Java Certificate File Settings
When TIBCO MFT Internet Server is communicating with a web server that requires client certificates, you must configure the jskname and jskpwd parameters in the Global.xml file.
If you have a Java keystore that contains the client certificate, you must define the jskname parameter to point to the Java keystore file that contains the client certificate, and define the jskpwd parameter to specify the password for the keystore.
If the TIBCO MFT Internet Server web server does not require client certificates then you should use the jskname and jskpwd default values. You do not have to create any Java keystores and you do not have to define the jskname and jskpwd parameters in the Global.xml file.
When the TIBCO MFT Internet Server web server requires a Java certificate and you do not have a Java keystore that contains a Java certificate, you will have to create one. The Java keystore is typically created in the user’s home directory; however it can be created in any directory. To create a Java keystore, you must execute the following command:
keytool -genkey {-alias alias} [-dname dname] [-keypass keypass] {-keystore keystore} [-storepass storepass] [-keyalg rsa]
Descriptions for parameters in this command are as follows:
- -alias: This is the unique name for this certificate chain and the private key in this new keystore entry. If you do not specify this parameter there will be a default value of mykey assigned.
- -dname: specifies the X.500 Distinguished Name to be associated with alias, and is used as the issuer and subject fields in the self-signed certificate. You must set the common name (CN=) to the client’s host or IP name that will be used to access the TIBCO MFT Internet Server. If no distinguished name is provided at the command line, the user will be prompted for one.
- -keypass: is a password used to protect the private key of the generated key pair. If no password is provided, the user is prompted for it. If you press ENTER at the prompt, the key password is set to the same password as that used for the keystore. The keypass parameter must be at least 6 characters long.
- -keyalg: defines the algorithm to use when creating the key. RSA is typically used.
- -keystore: specifies the name and location of a keystore. If no keystore is provided on the command line the file named .keystore in the user's home directory will be assigned.
- -storepass: specifies a password for the new keystore. This is the password that you must configure as jskpwd within the TIBCO MFT Internet Server Global.xml file.
Now that the keystore has been created you must create a certificate request. You can issue the following Java command to generate a certificate request:
keytool -certreq {-alias alias} {-file certreq_file} [-keypass keypass] {-keystore keystore} [-storepass storepass]
Descriptions for parameters in this command are as follows:
- -alias: This is the alias that you defined for this certificate request. If you do not specify this parameter there will be a default value of “mykey” assigned.
- -file: specifies the output file for this command. This will be the CSR file that you provide to your CA.
- -keypass: is a password used to protect the private key of the generated key pair. This must match what you defined as the keypass when you generated the key pair.
- -keystore: specifies the name and location of a keystore.
- -storepass: specifies a password to a keystore.
At this point, you have created a certificate request file. This file must be sent to the Certificate Authority or the department responsible for creating certificates. When the Certificate Authority completes processing the certificate request, they will then return a certificate file in Base64 format. This certificate must then be imported into the Java keystore as shown in the next step.
Now that the certificate has been created you must import the certificate into the keystore. To do this, you must have the Client certificate in Base64 format. Then you can issue the following Java command to add this certificate to the trusted certificate authority file:
keytool -import -keystore c:\home\mftuser\keystore.jsk -alias MFT Internet ServerClientKey -file cert.file -storepass changeit
Descriptions for parameters in this command are as follows:
- -keystore: specifies the name and location of a keystore. You should point to the Java keystore. This file name should be added to the jskname parameter in the Global.xml file.
- -alias: This is the unique name for this certificate. The value defined should match the alias defined in the certreq command.
- -file: contains the certificate file name in Base64 format.
- -storepass: specifies the password for the cacerts keystore. This is the password that you must configure as jskpwd within the TIBCO MFT Internet Server Global.xml file. The default password is “changeit”.
After entering the command, you will be asked to confirm the request. After confirming the request, the certificate will be added to the Java keystore. Now, when your client makes a request to the TIBCO MFT Internet Server, the certificate can be passed to the TIBCO MFT Internet Server web server.