Install a New Server Certificate: PKCS#12 File

Use this procedure to replace the default Transfer Server or Gateway Administrator server certificate with a CA-signed certificate contained within a PKCS#12 file.

Before you begin

Obtain a PKCS#12 file (*.p12 or *.pfx) that includes your private key and a certificate signed by a Certificate Authority (CA).

PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA Laboratories that enable compatibility among public key cryptography implementations. Different PKCS standards identify specifications for particular cryptographic uses. When configuring certificates for Reflection Gateway you may work with the following PKCS file types:

  • PKCS#7 can be used to sign and/or encrypt messages. It can also be used to store certificates and to disseminate certificates (for instance as a response to a PKCS#10 message). Files in this format typically use a *.p7b extension.

  • PKCS#10 is used for certificate requests to a Certificate Authority (CA).

  • PKCS#12 is used for storage and transportation of certificates and associated private keys. Files in this format typically use a *.pfx or *.p12 extension.

Certificate Authority (CA): A server, in a trusted organization, which issues digital certificates. The CA manages the issuance of new certificates and revokes certificates that are no longer valid for authentication. A CA may also delegate certificate issuance authority to one or more intermediate CAs, creating a chain of trust. The highest level CA certificate is referred to as the trusted root.

NOTE:

  • The certificates that authenticate Reflection Gateway servers must use FIPS-compliant cryptography. You should request a FIPS-compliant certificate from your Certificate Authority. DSA keys used in the certificate must be either 2048 or 3072 bits. RSA keys must be between 2048 and 4096 bits.

  • The PKCS#12 store must also use FIPS-compliant cryptography. If you have a PKCS#12 package that contains a FIPS-compliant private key, but the store encryption is not FIPS-compliant, the server will fail to start. To resolve this, you can re-encrypt the PKCS#12 file or import the file into a Java keystore.

  • The PKCS#12 store and the private key must be protected with the same password.

To replace the default server certificate with a certificate in a PKCS#12 file (*.p12 or *.pfx)

  1. Move the PKCS#12 file to the folder that holds the default Reflection Gateway keystore (or to any secure location on your server). The default keystore locations are:

    <install path>\TransferServer\etc\

    <install path>\GatewayAdministrator\etc\

    CAUTION: Do not delete any of the existing certificates or keystore files in these locations. The server certificates located here are required for communication between Reflection Gateway components.

  2. Locate the container.properties file in the location below for the server you are updating.

    <install path>\TransferServer\conf\container.properties

    <install path>\GatewayAdministrator\conf\container.properties

  3. Open container.properties in a text editor. (You must be a Windows administrator to be able to edit this file.) Remove the comment character (#) from the following lines. Edit these lines to specify a PKCS12 package and enter your certificate name and password. For example:

    servletengine.ssl.keystore=../etc/myserver_cert.p12
    servletengine.ssl.keystoretype=PKCS12
    servletengine.ssl.keystorepassword=mypassword
    

    NOTE: The path to the keystore must be specified using either forward slashes or escaped backslashes. For example: C:/pathto/keystore or C:\\pathto\\keystore.

  4. Restart the server you are configuring. See Start and Stop the Reflection Transfer Server and Start and Stop the Reflection Gateway Administrator Service.

  5. If you replaced the Gateway Administrator certificate after using the default certificate, you will need to update server authentication configuration:

  6. Confirm that you can log on to the Transfer Client or Gateway Administrator.

    If you can't log in, or if you continue to see a certificate warning message, see Troubleshooting Server Certificate Setup.
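Steps 2 and 3, together with the NOTE on path escaping, can be scripted rather than done by hand. The following is an added example, not from the Reflection Gateway documentation or product: it rewrites the three servletengine.ssl.* entries in the text of container.properties (the sample file content is constructed here), converts a Windows path to the forward-slash form the NOTE asks for, escapes the password the same way, and reads the entries back as a Java .properties loader would. That container.properties follows Java .properties escaping rules is an assumption, consistent with the NOTE, and the function names are this example's own.

```python
"""Added example, not part of the Reflection Gateway documentation: set the
servletengine.ssl.* entries in container.properties for a PKCS#12 keystore.
Assumption: the file follows Java .properties escaping, where a bare backslash
is an escape character, which is why the NOTE asks for '/' or '\\\\'."""
import re

SSL_KEYS = (
    "servletengine.ssl.keystore",
    "servletengine.ssl.keystoretype",
    "servletengine.ssl.keystorepassword",
)

# Constructed sample of the commented-out defaults; a real file has more entries.
SAMPLE_PROPERTIES = """\
# Servlet engine SSL settings
#servletengine.ssl.keystore=../etc/keystore
#servletengine.ssl.keystoretype=JKS
#servletengine.ssl.keystorepassword=changeit
servletengine.port=9190
"""

# Matches an active or commented-out servletengine.ssl.* line and captures key and value.
_SSL_LINE = re.compile(r"^\s*#?\s*(servletengine\.ssl\.[A-Za-z]+)\s*=(.*)$")


def properties_path(path: str) -> str:
    """Keystore path in forward-slash form, which a .properties loader reads verbatim."""
    return path.replace("\\", "/")


def properties_escape(value: str) -> str:
    """Escape a value so the loader returns it unchanged (backslash is the escape char)."""
    return value.replace("\\", "\\\\")


def properties_unescape(value: str) -> str:
    """Undo .properties escaping of a value (\\\\ -> \\, \\: -> :, \\= -> =)."""
    return re.sub(r"\\(.)", r"\1", value)


def update_container_properties(text: str, keystore_path: str, password: str) -> str:
    """Uncomment and set the three SSL entries; append any that are missing."""
    values = {
        "servletengine.ssl.keystore": properties_path(keystore_path),
        "servletengine.ssl.keystoretype": "PKCS12",
        "servletengine.ssl.keystorepassword": properties_escape(password),
    }
    out, seen = [], set()
    for line in text.splitlines():
        m = _SSL_LINE.match(line)
        if m and m.group(1) in values:
            key = m.group(1)
            out.append(f"{key}={values[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key in SSL_KEYS:
        if key not in seen:
            out.append(f"{key}={values[key]}")
    return "\n".join(out) + "\n"


def read_keystore_settings(text: str) -> dict:
    """Active (uncommented) SSL entries as the server would see them after unescaping."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SSL_LINE.match(line)
        if m:
            settings[m.group(1)] = properties_unescape(m.group(2).lstrip())
    return settings


if __name__ == "__main__":
    print(update_container_properties(SAMPLE_PROPERTIES, r"C:\pathto\myserver_cert.p12", "mypassword"))
```

Apply it to a copy of container.properties and compare before replacing the original. The file carries the keystore password in clear text, as the documented procedure itself requires, so the existing file permissions on the conf folder are what protect it.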

NOTE: If you are using a load-balancing proxy to ensure high availability of Reflection Gateway services, you will need to configure duplicate server systems after making these changes. For details, see Ensuring High Availability of Reflection Gateway Services.