SSH Java Certificate Keystore Settings

When TIBCO MFT Internet Server is installed, a default SSH keystore (using the DSA key algorithm) is installed. SFTP transfers work using this default keystore, or you can create another keystore.

There are two types of keystores that can be used:

  • DSA keystore uses the DSA key algorithm to create the public/private key pair.
  • RSA keystore uses the RSA key algorithm to create the public/private key pair.
Note: DSA is required for SSH operation, and virtually all SSH clients and servers support the DSA key algorithm. Some SSH client or server software does not support the RSA algorithm. If keystores for both DSA and RSA are defined, the SSH client and server negotiate which SSH key is used.

The Java “keytool” utility can be used to create the SSH certificate. Below is the format of the keytool command.

keytool -genkey {-alias alias} [-dname dname] [-keypass keypass]
{-keystore keystore} [-storepass storepass] [-keyalg dsa]
Note: This command should be typed as a single line.

Descriptions for parameters in this command are as follows:

  • -alias: This is the unique name for this certificate chain and the private key in this new keystore entry. If you do not specify this parameter, the default value mykey is assigned.
  • -dname: specifies the X.500 Distinguished Name to be associated with alias, and is used as the issuer and subject fields in the self-signed certificate. You should set the common name (CN=) to the client’s host or IP name that is used to access the TIBCO MFT Internet Server. If no distinguished name is provided at the command line, the user is prompted for one.
  • -keypass: is a password used to protect the private key of the generated key pair. The keypass must be the same as the storepass defined. If no password is provided, the user is prompted for it. If you press ENTER at the command line, the key password is set to the same password as that used for the keystore.
  • -keyalg: defines the algorithm to use when creating the key. Valid values are DSA or RSA. DSA is typically used with SSH, since all SSH clients support DSA while only some support RSA.
  • -keystore: specifies the name and location of a keystore. If no keystore is provided on the command line, the file named .keystore in the user's home directory is assigned.
  • -storepass: specifies a password for the new keystore. This is the password that you must configure in the Configure SSH Server page. This password must be the same as the keypass parameter.

When you have created the SSH certificate, you must update the Administration > Transfer Servers > SSH Server > Configure SSH Server page with the following information:

Information              Description
DSA
  DSA Keystore           The DSA keystore file defined by the -keystore parameter.
  DSA Keystore Password  The DSA keystore password defined by the -storepass parameter.
  DSA Private Key Alias  The DSA alias name created by the -alias parameter.
RSA
  RSA Keystore           The RSA keystore file defined by the -keystore parameter.
  RSA Keystore Password  The RSA keystore password defined by the -storepass parameter.
  RSA Private Key Alias  The RSA alias name created by the -alias parameter.

For example:

keytool -genkey -alias CFCCSSH -dname "CN=yourmachine, O=yourcompany, OU=yourorganization, L=yourcity, ST=yourstate, C=yourcountry" -keypass changeit
-keystore "c:\cfccinstall\keystore\keystore.dss" -storepass changeit
-keyalg DSA -keysize 1024 -validity 3650
Note: This command should be typed as a single line.
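As an added example (not part of the TIBCO documentation), the following POSIX shell wrapper runs the keytool command above while enforcing the constraints this page states (matching -keypass and -storepass, DSA or RSA only), restricts the file to the account that runs the server, and then confirms with keytool -list that the alias really is a private-key entry before its values are typed into the Configure SSH Server page. It assumes keytool is on the PATH; the path, alias, distinguished name and password in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: wraps the page's keytool invocation and verifies the result.
# Assumes keytool (from a JDK) is on PATH. All file names, aliases, DNs and
# passwords below are placeholders to be replaced with real values.

# make_ssh_keystore <keystore-file> <alias> <password> <DSA|RSA> <keysize> <dname>
# The same password is passed as -keypass and -storepass because the page
# requires them to match (it is the value entered on the Configure SSH Server page).
make_ssh_keystore() {
    ks=$1; ks_alias=$2; pw=$3; alg=$4; size=$5; dname=$6
    case "$alg" in
        DSA|RSA) ;;
        *) echo "keyalg must be DSA or RSA, got '$alg'" >&2; return 2 ;;
    esac
    if [ -e "$ks" ]; then
        echo "refusing to overwrite existing keystore $ks" >&2; return 3
    fi
    # -genkeypair is the current name of the -genkey command shown on the page.
    keytool -genkeypair -alias "$ks_alias" -dname "$dname" \
        -keypass "$pw" -keystore "$ks" -storepass "$pw" \
        -keyalg "$alg" -keysize "$size" -validity 3650 || return 1
    # The keystore holds the server's private host key: owner-only access.
    chmod 600 "$ks"
}

# verify_keystore <keystore-file> <alias> <password>
# Fails if the file, password or alias is wrong, or if the alias is only a
# trusted certificate rather than a private key; prints the alias and
# signature algorithm lines on success.
verify_keystore() {
    ks=$1; ks_alias=$2; pw=$3
    out=$(keytool -list -v -keystore "$ks" -storepass "$pw" \
          -alias "$ks_alias" 2>/dev/null) || {
        echo "cannot open $ks with alias $ks_alias (bad path, password or alias)" >&2
        return 1
    }
    printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' || {
        echo "alias $ks_alias is not a private key entry" >&2
        return 1
    }
    printf '%s\n' "$out" | grep -E 'Alias name|Signature algorithm name'
}

# Example run with placeholder values (use a real password instead of changeit):
# make_ssh_keystore /opt/mft/keystore/keystore.dss CFCCSSH changeit DSA 1024 \
#     "CN=mft.example.invalid, O=Example Co" && \
# verify_keystore /opt/mft/keystore/keystore.dss CFCCSSH changeit
```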