Using Custom Keystores and Certificates

  • 7022799
  • 29-Mar-2018
  • 22-Sep-2020

Environment

Verastream Host Integrator 7.7 Service Pack 1

Situation

This article extends the information presented in the Verastream Host Integrator documentation. The updated Bouncy Castle security components included with Verastream Host Integrator 7.7 Service Pack 1 require a different procedure for keystore management than previously documented.

Resolution

To use a CA-signed certificate in Host Integrator Web services

NOTE: These steps add your certificate to the Web Server default keystore (servletcontainer.bcfks) with default keystore password (not-secure). To configure VHI Web Server to use a different keystore password and/or destination keystore, see KB 7024812.

1. First use Windows Certificate Manager "certmgr.msc" to export the certificate to .pfx format. When exporting you MUST use "not-secure" as the password.

2. List the certificate to get the certificate alias:

C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool -v -list -storetype pkcs12 -keystore FULL_PATH_AND_NAME_OF_YOUR_CERT.PFX

The alias will be a GUID that looks like this: {79a88f65-b59e-4615-a5a4-338ea1a74906}

3. Import the certificate into the Java keystore for the VHI session server. Run this command "as administrator" (this example command is all one line):

"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -importkeystore -srcalias YOUR_CERT_ALIAS -srckeystore FULL_PATH_AND_NAME_OF_YOUR_CERT.PFX -srcstoretype pkcs12 -destkeystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\sesssrvr\etc\server.bcfks" -destalias server-container -deststoretype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -deststorepass not-secure -destkeypass not-secure

NOTE: Answer “YES” when prompted to overwrite.

4. Optionally, list the keystore for the VHI session server to verify the certificate was added:

"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -list -keystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\sesssrvr\etc\server.bcfks" -v -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -storepass not-secure

5. Restart the Verastream Host Integrator Session Server.

To use a CA-signed certificate in the Host Integrator Web server

NOTE: These steps add your certificate to the Session Server default keystore (server.bcfks) with default keystore password (not-secure). To configure VHI Session Server to use a different keystore password and/or destination keystore, see KB 7024832.

Note: steps 1 and 2 above must be completed first.

3. Import the certificate into the Java keystore for the VHI web server. Run this command "as administrator" (this example command is all one line):

"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -importkeystore -srcalias YOUR_CERT_ALIAS -srckeystore FULL_PATH_AND_NAME_OF_YOUR_CERT.PFX -srcstoretype pkcs12 -destkeystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\servletengine\etc\servletcontainer.bcfks" -destalias servlet-engine -deststoretype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -deststorepass not-secure -destkeypass not-secure

NOTE: Answer “YES” when prompted to overwrite.

4. Optionally, list the keystore for the VHI servlet engine to verify the certificate was added:

"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -list -keystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\servletengine\etc\servletcontainer.bcfks" -v -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -storepass not-secure

5. Restart the Verastream Host Integrator Web Server.
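
The optional step 4 listing in both procedures can be checked mechanically instead of by eye. The PowerShell below is an added example, not part of the original article or the vendor's tooling: it confirms that the destination alias (server-container or servlet-engine) is a private-key entry and that its leaf certificate is not self-signed. The function name Test-KeytoolEntry and the sample listing are constructed for illustration, and the parser assumes the standard field labels that keytool prints with -list -v.

```powershell
# Added example, not vendor code. Test-KeytoolEntry is a hypothetical helper name.
function Test-KeytoolEntry {
    param(
        [Parameter(Mandatory)] [string] $ListingText,  # text of "keytool -list -v"
        [Parameter(Mandatory)] [string] $Alias         # server-container or servlet-engine
    )
    # One block per keystore entry; the header before the first alias is dropped.
    $blocks = $ListingText -split '(?m)^(?=Alias name: )' |
        Where-Object { $_ -match '^Alias name: ' }
    $entry = $blocks | Where-Object {
        $_ -match '(?m)^Alias name: (.+?)\s*$' -and $Matches[1] -eq $Alias
    } | Select-Object -First 1
    if (-not $entry) {
        return [pscustomobject]@{ Alias = $Alias; Ok = $false; Reason = 'alias not found' }
    }
    $type   = if ($entry -match '(?m)^Entry type: (\S+)') { $Matches[1] }
    $length = if ($entry -match '(?m)^Certificate chain length: (\d+)') { [int]$Matches[1] } else { 0 }
    # The first Owner/Issuer pair in a block belongs to Certificate[1], the leaf.
    $owner  = if ($entry -match '(?m)^Owner: (.+?)\s*$')  { $Matches[1] }
    $issuer = if ($entry -match '(?m)^Issuer: (.+?)\s*$') { $Matches[1] }
    $reason = $null
    if ($type -ne 'PrivateKeyEntry') { $reason = "entry type '$type' holds no private key" }
    elseif ($owner -eq $issuer)      { $reason = 'leaf certificate is self-signed' }
    [pscustomobject]@{
        Alias = $Alias; EntryType = $type; ChainLength = $length
        Owner = $owner; Issuer = $issuer; Ok = -not $reason; Reason = $reason
    }
}
# Constructed sample listing (not output from a real VHI installation).
$sample = @'
Keystore type: BCFKS

Alias name: server-container
Creation date: Mar 29, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vhi.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
'@
Test-KeytoolEntry -ListingText $sample -Alias 'server-container'
Test-KeytoolEntry -ListingText $sample -Alias 'servlet-engine'   # alias absent in this sample
```

To check a live keystore, pipe the output of the step 4 command through Out-String and pass the result as -ListingText.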