Environment
Situation
This article extends information presented in Verastream Host Integrator documentation. The updated "Bouncy Castle" security components included with Verastream Host Integrator 7.7 Service Pack 1 require a different keystore management procedure than previously documented.
Resolution
To use a CA-signed certificate in Host Integrator Web services
NOTE: These steps add your certificate to the Web Server default keystore (servletcontainer.bcfks) with default keystore password (not-secure). To configure VHI Web Server to use a different keystore password and/or destination keystore, see KB 7024812.
1. First use Windows Certificate Manager "certmgr.msc" to export the certificate to .pfx format. When exporting you MUST use "not-secure" as the password.
2. List the certificate to get the certificate alias:
C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool -v -list -storetype pkcs12 -keystore FULL_PATH_AND_NAME_OF_YOUR_CERT.PFX
The alias will be a GUID that looks like this: {79a88f65-b59e-4615-a5a4-338ea1a74906}
3. Import the certificate into the Java keystore for the VHI session server. Run this command "as administrator" (this example command is all one line):
"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -importkeystore -srcalias YOUR_CERT_ALIAS -srckeystore FULL_PATH_AND_NAME_OF_YOUR_CERT.PFX -srcstoretype pkcs12 -destkeystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\sesssrvr\etc\server.bcfks" -destalias server-container -deststoretype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -deststorepass not-secure -destkeypass not-secure
NOTE: answer “YES” when prompted to overwrite.
4. Optionally, list the keystore for the VHI sesssvr to verify the certificate was added:
"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -list -keystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\sesssrvr\etc\server.bcfks" -v -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -storepass not-secure
5. Restart the Verastream Host Integrator Session Server.
To use a CA-signed certificate in the Host Integrator Web server
NOTE: These steps add your certificate to the Session Server default keystore (server.bcfks) with default keystore password (not-secure). To configure VHI Session Server to use a different keystore password and/or destination keystore, see KB 7024832.
Note: steps 1 and 2 above must be completed first.
3. Import the certificate into the Java keystore for the VHI web server. Run this command "as administrator" (this example command is all one line):
"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -importkeystore -srcalias YOUR_CERT_ALIAS -srckeystore FULL_PATH_AND_NAME_OF_YOUR_CERT.PFX -srcstoretype pkcs12 -destkeystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\servletengine\etc\servletcontainer.bcfks" -destalias servlet-engine -deststoretype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -deststorepass not-secure -destkeypass not-secure
NOTE: answer “YES” when prompted to overwrite.
4. Optionally, list the keystore for the VHI servlet engine to verify the certificate was added:
"C:\PROGRA~1\Attachmate\Verastream\java\jdk1.8.0_162-64\bin\keytool" -list -keystore "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\servletengine\etc\servletcontainer.bcfks" -v -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\PROGRA~1\Attachmate\Verastream\HostIntegrator\lib\java\bc-fips-1.0.1.jar" -storepass not-secure
5. Restart the Verastream Host Integrator Web Server.
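The optional verification in step 4 of both procedures, as an added PowerShell example that is not part of the original article: it lists each destination alias and checks that it is a private-key entry whose first certificate is not self-signed. It assumes the paths, aliases and default password shown above and English keytool output; Test-VhiKeystoreEntry is a hypothetical helper name.

```powershell
# Added example: confirm each VHI keystore holds the imported CA-signed key pair.
# Paths, aliases and the default password are the ones used in the steps above.
$vhi     = 'C:\PROGRA~1\Attachmate\Verastream'
$keytool = "$vhi\java\jdk1.8.0_162-64\bin\keytool.exe"
$bcJar   = "$vhi\HostIntegrator\lib\java\bc-fips-1.0.1.jar"

$targets = @(
    @{ Name  = 'Session Server'; Alias = 'server-container'
       Store = "$vhi\HostIntegrator\sesssrvr\etc\server.bcfks" },
    @{ Name  = 'Web Server'; Alias = 'servlet-engine'
       Store = "$vhi\HostIntegrator\servletengine\etc\servletcontainer.bcfks" }
)

# Hypothetical helper: runs "keytool -list -v" for one alias and parses the result.
function Test-VhiKeystoreEntry {
    param([string]$Name, [string]$Alias, [string]$Store)

    $ktArgs = @('-list', '-v', '-alias', $Alias, '-keystore', $Store,
                '-storetype', 'bcfks', '-providername', 'BCFIPS',
                '-providerclass', 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
                '-providerpath', $bcJar, '-storepass', 'not-secure')
    $out = & $keytool @ktArgs | Out-String
    if ($LASTEXITCODE -ne 0) {
        # Missing alias, wrong password or unreadable keystore all land here.
        return [pscustomobject]@{ Component = $Name; Alias = $Alias; Ok = $false
                                  Detail = $out.Trim() }
    }

    # The first match of each field belongs to Certificate[1], the leaf certificate.
    $field = { param($pattern) [regex]::Match($out, $pattern).Groups[1].Value }
    $type   = & $field '(?m)^Entry type:\s*(.+?)\s*$'
    $chain  = & $field '(?m)^Certificate chain length:\s*(\d+)'
    $owner  = & $field '(?m)^Owner:\s*(.+?)\s*$'
    $issuer = & $field '(?m)^Issuer:\s*(.+?)\s*$'
    $until  = & $field '(?m)^Valid from:.*until:\s*(.+?)\s*$'

    # A CA-signed leaf has an issuer that differs from its owner (subject).
    $selfSigned = ($owner -eq $issuer)
    [pscustomobject]@{
        Component = $Name; Alias = $Alias
        Ok        = ($type -eq 'PrivateKeyEntry' -and -not $selfSigned)
        Detail    = "type=$type chain=$chain selfSigned=$selfSigned until=$until"
    }
}

foreach ($t in $targets) { Test-VhiKeystoreEntry @t } | Format-List
```

An `Ok` value of `False` with `selfSigned=True` means the alias still holds a self-signed certificate rather than the imported CA-signed one.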