Summary
Question
Use the procedure below to renew RTSM certificates on port 8443.
Answer
- Consolidate the .cer and .key files into a .pfx file (a PKCS12 container). openssl is located in [HPBSM home dir]\WebServer\bin; use "hppass" for all passwords:
openssl pkcs12 -export -in "C:\svlbsmgw01.cer" -inkey "C:\svlbsmgw01.key" -out "C:\svlbsmgw01.pfx"
- Convert the .pfx you now have into a JKS server.keystore. keytool is located in [HPBSM home dir]\JRE\bin; use "hppass" for all passwords:
keytool -importkeystore -srckeystore "C:\svlbsmgw01.pfx" -srcstoretype PKCS12 -deststoretype JKS -destkeystore c:\server.keystore
You should get the following output:
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias "1" successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
- Change the alias name from "1" to "hpcert":
keytool -changealias -keystore c:\server.keystore -alias 1 -destalias hpcert
- Optional: if the original password of the private key was different from hppass, change it with the following command (in this procedure the keystore is c:\server.keystore and the alias is hpcert):
keytool -keypasswd -keystore my.keystore -alias my_name
- Run the following to verify the alias name:
keytool -v -list -keystore c:\server.keystore
You should get the following output:
C:\HPBSM\JRE\bin>keytool -v -list -keystore c:\server.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: hpcert
Creation date: Feb 17, 2016
Entry type: PrivateKeyEntry
- Import the Root CA certificate into the RTSM server.truststore:
keytool.exe -importcert -file c:\BSM-GW-rootcert.cer -keystore "[HPBSM home dir]\odb\conf\security\server.truststore" -storepass hppass
- Stop BSM.
- Go to [HPBSM home dir]\odb\conf\security
- Back up the existing server.keystore.
- Replace the old server.keystore with the new one created earlier.
- Add the following line at the bottom of the java.security file in both JREs (java.security is a Java properties file, so if it already defines jdk.tls.disabledAlgorithms, the line added at the bottom takes precedence):
  [HPBSM home dir]\JRE64\lib\security\java.security
  [HPBSM home dir]\JRE\lib\security\java.security
jdk.tls.disabledAlgorithms=MD5, DSA, RC4, SHA1, SSLv3, RSA keySize < 2048
- Start BSM/OMi.
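The whole procedure above, automated as one PowerShell script with the checks and backups a practitioner would want: it fails on any openssl/keytool error, verifies the alias and entry type before the live keystore is touched, keeps timestamped backups, and appends the java.security line only once. This is an added example, not part of the original KB article or of the product; it assumes [HPBSM home dir] is C:\HPBSM, uses the article's file names (svlbsmgw01.cer/.key, BSM-GW-rootcert.cer) and its "hppass" password, and picks the truststore alias "bsm-gw-rootca" itself (the article's command leaves keytool's default alias). Run it from an elevated prompt after stopping BSM, and start BSM/OMi afterwards, as the article says.

```powershell
# Added example (not from the KB article or the product): runs the keystore steps
# above with checks and backups. Run AFTER stopping BSM; start BSM/OMi afterwards.
# Assumptions: HPBSM home C:\HPBSM, certificate files named after the article's
# host svlbsmgw01, password "hppass" everywhere, and alias "bsm-gw-rootca" for the
# truststore entry (chosen here; the article's command uses keytool's default alias).

$HpbsmHome  = 'C:\HPBSM'                                   # [HPBSM home dir]
$OpenSsl    = Join-Path $HpbsmHome 'WebServer\bin\openssl.exe'
$Keytool    = Join-Path $HpbsmHome 'JRE\bin\keytool.exe'
$Pass       = 'hppass'
$Name       = 'svlbsmgw01'
$Cer        = "C:\$Name.cer"
$Key        = "C:\$Name.key"
$Pfx        = "C:\$Name.pfx"
$NewStore   = 'C:\server.keystore'
$RootCa     = 'C:\BSM-GW-rootcert.cer'
$SecDir     = Join-Path $HpbsmHome 'odb\conf\security'
$LiveStore  = Join-Path $SecDir 'server.keystore'
$Truststore = Join-Path $SecDir 'server.truststore'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

function Invoke-Tool {
    # Runs openssl/keytool, returns its output, and throws on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgList)
    $out = & $Exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

# 1. .cer + .key -> PKCS12 (.pfx). -passout avoids the interactive export-password prompt.
Invoke-Tool $OpenSsl @('pkcs12','-export','-in',$Cer,'-inkey',$Key,'-out',$Pfx,'-passout',"pass:$Pass") | Out-Null

# 2. PKCS12 -> JKS, into a fresh file so a stale keystore is never reused.
if (Test-Path $NewStore) { Remove-Item $NewStore -Force }
Invoke-Tool $Keytool @('-importkeystore','-srckeystore',$Pfx,'-srcstoretype','PKCS12','-srcstorepass',$Pass,
                       '-destkeystore',$NewStore,'-deststoretype','JKS','-deststorepass',$Pass) | Out-Null

# 3. Rename the imported alias "1" to "hpcert".
Invoke-Tool $Keytool @('-changealias','-keystore',$NewStore,'-storepass',$Pass,
                       '-alias','1','-destalias','hpcert','-keypass',$Pass) | Out-Null

# 4. Verify before touching the live keystore: exactly one entry, alias hpcert, private key entry.
$listing = Invoke-Tool $Keytool @('-v','-list','-keystore',$NewStore,'-storepass',$Pass)
foreach ($expected in 'Your keystore contains 1 entry', 'Alias name: hpcert', 'Entry type: PrivateKeyEntry') {
    if (-not ($listing -match [regex]::Escape($expected))) {
        throw "verification failed: '$expected' not found in keytool -v -list output"
    }
}
# Step 7 adds SHA1 to jdk.tls.disabledAlgorithms, so flag a SHA1-signed certificate for review.
if ($listing -match 'Signature algorithm name:.*SHA1') {
    Write-Warning 'certificate is SHA1-signed; check it against the SHA1 entry in the jdk.tls.disabledAlgorithms line'
}

# 5. Import the Root CA into the RTSM truststore (-noprompt skips the "Trust this certificate?" question).
Invoke-Tool $Keytool @('-importcert','-noprompt','-alias','bsm-gw-rootca','-file',$RootCa,
                       '-keystore',$Truststore,'-storepass',$Pass) | Out-Null

# 6. Back up the live keystore with a timestamp, then replace it (BSM must be stopped).
Copy-Item $LiveStore "$LiveStore.$Stamp.bak" -ErrorAction Stop
Copy-Item $NewStore $LiveStore -Force -ErrorAction Stop

# 7. Append the TLS hardening line to java.security in both JREs. The file is a Java
# properties file, so the last definition of a key wins; append only if not already present.
$Line = 'jdk.tls.disabledAlgorithms=MD5, DSA, RC4, SHA1, SSLv3, RSA keySize < 2048'
foreach ($jre in 'JRE64', 'JRE') {
    $file  = Join-Path $HpbsmHome "$jre\lib\security\java.security"
    $lines = Get-Content $file
    if ($lines -contains $Line) { Write-Host "$file already contains the line, skipping"; continue }
    if ($lines -match '^\s*jdk\.tls\.disabledAlgorithms\s*=') {
        Write-Warning "$file already defines jdk.tls.disabledAlgorithms; the appended line overrides it"
    }
    Copy-Item $file "$file.$Stamp.bak" -ErrorAction Stop
    $raw    = Get-Content $file -Raw
    $prefix = if ($raw.EndsWith("`n")) { '' } else { "`r`n" }   # do not glue onto an unterminated last line
    Add-Content -Path $file -Value ($prefix + $Line) -Encoding Ascii
}
Write-Host 'Keystore, truststore and java.security updated. Start BSM/OMi now.'
```

Passing -storepass and -passout on the command line makes the password visible in process listings and in the PowerShell history; the fixed "hppass" value comes from the article, and the script keeps it so that the result matches the manual procedure. The exit-code check in Invoke-Tool matters because keytool prints a readable message but still returns non-zero when an alias already exists or a password is wrong, which is easy to miss when the commands are typed one at a time.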