The SSH Java Certificate Keystore

When TIBCO MFT Command Center is installed, a default SSH keystore is installed. The SFTP transfers will work using this default keystore, or the user can create another keystore.

There are two types of keystores that can be used:

  • DSA keystore uses the DSA key algorithm to create the public/private key pair.
  • RSA keystore uses the RSA key algorithm to create the public/private key pair.
Note:
  • The default SSH keystore uses the DSA key algorithm.
  • DSA is required for SSH operation, and virtually all SSH clients and servers support the DSA key algorithm.
  • Some SSH client or server software does not support the RSA algorithm.
  • If keystores for both DSA and RSA are defined, the SSH client and server negotiate which SSH key is used.
The Java keytool utility can be used to create the SSH certificate. The format of the keytool command is:

keytool -genkey {-alias alias} [-dname dname] [-keypass keypass]
    {-keystore keystore} [-storepass storepass] [-keyalg dsa]
Note: This command should be typed as a single line.

When you have created the SSH certificate, you must update the Management > SSH Server > Configure SSH Server web page with the following information:
  • DSA Keystore: specifies the DSA keystore file defined by the keystore parameter.
  • DSA Keystore Password: specifies the DSA keystore password defined by the storepass parameter.
  • Confirm Password: re-enter the DSA keystore password; the two entries must match.
  • DSA Private Key Alias: specifies the DSA alias name created by the alias parameter.
  • RSA Keystore: specifies the RSA keystore file defined by the keystore parameter.
  • RSA Keystore Password: specifies the RSA keystore password defined by the storepass parameter.
  • Confirm Password: re-enter the RSA keystore password; the two entries must match.
  • RSA Private Key Alias: specifies the RSA alias name created by the alias parameter.
The keytool parameters are:
  • -alias: specifies the unique name for this certificate chain and the private key in this new keystore entry.

    If you do not specify this parameter, a default value of mykey will be assigned.

  • -dname: specifies the X.500 distinguished name to be associated with alias, and is used as the issuer and subject fields in the self-signed certificate.

    You should set the common name (CN=) to the host name or IP address of the client. This name will be used to access the TIBCO MFT Command Center server.

    If no distinguished name is provided at the command line, the user will be prompted for one.

  • -keypass: specifies the password used to protect the private key of the generated key pair.

    This parameter must be the same as the storepass parameter. If no password is provided, the user is prompted for it. If you press ENTER at the prompt, the key password is set to the same password as that used for the keystore.

  • -keyalg: specifies the algorithm to use when creating the key.

    The valid values are DSA or RSA. DSA is typically used with SSH, because all SSH clients support DSA, but only some of them support RSA.

  • -keystore: specifies the name and location of a keystore.

    If no keystore is provided on the command line, the .keystore file in the home directory of the user will be used.

  • -storepass: specifies a password for the new keystore.

    You can configure this parameter in the Configure SSH Server page. This password must be the same as the keypass parameter.

Example:

keytool -genkey -alias CFCCSSH -dname "CN=yourmachine, O=yourcompany, OU=yourorganization, L=yourcity, ST=yourstate, C=yourcountry" -keypass changeit
    -keystore "c:\cfccinstall\keystore\keystore.dss" -storepass changeit
    -keyalg DSA -keysize 1024 -validity 3650
Note: This command should be typed as a single line.
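As an added example (not part of the TIBCO documentation or product), the following Java program checks a keystore produced by the command above before its values are entered on the Configure SSH Server page: it opens the file with the storepass, confirms the alias is a private key entry whose keypass equals the storepass, confirms the key algorithm matches the DSA or RSA slot it will be assigned to, and warns if the self-signed certificate has already expired. The program name, argument order and exit codes are my own choices.

```java
// KeystoreCheck.java (added example, not part of the TIBCO documentation)
// Usage: java KeystoreCheck <keystore file> <storepass> <alias> <DSA|RSA>
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;

public class KeystoreCheck {
    // Returns null when the keystore is usable, otherwise the reason it is not.
    static String check(String path, String storepass, String alias, String expectedAlg)
            throws Exception {
        // keytool writes JKS on older JDKs and PKCS12 on newer ones, so try both formats.
        KeyStore ks = null;
        for (String type : new String[] {"JKS", "PKCS12"}) {
            try (InputStream in = new FileInputStream(path)) {
                KeyStore candidate = KeyStore.getInstance(type);
                candidate.load(in, storepass.toCharArray()); // a wrong storepass fails here
                ks = candidate;
                break;
            } catch (IOException e) { /* not this format, or bad password: try the next */ }
        }
        if (ks == null) return "keystore could not be opened with the given storepass";
        if (!ks.isKeyEntry(alias)) return "alias " + alias + " is not a private key entry";
        Key key;
        try {
            // The Configure SSH Server page takes one password per keystore, so the private
            // key must be protected with the same password as the keystore (keypass == storepass).
            key = ks.getKey(alias, storepass.toCharArray());
        } catch (UnrecoverableKeyException e) {
            return "keypass differs from storepass; regenerate with -keypass equal to -storepass";
        }
        if (!key.getAlgorithm().equalsIgnoreCase(expectedAlg))
            return "key algorithm is " + key.getAlgorithm() + ", expected " + expectedAlg;
        // keytool -genkey self-signs an X.509 certificate; warn if it has already expired.
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert.getNotAfter().before(new Date())) return "certificate expired on " + cert.getNotAfter();
        System.out.println("subject " + cert.getSubjectX500Principal() + ", valid until " + cert.getNotAfter());
        return null;
    }

    public static void main(String[] args) throws Exception {
        String problem = check(args[0], args[1], args[2], args[3]);
        System.out.println(problem == null ? "OK: keystore is ready for the Configure SSH Server page"
                                           : "PROBLEM: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```

Run it once per keystore, for example `java KeystoreCheck c:\cfccinstall\keystore\keystore.dss changeit CFCCSSH DSA`; a non-zero exit code means the web page values would be rejected or the SSH server could not load the key.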