Import the new certificate (server.crt) into ssl.keystore:
keytool -importcert -file server.crt -keystore ssl.keystore -alias MySelfSigned -storepass changeit
3. Create a PKCS #12 format file that contains your keypair:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
4. Convert it to a JKS format keystore:
keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore server.keystore -deststoretype jks -deststorepass changeit
NOTE: '-srcstorepass' is the same password that was used to create the PKCS #12 format file in the previous step. The '-deststorepass' parameter is optional; if it is not specified, it defaults to the same password as '-srcstorepass'.
5. Copy the server.crt file to ssl.pem:
cp server.crt ssl.pem
6. Copy the files below to the GridServer Manager (GS_HOME referenced below refers to the GridServer installation directory):
cp server.crt server.key ssl.keystore server.keystore GS_HOME/manager-data/certs
cp ssl.keystore ssl.pem GS_HOME/manager-data/engineUpdate/shared
7. Edit the GS_HOME/manager-data/conf/server.xml file:
Comment out or remove the two connector elements for ports 8000 and 8080.
Uncomment the two connectors for ports 8443 and 8043.
Add SSLPassword="changeit" (or your keystore password value) to the 8043 and 8443 connectors.
8. If already installed, stop your Manager, open the GS_HOME/manager-data/conf/installation.properties file, and set DSConfigureOnStartup=true
9. Start the Manager, and perform a Manager Install. On the Local Configuration step, you will see your new HTTPS values. Make sure to enable SSL. Complete the install and restart the Manager.
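Steps 2 to 5 of the Manager procedure as an added shell script (not TIBCO's own code), run without interactive prompts and followed by the checks worth doing before anything is copied into GS_HOME; WORKDIR, CN and STOREPASS are constructed placeholders, openssl is assumed to be on the PATH, and the keytool steps are skipped when no JDK is available. It also handles the JDK 9+ cacerts location, which the page does not mention.

```shell
#!/bin/sh
# Added example, not TIBCO's own script: steps 2-5 of the Manager procedure
# run non-interactively, then checks worth doing before copying to GS_HOME.
# WORKDIR, CN and STOREPASS are constructed placeholder values.
set -e
WORKDIR="${WORKDIR:-/tmp/gs-certs}"           # the page uses /opt/mycerts
CN="${CN:-gsmanager.example.invalid}"          # use the Manager's real hostname
STOREPASS="${STOREPASS:-changeit}"             # must match SSLPassword in server.xml

# Subshell body, so the cd does not leak into the caller.
build_certs() (
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  # Step 2 (no signed certificate): self-signed key pair; -subj skips the prompts.
  openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 \
    -keyout server.key -out server.crt -subj "/CN=$CN" 2>/dev/null
  # Step 3: PKCS#12 bundle; -passout keeps it non-interactive.
  openssl pkcs12 -export -in server.crt -inkey server.key \
    -out server.pkcs12 -passout "pass:$STOREPASS"
  # Step 5: the Engine-side trust file is just the certificate in PEM form.
  cp server.crt ssl.pem
  # Truststore (step 2) and JKS keystore (step 4) need keytool from the JDK.
  if [ -n "$JAVA_HOME" ] && command -v keytool >/dev/null 2>&1; then
    CACERTS="$JAVA_HOME/jre/lib/security/cacerts"                   # JDK 8 layout
    [ -f "$CACERTS" ] || CACERTS="$JAVA_HOME/lib/security/cacerts"   # JDK 9+: no jre/
    cp "$CACERTS" ssl.keystore
    keytool -importcert -noprompt -file server.crt -keystore ssl.keystore \
      -alias MySelfSigned -storepass changeit
    keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 \
      -srcstorepass "$STOREPASS" -destkeystore server.keystore \
      -deststoretype jks -deststorepass "$STOREPASS"
  else
    echo "keytool not found: ssl.keystore and server.keystore not built" >&2
  fi
)

# Prints "ok" only if key and certificate belong together, the PKCS#12 opens
# with STOREPASS, ssl.pem is a copy of server.crt and >30 days remain.
check_certs() (
  cd "$WORKDIR"
  key_mod=$(openssl rsa -noout -modulus -in server.key | openssl sha256)
  crt_mod=$(openssl x509 -noout -modulus -in server.crt | openssl sha256)
  [ "$key_mod" = "$crt_mod" ] || { echo "key/cert mismatch" >&2; return 1; }
  openssl pkcs12 -in server.pkcs12 -noout -passin "pass:$STOREPASS" 2>/dev/null
  cmp -s server.crt ssl.pem
  openssl x509 -in server.crt -noout -checkend 2592000 >/dev/null
  echo ok
)

if [ "${1:-}" = "run" ]; then build_certs && check_certs; fi
```

Run it as `sh build-certs.sh run`; the files it leaves in WORKDIR are the ones steps 6 and 7 copy to the Manager and reference from server.xml.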
Steps for enabling SSL on GridServer Engines:
Note: If Engines are already running, stop them before performing the steps below:
1. Untar the Engine installer.
2. a) If you are configuring a grid that has a Primary Director and Broker, copy the Broker's ssl.keystore and ssl.pem to the datasynapse/engine folder.
b) If you are configuring a grid with a Primary Director→Secondary Director→Standalone Broker→Failover Broker, copy the ssl.keystore and ssl.pem created on the Failover Broker to the datasynapse/engine folder.
3. Configure the Engine using the below command:
./configure.sh -s director_hostname:8043 -l y
4. Start the Engines.
Note: To enable SSL for any existing Engine installation, stop the Engine, delete the 'data' and 'profile' directories (make a backup first), copy ssl.keystore and ssl.pem to the datasynapse/engine folder as described in step 2 above, configure the Engine with the -l option, and start the Engine.