Skip to content

Stores Used by the Session Server

Identity certificates

As a convenience, the identity certificates for each type of server are available at the following locations, outside of their respective keystores mentioned below.

  • HACloud session server certificate - HACloud/sessionserver/etc/<computer-name>.cer

  • MSS certificate - MSS/server/etc/<computer-name>.cer

Session server keystore and truststore

The keystore and truststore used by the session server are described in the table below.

  • Location: HACloud/sessionserver/etc/

  • Type: bcfks (Bouncy Castle FIPS keystore)

  • Default password: changeit

Keystore Function
keystore.bcfks
  • Credential store for incoming TLS connections
  • Contains the certificate served up by the session server
  • Used for embedded web server (Jetty)
  • Created at start up
trustcerts.bcfks
  • Trust store for outgoing TLS connections
  • Used to verify the servers the session server connects to, such as MSS
  • Trust store for verifying incoming load balancer connections when using X.509 authentication through a load balancer
  • Created at start up

note

Trust for host emulation connections is managed by MSS. See Make a secure emulation connection to a trusted host

To change a keystore or truststore password

In HACloud/sessionserver/conf/container.properties, update these settings:

  • server.ssl.key-store-password

  • server.ssl.trust-store-password

For security reasons it is best to use an obfuscated password. To generate one, run the following command from the HACloud/sessionserver directory:

../java/jre/bin/java -cp ./lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password passwordToObfuscate