Using Custom Keystores and Certificates
When Host Integrator is installed, it generates and stores a key and certificate in a keystore for secure access to the Host Integrator session server and Web server:
- HTTPS to Host Integrator Web services
- HTTPS to the Host Integrator Web server that runs applications generated by Web Builder
If you do not want to trust the self-signed certificates, you can resolve browser and client certificate security warnings by providing custom keystores and CA-signed security certificates.
The key and certificate chain provided by your Certificate Authority (CA) must use FIPS-validated algorithms and strengths.
To use a CA-signed certificate in Host Integrator Web services
The SOAP stack uses the certificate for authenticating itself to HTTPS clients.
- The key and certificate chain provided by your CA must be in a keystore in either BCFKS format or PKCS12 format with strong encryption (PBE-SHA1-3DES). Rename the file server.bcfks and copy it over the existing server.bcfks file in the folder %VHI_ROOT%/sesssrvr/etc.
- Locate the Java keytool.exe utility in the following directory:
  C:\Program Files\Micro Focus\Verastream\java\bin
- Run keytool with an appropriate command line, including the following parameters:
  -importcert to store the certificate in the keystore
  -keystore to specify the server.bcfks file name, including path from step 1 above
  -storetype bcfks to specify the keystore type
  -alias server-container to specify the alias used inside the keystore
- When prompted for a password, enter not-secure. Both the key and keystore must use that password.
- Restart the session server.
For more information on using the Java keytool, see the Oracle documentation.
To use a CA-signed certificate in the Host Integrator Web server
This certificate is used for HTTPS to the Host Integrator Web server.
- The key and certificate chain provided by your CA must be in a keystore in BCFKS format.
- The password for the key and for the keystore must be the same.
- Open the %VHI_ROOT%/servletengine/conf/container.properties file and add the following three lines:
  servletengine.ssl.keystore=full path to keystore
  servletengine.ssl.keystoretype=format name of keystore, either BCFKS or PKCS12
  servletengine.ssl.keystorepassword=password for the keystore file you specified
- Restart the Web server.
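
A sanity check for the three container.properties lines, to run before restarting the Web server. This is an added example and not part of the product documentation. It assumes the file is read with standard Java properties rules (a lone backslash is dropped, trailing whitespace is kept, the last duplicate key wins); the function name and the sample values are made up for illustration.

```python
import re

P = "servletengine.ssl."
REQUIRED = (P + "keystore", P + "keystoretype", P + "keystorepassword")
ALLOWED_TYPES = {"BCFKS", "PKCS12"}   # the two formats the page names

def check_container_properties(text):
    """Return a list of findings for the three SSL lines; empty means OK."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped[0] in "#!" or "=" not in stripped:
            continue
        key, raw = stripped.split("=", 1)
        key, raw = key.strip(), raw.lstrip()   # trailing blanks kept on purpose
        if key not in REQUIRED:
            continue
        if key in seen:
            findings.append(f"line {n}: {key} repeats line {seen[key][0]}; the later value wins")
        seen[key] = (n, raw)
        if raw != raw.rstrip():
            findings.append(f"line {n}: {key} has trailing whitespace, which becomes part of the value")
    for key in REQUIRED:
        if key not in seen:
            findings.append(f"missing {key}")
    n, ktype = seen.get(REQUIRED[1], (0, ""))
    if ktype and ktype.strip().upper() not in ALLOWED_TYPES:
        findings.append(f"line {n}: keystoretype {ktype.strip()!r} is not BCFKS or PKCS12")
    n, path = seen.get(REQUIRED[0], (0, ""))
    # A lone backslash is an escape character under Java properties rules and
    # is dropped, so C:\keys\web.bcfks would be read as C:keysweb.bcfks.
    if re.search(r"(?<!\\)\\(?!\\)", path):
        findings.append(f"line {n}: keystore path uses single backslashes; use / or \\\\")
    n, pw = seen.get(REQUIRED[2], (0, None))
    if pw is not None and not pw.strip():
        findings.append(f"line {n}: keystorepassword is empty")
    return findings

# Constructed sample with deliberate mistakes; path and password are placeholders.
SAMPLE = "\n".join([
    r"servletengine.ssl.keystore=C:\keys\web.bcfks",
    "servletengine.ssl.keystoretype=JKS",
    "servletengine.ssl.keystorepassword=EXAMPLE-PASSWORD ",
])

if __name__ == "__main__":
    for finding in check_container_properties(SAMPLE):
        print(finding)
```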