Updating the Applet Certificate

A separate Java Applet certificate is required to sign the TIBCO MFT Internet Server transfer applet. To obtain a new applet certificate from the CA, a certificate request must be issued. You must record all steps executed and their output in a file called cert.applet.log for tracking purposes.

Note:
  • The commands listed here are only examples and do not include all the options that the keytool program offers. Careful consideration should be taken when generating your key pair for your environment. Consult with your web administrator.
  • Each certificate requires a separate keystore.
  • The CA may have specific options required for creating an HTTPS certificate. Review the instructions provided by the CA before generating the certificate request.

Procedure

  1. To generate a Java keystore and key pair where the certificate would be considered valid for 365 days, you can issue the following example command:
    keytool -genkey -v -alias cfcc -keyalg RSA -keysize 2048 -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit -validity 365
    The keytool utility will then display messages requesting more information about the certificate request. The most important prompt is "What is your first and last name?". Here you must enter the DNS name that is used to access TIBCO MFT Internet Server. This is used as the CN in the certificate; HTTPS requires the CN to match the DNS name used to access the HTTPS server. For example, mft.yourcompany.com.

    In the example command above, the keypass and storepass values are the same. These two passwords must match each other. It is good practice to use the same keypass and storepass password that was used to create the original keystore. This way you will not have to update the keystore password in the product configuration files.

  2. Generate a certificate request.
    You can use the following sample command:
    keytool -v -certreq -alias cfcc -file MFTIS_Install\keystore\cfcc.csr -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit
  3. Submit the certificate request file created in the above command to the CA.
  4. Install the CA certificate into the Internet Server’s keystore.
    1. Save the certificate returned by the CA to a file Cert_File.
    2. Issue the following keytool command to import the certificate.
      keytool -v -import -alias cfcc -trustcacerts -file Cert_File -keystore Keystore_File_Name
    Note: Some CAs now issue an intermediate certificate along with the main certificate. If this is true for your CA, then import certificates using unique aliases to the keystore created in Step 1. This is to prevent the client from receiving a certificate warning.
  5. Install the Applet certificate into the keystore.
    1. Save the certificate returned by the CA to a file Cert_File.
    2. Issue the following keytool command to import the certificate.
      keytool -v -import -alias cfcc -trustcacerts -file Cert_File -keystore Keystore_File_Name
  6. To sign the Java Applets, run the following command from the MFTIS_Install\distribution\setup directory.
    signjars.bat [javakeystore] [keystore password] [keystore alias] [path to the MFT cfcc directory]
    Where:
    • java keystore: the name of the java keystore to be used for signing.
      Note: This applet certificate should be in a different keystore than the HTTPS certificate. If the keystore location contains spaces, enclose it in quotation marks.
    • keystore password: the password for the keystore.
    • keystore alias: the alias for the key to be used.
    • path to cfcc directory: the path to the TIBCO MFT Internet Server cfcc web context MFTIS_Install\server\webapps\cfcc. If the directory contains spaces, enclose it in quotation marks.
    Note: You can also use the same signjar command that was used in the TIBCO MFT Internet Server installation (install.log) as your example. The permissions for the UNIX signjars script must be changed so that it has execute rights.
    It is recommended that you use the same alias as you used in the self-signed step (the default value is cfcc; refer to the install.log file to verify) to ensure there is only one signature per jar.
  7. Stop and restart TIBCO MFT Internet Server.
  8. Perform a file transfer. Verify that the certificate associated with the File Transfer Applet points to the new certificate.
    Note: You may need to clear your browser cache to see the new certificate.
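
The following is an added example, not part of the TIBCO documentation or product: a Python check that each jar under the cfcc web context carries exactly one signature after step 6. It assumes the signjars script relies on jarsigner's default signature file naming (the first eight characters of the alias, upper-cased); the function names and the status labels are hypothetical.

```python
import sys
import zipfile
from pathlib import Path, PurePosixPath


def jar_signers(jar_path):
    """Return the sorted base names of the META-INF/*.SF signature files in a jar."""
    signers = set()
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            entry = PurePosixPath(name.upper())
            # Signature files live directly under META-INF, one .SF per signer.
            if len(entry.parts) == 2 and entry.parts[0] == "META-INF" and entry.suffix == ".SF":
                signers.add(entry.stem)
    return sorted(signers)


def audit_jars(directory, expected_alias="cfcc"):
    """Map each jar below `directory` to (signers, status)."""
    # Assumption: default jarsigner naming, i.e. alias truncated to 8 chars, upper-cased.
    expected = expected_alias.upper()[:8]
    root = Path(directory)
    report = {}
    for jar in sorted(root.rglob("*.jar")):
        signers = jar_signers(jar)
        if not signers:
            status = "UNSIGNED"
        elif len(signers) > 1:
            status = "MULTIPLE_SIGNATURES"  # e.g. re-signed under a different alias
        elif signers[0] != expected:
            status = "UNEXPECTED_ALIAS"
        else:
            status = "OK"
        report[jar.relative_to(root).as_posix()] = (signers, status)
    return report


if __name__ == "__main__":
    # Usage: python audit_jars.py <path to cfcc directory> [alias]
    results = audit_jars(sys.argv[1], *(sys.argv[2:3]))
    for jar_name, (signers, status) in results.items():
        print(f"{status:20} {jar_name} signers={signers}")
    sys.exit(0 if all(s == "OK" for _, s in results.values()) else 1)
```

The script only inspects which signature files are present and does not validate them cryptographically; the JDK's jarsigner -verify does that. Its output can be appended to cert.applet.log along with the other steps.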