
Using Custom Keystores and Certificates

When Host Integrator is installed, it generates a key and certificate and stores them in a keystore for secure access to the Host Integrator session server and Web server:

  • HTTPS to Host Integrator Web services - https://vhiserver:9681
  • HTTPS to the Host Integrator Web server that runs applications generated by Web Builder - https://vhiserver:8443

If you do not want to trust the self-signed certificates, you can resolve browser and client certificate security warnings by providing custom keystores and CA-signed security certificates.

Note

The key and certificate chain provided by your Certificate Authority (CA) must use FIPS validated algorithms and strengths.

To use a CA-signed certificate in Host Integrator Web services

The SOAP stack uses the certificate for authenticating itself to HTTPS clients.

  1. The key and certificate chain provided by your CA must be in a keystore in either BCFKS format or a PKCS12 format with strong encryption (PBE-SHA1-3DES). Rename the file to server.bcfks and copy it over the existing server.bcfks file in the folder %VHI_ROOT%/sesssrvr/etc.
  2. Locate the Java keytool.exe utility in the following directory:

    • Windows: C:\Program Files\RocketSoftware\Verastream\java\bin
    • Linux: /opt/rocketsoftware/verastream/java/bin

  3. Run keytool with an appropriate command line, including the following parameters:

    • -importcert to store the certificate in the keystore
    • -keystore to specify the server.bcfks file name, including path from step 1 above
    • -storetype bcfks to specify the keystore type
    • -alias server-container to specify the alias used inside the keystore
  4. When prompted for a password, enter not-secure. Both the key and keystore must use that password.

  5. Restart the session server.

For more information on using the Java keytool, see the Oracle documentation.

To use a CA-signed certificate in the Host Integrator Web server

This certificate is used for HTTPS to the Host Integrator Web server.

  • The key and certificate chain provided by your CA must be in a keystore in BCFKS format.
  • The password for the key and for the keystore must be the same.
  • Open the %VHI_ROOT%/servletengine/conf/container.properties file and add the following three lines:

    • servletengine.ssl.keystore=full path to keystore
    • servletengine.ssl.keystoretype=format name of keystore, either BCFKS or PKCS12
    • servletengine.ssl.keystorepassword=password for the keystore file you specified
  • Restart the Web server.
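
The following script is an added example, not part of the product or its documentation: it checks the three container.properties settings described above before the Web server is restarted. The function names are hypothetical, and the file-permission warning assumes a Linux installation; the script reads the file and changes nothing.

```sh
#!/bin/sh
# Added example: pre-restart check of container.properties (not vendor code).
# Property names are from the page; function names are hypothetical.

# Print the value of property $2 in file $1; the last definition wins.
get_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # treat dots in the key literally
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r'
}

# True when "other" users can read file $1 (it holds a cleartext password).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Return 0 when the three settings are present and usable, 1 otherwise.
check_container_properties() {
    props=$1
    rc=0
    [ -r "$props" ] || { echo "ERROR: cannot read $props" >&2; return 1; }

    ks=$(get_prop "$props" servletengine.ssl.keystore)
    kstype=$(get_prop "$props" servletengine.ssl.keystoretype)
    kspass=$(get_prop "$props" servletengine.ssl.keystorepassword)

    if [ -z "$ks" ]; then
        echo "ERROR: servletengine.ssl.keystore is not set" >&2; rc=1
    elif [ ! -r "$ks" ]; then
        # Also catches a path with stray trailing whitespace.
        echo "ERROR: keystore '$ks' is missing or unreadable" >&2; rc=1
    fi

    # Accept only the two spellings given on the page.
    case $kstype in
        BCFKS|PKCS12) ;;
        *) echo "ERROR: keystoretype '$kstype' is not BCFKS or PKCS12" >&2; rc=1 ;;
    esac

    [ -n "$kspass" ] ||
        { echo "ERROR: servletengine.ssl.keystorepassword is not set" >&2; rc=1; }

    is_world_readable "$props" &&
        echo "WARN: $props is world-readable and contains the keystore password" >&2
    return $rc
}
```

Call check_container_properties with the full path to container.properties; a non-zero exit status means at least one of the three settings needs attention before the restart.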
