Skip to content

Trusted Certificates

The Certificate Store contains the certificates that are trusted by the terminal emulator client and the Management and Security Server.

Note

When using Clustering, any changes made to the certificate stores (+IMPORT or DELETE certificates) will be replicated to the other MSS servers in the cluster. You do not need to repeat the process on each MSS server.

Select Terminal Emulator Clients or Management and Security Server to filter the view of trusted certificates.

Certificate Store - Terminal Emulator Clients

Clients that make a TLS connection to a host or Security Proxy must trust the host or proxy certificate. This panel presents a list of root certificates trusted by the terminal emulator applet.

The table lists the certificates that have been imported to the terminal emulator applet's trusted list. To view details about the certificate, click the certificate's Friendly name.

To add a client certificate to the MSS trust store:

  1. With Terminal Emulator Clients selected, click +IMPORT.

  2. Click UPLOAD. Select the file containing the certificate to upload to the MSS Administrative Server.

  3. Enter the Keystore file name, Keystore password, and Friendly name.

  4. Click IMPORT to add the certificate.

  5. Restart the MSS Administrative Server.

See Trusted Root Certificate Authorities (collapsed by default).

Certificate Store - Management and Security Server

This collection of certificates includes CA certificates used to authenticate X.509 clients and to establish other servers as known and trusted to the Management and Security Server. To view details, click the certificate's Friendly name.

This collection is used for the following features:

  • X.509 with Fallback to LDAP authentication: Add CA certificate(s) needed to authenticate end-user certificates, such as a certificate stored on a smart card.

    For these features, certificates are added to establish the other server as known and trusted.

  • Automated Sign-On for Mainframe: Add a certificate(s) to establish trust of a Mainframe host.

  • Micro Focus Advanced Authentication (MFAA): Add certificate(s) to trust the MFAA host.

Server certificates from other servers should be included in this certificate collection.

To add a server certificate to the MSS trust store:

  1. With Management and Security Server selected, click +IMPORT.

  2. Click UPLOAD. Select the file containing the certificate to upload to the MSS Administrative Server.

  3. Enter the Keystore file name, Keystore password, and Friendly name.

  4. Click IMPORT to add the certificate.

  5. Restart the MSS Administrative Server.

Important

When X.509 with Fallback to LDAP authentication is used in conjunction with other MSS features that also use the certificates in this collection (such as Automated Sign-On for Mainframe), use caution to ensure that trust is not inadvertently broadened and granted to unintended end-user clients.

See Trusted Root Certificate Authorities (collapsed by default).

Certificate Store - Trusted Sub-System

This collection of certificates includes certificates used to establish other servers as known and trusted to the Management and Security Server. To view details, click the certificate's Friendly name.

This collection is used for these features:

  • Clustering: Add certificate(s) to trust other MSS servers in a cluster.

  • X.509 authentication for Host Access for the Cloud (HACloud): Add session server certificate(s) to establish trust between MSS and HACloud.

To add a server certificate to the MSS trust store:

  1. With Trusted Sub-System selected, click +IMPORT.

  2. Click UPLOAD to select the file containing the certificate to upload to MSS Administrative Server.

  3. Enter the Keystore file name, Keystore password, and Friendly name.

  4. Click IMPORT to add the certificate.

  5. Restart the MSS Administrative Server.

See Trusted Root Certificate Authorities (collapsed by default).

Trusted Root Certificate Authorities

This table is collapsed by default on the Trusted Certificates panel. The table lists the set of commonly used root certificates in Management and Security Server. To view details about a root certificate, click its Friendly Name.

If a trusted CA root certificate expires or is compromised, you may need an update.

Note

If certificate changes are needed by Windows-based clients to perform X.509 authentication, you must restart the Management and Security Server for the changes to take effect.