Configuring VHI Web Server with CA Signed Certificate in Customized Keystore

  • 7024812
  • 11-Sep-2020
  • 22-Sep-2020

Environment

Verastream Host Integrator 7.7 and later
Windows operating system
Linux operating system

Situation

Verastream Host Integrator's default install uses a self-signed certificate in the web server keystore. A customer may want to replace it with a certificate signed by an internal or public CA.

These instructions cover the steps required to convert a PKCS12 keystore to a Bouncy Castle keystore and configure it so Verastream Host Integrator can use the new keystore.

Resolution

Requirements:

The keystore to be used is a PKCS12 keystore that has already been created, with all necessary CA certificates imported into it.

The keystore and private key need to have the same password.

A copy of the root CA public certificate used to sign the new certificate, saved as a file on disk.

KeyStore Explorer 5.4.3 or later - https://keystore-explorer.org/downloads.html

OpenJDK 14 or later - https://jdk.java.net/14/

Guidelines:

It is best to install KeyStore Explorer and modify the keystore on the workstation or server where you plan to run Verastream Host Integrator (VHI). If that is not possible KeyStore Explorer can be installed on another workstation and the keystore can be copied to the VHI server.

Modifying the VHI Web Server to use the custom keystore:

1. Stop the VHI Web Server.

2. Install KeyStore Explorer 5.4.3 or later.

3. Extract the JDK 14 to a directory.

4. Create a directory called “jre”.

5. Copy the contents (bin, conf, include, jmods, legal, and lib) of the extracted JDK to the “jre” directory.

6. Copy the “jre” directory to the root directory of KeyStore Explorer.

7. Create a working directory on your machine to modify the keystore.

8. Copy the PKCS12 keystore that will be used by the web server into the working directory.

9. Run KeyStore Explorer.

10. Open the PKCS12 keystore.

11. Enter the keystore password and select “OK”.

12. Select ‘Tools/Change KeyStore Type/BCFKS’.

13. Enter the keystore password and select “OK”.

14. Select ‘File/Save As’.

15. Enter the keystore filename you would like to use (e.g. vhiws.bcfks), using the .bcfks extension. Do not save the keystore with the filename “servletcontainer.bcfks”.

16. Select “Save” to save the file.

17. You are now working in the keystore of type BCFKS with extension of .bcfks.

18. Right click on the key pair entry and select “Rename”. You may receive a password request for the key pair. Enter the password and select OK.

19. Enter the name “servlet-engine” and select “OK”.

20. Select ‘File/Save’ to save the keystore.

21. Select ‘Tools/Import Trusted Certificate’.

22. Browse to the location where the root CA certificate file is stored, select the certificate and then “Open”. You may receive a password request for the keystore. Enter the password and select OK.

23. Enter the alias “trust-anchor” on the next screen, then click “OK” and “OK” again to dismiss the successful import dialog.

24. Your keystore should now contain two entries: the key pair aliased “servlet-engine” and the trusted certificate aliased “trust-anchor”.

25. Save the keystore.

26. Copy the new keystore to the %VHI_HOME%/HostIntegrator/servletengine/etc directory.

27. Change directory to the %VHI_HOME%/HostIntegrator/servletengine/conf directory.

28. Back up the file “container.properties” by copying it to another directory.

29. Edit the “container.properties†in the “conf†directory.

30. Add the following three lines to the end of the file:

servletengine.ssl.keystore=../etc/vhiws.bcfks
servletengine.ssl.keystoretype=BCFKS
servletengine.ssl.keystorepassword=YourPasswordHere

Note: If you want the password obfuscated, follow the Jetty instructions here: https://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html

31. Save the file.

32. Start the VHI Web Server and test your application.
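The edit to container.properties in steps 26 to 31, as an added Python example that is not part of this KB article or of the VHI product: it checks the keystore name and location against the rules given above (a bare file name with the .bcfks extension, placed in the etc directory next to conf, and not the product's default keystore name that step 15 says not to reuse), backs up container.properties, and writes the three servletengine.ssl.* lines so that a second run replaces them instead of appending duplicates. The directory layout it builds under a temporary directory is a constructed stand-in for %VHI_HOME%/HostIntegrator/servletengine, the placeholder keystore file is not a real BCFKS keystore, and the function names are my own.

```python
"""Apply the servletengine.ssl.* settings to container.properties.

Added example, not the KB article's or the VHI product's own code. It uses
only the standard library; paths and function names are assumptions.
"""
import shutil
import tempfile
from pathlib import Path

# The product's default web server keystore; step 15 says not to reuse this name.
RESERVED_KEYSTORE_NAME = "servletcontainer.bcfks"

# The three keys the article adds at the end of container.properties.
SSL_KEYS = (
    "servletengine.ssl.keystore",
    "servletengine.ssl.keystoretype",
    "servletengine.ssl.keystorepassword",
)


def is_valid_keystore_name(name):
    """True when name is a bare .bcfks file name other than the reserved default."""
    if not name or Path(name).name != name:      # reject paths, keep bare names
        return False
    lowered = name.lower()
    return lowered.endswith(".bcfks") and lowered != RESERVED_KEYSTORE_NAME


def build_ssl_settings(conf_dir, keystore_name, password):
    """Return the key=value pairs after checking the keystore is where expected.

    conf_dir is .../HostIntegrator/servletengine/conf; the keystore must sit in
    the sibling etc directory and is referenced relatively (../etc/<name>), as
    in step 30.
    """
    conf_dir = Path(conf_dir)
    if not is_valid_keystore_name(keystore_name):
        raise ValueError(f"invalid keystore name: {keystore_name!r}")
    keystore_path = conf_dir.parent / "etc" / keystore_name
    if not keystore_path.is_file():
        raise FileNotFoundError(f"keystore not found: {keystore_path}")
    if not password:
        raise ValueError("keystore password must not be empty")
    return {
        "servletengine.ssl.keystore": f"../etc/{keystore_name}",
        "servletengine.ssl.keystoretype": "BCFKS",
        "servletengine.ssl.keystorepassword": password,
    }


def apply_ssl_settings(conf_dir, keystore_name, password):
    """Back up container.properties (step 28) and write the settings (step 30).

    Existing servletengine.ssl.* lines are dropped before the new ones are
    appended, so re-running does not leave conflicting entries. Returns the
    backup path.
    """
    settings = build_ssl_settings(conf_dir, keystore_name, password)
    props = Path(conf_dir) / "container.properties"
    backup = Path(conf_dir).parent / "container.properties.bak"   # another directory
    shutil.copy2(props, backup)

    kept = []
    for line in props.read_text(encoding="utf-8").splitlines():
        key = line.split("=", 1)[0].strip()
        if key not in SSL_KEYS:                  # keep every non-ssl line untouched
            kept.append(line)
    kept.extend(f"{k}={v}" for k, v in settings.items())
    props.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return backup


def read_properties(path):
    """Minimal key=value parser; blank lines and #/! comments are ignored."""
    result = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        result[key.strip()] = value.strip()
    return result


def demo():
    """Build a constructed servletengine layout, apply the settings twice, and
    return (parsed properties, number of servletengine.ssl.* lines in the file)."""
    with tempfile.TemporaryDirectory() as root:
        engine = Path(root) / "HostIntegrator" / "servletengine"
        conf, etc = engine / "conf", engine / "etc"
        conf.mkdir(parents=True)
        etc.mkdir(parents=True)
        (etc / "vhiws.bcfks").write_bytes(b"placeholder, not a real keystore")
        (conf / "container.properties").write_text(
            "# constructed sample\nservletengine.port=9680\n", encoding="utf-8")
        for _ in range(2):                       # second run must not duplicate lines
            apply_ssl_settings(conf, "vhiws.bcfks", "YourPasswordHere")
        raw = (conf / "container.properties").read_text(encoding="utf-8")
        ssl_lines = sum(1 for l in raw.splitlines() if l.startswith("servletengine.ssl."))
        return read_properties(conf / "container.properties"), ssl_lines


if __name__ == "__main__":
    print(demo())
```

The password still lands in the file in clear text, exactly as in step 30; the Jetty obfuscation note above applies unchanged to the value this code writes.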

Additional Information

For configuring VHI Session Server, see KB 7024832.