Using Custom Keystores and Certificates
When Host Integrator is installed, it generates and stores a key and certificate in a keystore for secure access to the Host Integrator session server and Web server.
- HTTPS to Host Integrator Web services: https://vhiserver:9681
- HTTPS to the Host Integrator Web server that runs applications generated by Web Builder: https://vhiserver:8443
If you do not want to trust the self-signed certificates, you can resolve browser and client certificate security warnings by providing custom keystores and CA-signed security certificates.
Note
The key and certificate chain provided by your Certificate Authority (CA) must use FIPS-validated algorithms and strengths.
To use a CA-signed certificate in Host Integrator Web services
The SOAP stack uses the certificate for authenticating itself to HTTPS clients.
- The key and certificate chain provided by your CA must be in a keystore in either BCFKS format or a PKCS12 format with strong encryption (PBE-SHA1-3DES). Rename the file server.bcfks and copy it over the existing server.bcfks file in folder %VHI_ROOT%/sesssrvr/etc.
- Locate the Java keytool.exe utility in the following directory:
  - Windows: C:\Program Files\RocketSoftware\Verastream\java\bin
  - Linux: /opt/rocketsoftware/verastream/java/bin
- Run keytool with an appropriate command line, including the following parameters:
    -importcert to store the certificate in the keystore
    -keystore to specify the server.bcfks file name, including path from step 1 above
    -storetype bcfks to specify the keystore type
    -alias server-container to specify the alias used inside the keystore
- When prompted for a password, enter not-secure. Both the key and keystore must use that password.
- Restart the session server.
For more information on using the Java keytool, see the Oracle documentation.
To use a CA-signed certificate in the Host Integrator Web server
This certificate is used for HTTPS to the Host Integrator Web server.
- The key and certificate chain provided by your CA must be in a keystore in BCFKS format.
- The password for the key and for the keystore must be the same.
- Open the %VHI_ROOT%/servletengine/conf/container.properties file and add the following three lines:
    servletengine.ssl.keystore=full path to keystore
    servletengine.ssl.keystoretype=format name of keystore, either BCFKS or PKCS12
    servletengine.ssl.keystorepassword=password for the keystore file you specified
- Restart the Web server.
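The following POSIX shell check is an added example, not part of the product or its documentation. It validates the three container.properties lines described above before the Web server is restarted. It assumes a Linux install; the function names and the file-permission warning are this example's own.

```shell
#!/bin/sh
# Added example (not vendor code): pre-restart check of the three
# servletengine.ssl.* lines in container.properties on a Linux install.

# prop_value FILE KEY: print the value of the last "KEY=value" line.
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in the key
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'      # also strips a trailing CR
}

# check_container_properties FILE: 0 = all three lines usable, 1 = problem found.
check_container_properties() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    ks=$(prop_value "$file" servletengine.ssl.keystore)
    kt=$(prop_value "$file" servletengine.ssl.keystoretype)
    kp=$(prop_value "$file" servletengine.ssl.keystorepassword)

    case $ks in
        "") echo "FAIL: servletengine.ssl.keystore is missing"; rc=1 ;;
        /*) [ -f "$ks" ] || { echo "FAIL: keystore not found: $ks"; rc=1; } ;;
        *)  echo "FAIL: keystore must be a full path: $ks"; rc=1 ;;
    esac
    # Case-insensitive match is an assumption; the page spells the types in upper case.
    case $(printf '%s' "$kt" | tr '[:lower:]' '[:upper:]') in
        BCFKS|PKCS12) ;;
        "") echo "FAIL: servletengine.ssl.keystoretype is missing"; rc=1 ;;
        *)  echo "FAIL: keystoretype '$kt' is not BCFKS or PKCS12"; rc=1 ;;
    esac
    [ -n "$kp" ] || { echo "FAIL: servletengine.ssl.keystorepassword is missing"; rc=1; }

    # The file stores the keystore password in clear text, so flag lax permissions.
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $file is world-readable and holds the keystore password"
    fi
    return $rc
}

# Usage: sh check_props.sh /path/to/container.properties
[ $# -eq 0 ] || check_container_properties "$1"
```

The check does not open the keystore, so the requirement that the key and keystore share one password still has to be confirmed with keytool.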