The Java Certificate File

When TIBCO MFT Command Center is communicating with a web server that requires client certificates, you must configure the jskname and jskpwd parameters in the Global.xml file.

If you have a Java keystore that contains the client certificate, you must define the jskname parameter to point to the Java keystore file that contains the client certificate, and define the jskpwd parameter to specify the password for the keystore.

If the TIBCO MFT Command Center web server does not require client certificates, then you should use the default values for the jskname and jskpwd parameters. You do not have to create any Java keystores and you do not have to define the jskname and jskpwd parameters in the Global.xml file.

When the TIBCO MFT Command Center web server requires a Java certificate and you do not have a Java keystore that contains a Java certificate, you will have to create one. The Java keystore is typically created in the user's home directory; however, it can be created in any directory.

To create a Java keystore, you must execute the following command:

keytool -genkey {-alias alias} [-dname dname] [-keypass keypass]
    {-keystore keystore} [-storepass storepass] [-keyalg rsa]
Note: This command should be typed as a single line.
  • -alias: specifies the unique name for this certificate chain and the private key in this new keystore entry.

    If you do not specify this parameter, a default value of mykey will be assigned.

  • -dname: specifies the X.500 distinguished name to be associated with alias.

    This parameter is used as the issuer and subject fields in the self-signed certificate. You must set the common name (CN=) to the host or IP name of the client. The name will be used to access the TIBCO MFT Command Center server.

    If no distinguished name is provided at the command line, the user will be prompted for one.

  • -keypass: specifies a password used to protect the private key of the generated key pair.

    If no password is provided, the user is prompted for it. If you press Enter at the prompt, the key password is set to the same password as that used for the keystore.

    The password must be at least 6 characters long.

  • -keyalg: specifies the algorithm to use when creating the key.

    RSA is typically used.

  • -keystore: specifies the name and location of a keystore.

    If no keystore is provided on the command line, the file named .keystore in the user's home directory is used.

  • -storepass: specifies a password for the new keystore.

    This password must be configured as jskpwd within the TIBCO MFT Command Center Global.xml file.

After the keystore has been created, you must generate a certificate request. You can issue the following Java command to generate a certificate request:

keytool -certreq {-alias alias} {-file certreq_file} [-keypass keypass]
    {-keystore keystore} [-storepass storepass]
  • -alias: specifies the alias that you defined for this certificate request.

    If you do not specify this parameter, a default value of mykey will be assigned.

  • -file: specifies the output file for this command.

    This parameter is the CSR file that you will have to provide to your CA.

  • -keypass: specifies a password used to protect the private key of the generated key pair.

    This parameter must match what you defined as the keypass when you generated the key pair.

  • -keystore: specifies the name and location of a keystore.
  • -storepass: specifies a password to a keystore.

At this point, you have created a certificate request file. This file must be sent to the certificate authority or the department responsible for creating certificates. When the certificate authority completes processing the certificate request, they will then return a certificate file in Base64 format. Then this certificate must be imported into the Java keystore as shown in the next step.

Now that the certificate has been created, you must import the certificate into the keystore. To do this, you must have the client certificate in Base64 format. Then you can issue the following Java command to add this certificate to the trusted certificate authority file:

keytool -import
        -keystore c:\home\mftuser\keystore.jsk
        -alias "MFT Command CenterClientKey"
        -file cert.file
        -storepass changeit
Note: This command should be typed as a single line.
  • -keystore: specifies the name and location of a keystore.

    You should point to the Java keystore. This file name should be added to the jskname parameter in the Global.xml file.

  • -alias: specifies the unique name for this certificate.

    The value defined should match the alias defined in the certreq command.

  • -file: specifies the certificate file name in Base64 format.
  • -storepass: specifies the password for the cacerts keystore.

    This password must be configured as jskpwd within the TIBCO MFT Command Center Global.xml file. The default password is changeit.

After entering the command, you will be asked to confirm the request. After confirming the request, the certificate will be added to the Java keystore. Now, when your client makes a request to the TIBCO MFT Command Center server, the certificate can be passed to the TIBCO MFT Command Center web server.
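
The check below is an added example, not part of the TIBCO documentation. It confirms that the CA reply was imported under the same alias as the key pair, because a certificate imported under a different alias becomes a trusted-certificate entry with no private key and cannot be used for client authentication. The alias names, the keystore.jsk file name and the function name are assumptions, and the parser expects English-locale keytool output.

```shell
#!/bin/sh
# Added example (not TIBCO code): classify one alias from the text that
# `keytool -list -v` prints. On a real keystore (keytool prompts for the password):
#   keytool -list -v -keystore keystore.jsk | check_client_entry clientkey
check_client_entry() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, "") }                       # tolerate Windows line endings
        /^Alias name: / { cur = tolower(substr($0, 13)); next }
        cur != want     { next }                 # skip entries for other aliases
        /^Entry type: / { type = substr($0, 13) }
        /^Certificate chain length: / { len = $4 + 0 }
        /^Owner: /  && owner == ""  { owner  = substr($0, 8) }   # first cert only
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (type == "")                 { print "MISSING";        exit 3 }
            if (type != "PrivateKeyEntry")  { print "NO_PRIVATE_KEY"; exit 2 }
            if (len < 2 || owner == issuer) { print "SELF_SIGNED";    exit 1 }
            print "CA_SIGNED"
        }'
}

# Constructed listing: the CA reply was imported under "clientkey" (correct)
# and, separately, under a new alias "clientcert" (the mistake to catch).
sample_listing() {
    cat <<'EOF'
Alias name: clientkey
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=mftclient.example.com
Issuer: CN=Example Issuing CA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Issuing CA

Alias name: clientcert
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=mftclient.example.com
Issuer: CN=Example Issuing CA
EOF
}

sample_listing | check_client_entry clientkey            # CA_SIGNED
sample_listing | check_client_entry clientcert || true   # NO_PRIVATE_KEY
```

A SELF_SIGNED result means the keystore still holds only the certificate produced by -genkey, so the CA reply has not been imported yet.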