The keystore that will be used is a PKCS12 keystore and has already been created with all necessary CAs imported into the keystore.
The keystore and private key need to have the same password.
A copy of the root CA public cert that is used to sign the new cert, saved as a file on disk.
KeyStore Explorer 5.4.3 or later - https://keystore-explorer.org/downloads.html
OpenJDK 14 or later - https://jdk.java.net/14/
It is best to install KeyStore Explorer and modify the keystore on the workstation or server where you plan to run Verastream Host Integrator (VHI). If that is not possible, KeyStore Explorer can be installed on another workstation and the keystore can then be copied to the VHI server.
Modifying the VHI Session Server to use a custom configuration:
1. Stop the VHI Web Server.
2. Install KeyStore Explorer 5.4.3 or later.
3. Extract the JDK 14 to a directory.
4. Create a directory called "jre".
5. Copy the contents (bin, conf, include, jmods, legal, and lib) of the extracted JDK to the "jre" directory.
6. Copy the "jre" directory to the root directory of KeyStore Explorer.
7. Create a working directory on your machine to modify the keystore.
8. Copy the PKCS12 keystore that will be used by the web server into the working directory.
9. Run KeyStore Explorer.
10. Open the PKCS12 keystore.
11. Enter the keystore password and select "OK".
12. Select "Tools/Change KeyStore Type/BCFKS".
13. Enter the keystore password and select "OK".
14. Select "File/Save As".
15. Enter the keystore filename you would like to use (e.g. vhiws.bcfks), making sure it has an extension of .bcfks. Do not save the keystore with the filename "servletcontainer.bcfks".
16. Select "save" to save the file.
17. You are now working in the keystore of type BCFKS with extension of .bcfks.
18. Right click on the keypair entry and select "Rename". You may receive a password request for the keypair. Enter the password and select OK.
19. Enter the name "servlet-engine" and select "OK".
20. Select "File/Save" to save the keystore.
21. Select "Tools/Import Trusted Certificate".
22. Browse to the location where the root CA certificate file is stored and select the certificate and then "Open". You may receive a password request for the keystore. Enter the password and select OK.
23. Enter the alias of "trust-anchor" on the next screen and then click "OK" and "OK" again to dismiss the successful import dialog.
24. Your keystore should now look like this:
25. Save the keystore.
26. Copy the new keystore to the %VHI_HOME%/HostIntegrator/servletengine/etc directory.
27. Change directory to the %VHI_HOME%/HostIntegrator/servletengine/conf directory.
28. Back up the file "container.properties" by copying it to another directory.
29. Edit the "container.properties" file in the "conf" directory.
30. Add the following three lines to the end of the file:
servletengine.ssl.keystore=../etc/vhiws.bcfks
Note: If you want the password obfuscated you will need to follow the Jetty instructions here: https://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
31. Save the file.
32. Start the VHI Session Server and test your application.
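
A pre-flight check for steps 26 to 31 that can be run before restarting the server, given here as an added example that is not part of the original article or any vendor tooling. It assumes a Unix-like VHI host and that a relative keystore path resolves from the conf directory; the function name check_vhi_keystore_conf and the world-readable test are additions, not steps from the procedure.

```shell
#!/bin/sh
# Added example, not vendor code: checks the keystore reference in container.properties.
# Assumption: a relative path resolves from conf, the sibling of etc ("../etc/...").
check_vhi_keystore_conf() {
    conf_dir=$1
    props="$conf_dir/container.properties"
    [ -f "$props" ] || { echo "missing: $props"; return 2; }

    # Java properties: the last assignment wins. Strip CR from CRLF-edited files.
    value=$(tr -d '\r' < "$props" |
        sed -n 's/^[[:space:]]*servletengine\.ssl\.keystore[[:space:]]*[=:][[:space:]]*//p' |
        tail -n 1)
    if [ -z "$value" ]; then
        echo "servletengine.ssl.keystore is not set"; return 1
    fi

    rc=0
    case $value in
        *.bcfks) ;;
        *) echo "keystore '$value' does not end in .bcfks"; rc=1 ;;
    esac
    # Step 15 reserves this filename.
    if [ "$(basename "$value")" = "servletcontainer.bcfks" ]; then
        echo "keystore must not be named servletcontainer.bcfks"; rc=1
    fi

    case $value in
        /*) path=$value ;;
        *)  path="$conf_dir/$value" ;;
    esac
    if [ ! -f "$path" ]; then
        echo "keystore file not found: $path"; rc=1
    # Added hardening check (not a step on the page): the keystore holds the
    # server's private key, so other local users should not be able to read it.
    elif [ -n "$(find "$path" -prune -perm -004)" ]; then
        echo "keystore is world-readable: $path"; rc=1
    fi
    return $rc
}

# Usage: sh check.sh "$VHI_HOME/HostIntegrator/servletengine/conf"
if [ "$#" -ge 1 ]; then
    check_vhi_keystore_conf "$1"
fi
```

A return value of 0 means the keystore line points at an existing, non-world-readable .bcfks file; any other value is accompanied by one message per problem found.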