Credential stores used in Management and Security Server - Management and Security Server Administrator Guide

7.3 Credential stores used in Management and Security Server

Management and Security Server (MSS) stores certificates and keys in several locations. Here is how the stores are used during a TLS/SSL transaction.

A keystore holds a party's own certificate together with its private key. A party uses its keystore to authenticate itself to the other party (server or client): the certificate is presented, and the private key proves possession of it during the handshake.

A trust store holds certificates from other parties (servers or clients). It may contain the certificates of trusted Certificate Authorities (CAs) as well as other parties' self-signed certificates. Trust stores are used to verify the certificates received during a TLS transaction; they contain no private keys.

During a TLS/SSL transaction, the keystore authenticates the sender to the receiver. The receiver verifies the presented certificate by chaining it to an entry in its own trust store, either a trusted CA or the other party's self-signed certificate. A party that must both prove its identity and verify the other side needs both a keystore and a trust store.

MSS uses Bouncy Castle as the provider for keystore operations, and its keystores use the .bcfks (Bouncy Castle FIPS keystore) format and extension. The exception is the JRE's cacerts file described in 7.3.5, which is not a .bcfks file.
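The keystore and trust store roles just described, played out as an added Go example. This is not MSS code (MSS is a Java product and keeps these credentials in .bcfks files); the host name, the scenario names and the Result type are the example's own. It generates one identity in the role of rweb.bcfks (the server's certificate and private key) and one in the role of client.bcfks (a shared client certificate and key), puts only the certificates into in-memory trust pools, and runs four loopback handshakes: the client trusts the server's certificate; the client's trust store is empty; the server also requires the client certificate and has it in its trust store; the server requires a client certificate that the client cannot present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity generates what a party's keystore holds: a private key plus the matching
// certificate (self-signed here, so the certificate doubles as its own trust anchor).
func newIdentity(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only a broken system random source gets here
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the loopback address the client dials
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parse our own output; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over loopback and returns the first error seen on
// either side; nil means each side accepted what the other presented.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, serverCfg).Handshake()
		}
		srvErr <- err
	}()
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), clientCfg) // verifies against clientCfg.RootCAs
	serr := <-srvErr                                              // let the server finish reading before the client hangs up
	if cerr != nil {
		return cerr
	}
	conn.Close()
	return serr
}

// Result of the four handshakes; an empty error string means that handshake succeeded.
type Result struct {
	TrustedOK, MutualOK            bool
	UntrustedErr, NoClientCertErr string
}

// RunScenarios plays the combinations the section describes.
func RunScenarios() Result {
	var r Result
	server := newIdentity("mss.example.test") // rweb.bcfks role: MSS certificate + private key
	client := newIdentity("shared-client")    // client.bcfks role: shared client certificate + key
	trustServer := x509.NewCertPool()         // the client's trust store: the server's certificate, no key
	trustServer.AddCert(server.Leaf)
	trustClient := x509.NewCertPool() // the server's trust store for client certificates
	trustClient.AddCert(client.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{server}}
	r.TrustedOK = handshake(srv, &tls.Config{RootCAs: trustServer}) == nil
	if err := handshake(srv, &tls.Config{RootCAs: x509.NewCertPool()}); err != nil {
		r.UntrustedErr = err.Error() // empty trust store: nothing to chain the presented cert to
	}
	mtls := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // like the Security Proxy requiring a client cert
		ClientCAs:    trustClient,
	}
	r.MutualOK = handshake(mtls, &tls.Config{RootCAs: trustServer, Certificates: []tls.Certificate{client}}) == nil
	if err := handshake(mtls, &tls.Config{RootCAs: trustServer}); err != nil {
		r.NoClientCertErr = err.Error() // the client has no keystore entry to present
	}
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The two failures are the ones an administrator meets when a certificate sits in the wrong store: the first is the client rejecting the server (the server's certificate is missing from the client's trust store), the second is the server rejecting the client (the client has nothing in its keystore to present).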

The tables that follow identify and describe the credentials stored in each location.

7.3.1 Stores used by MSS in MSSData/trustedcerts

The keystores in this location include the Management and Security Server certificate + private key, the client certificate + private key, and the imported certificates on the Trusted Certificates list for the terminal emulator client.

The keystores in MSSData/trustedcerts are described in Table 7-1.

  • Keystore location: %ProgramData%/Micro Focus/MSS/MSSData/trustedcerts/

  • Password location: The keystores in this directory share one password, which is stored encrypted in the KeyChain (in MSSData/keychain.bcfks).

  • To change this password: Administrative Console > Configure Settings – General Security > Change keystore password

Table 7-1 Stores used by MSS

Keystore    Function

client.bcfks

  • holds Reflection for the Web's shared client certificate and private key

  • A client certificate identifies users connecting to the Security Proxy or to an SSL/TLS host when either requires client authentication. If all users share the same client certificate, the Administrative Server can distribute it automatically to Reflection for the Web clients when needed. A shared certificate authenticates the client population as a whole, so it does not by itself identify which user is connecting.

rweb.bcfks

  • holds the Management and Security Server certificate and its private key

  • the private key signs the Security Proxy token, which the proxy verifies with the certificate it imported into its own trustedws.bcfks store

saml.bcfks

  • for SAML authentication

sshclient.bcfks

  • for Reflection for the Web SSH

  • not used by MSS itself

trustedascj.bcfks

  • trust store for outbound HTTPS connections: Replication, Micro Focus Advanced Authentication, and Automated Sign-on for Mainframe

  • validation and revocation checking of client certificates presented for X.509 authentication

  • not used for LDAPS (LDAPS trusts cacerts only; see 7.3.5)

trustedps.bcfks

  • trust store used by Host Access for the Cloud and Reflection for the Web clients for SSL/TLS connections to a host

  • not used by MSS itself

  • When settings are exported from the Security Proxy Wizard, the Security Proxy's certificate (from its rwebps.bcfks store, Table 7-3) is added to this store.

trustedws.bcfks

  • contains only the certificate (public key) from the rweb.bcfks store, not its private key

  • The Security Proxy imports the certificates from this store into its own trustedws.bcfks store and uses them to verify the proxy token signature.

7.3.2 Keychain in MSSData

The Keychain contains a SecretKeyEntry with assorted encrypted secrets, including the keystore password for files in trustedcerts.

  • Keystore location: %ProgramData%/Micro Focus/MSS/MSSData/keychain.bcfks

  • Password location: Either base64-encoded in %ProgramData%/Micro Focus/MSS/MSSData/rweb.pwd, or in the KeychainUtility. Base64 is an encoding, not encryption: anyone who can read rweb.pwd can open the keychain and, through it, every keystore in trustedcerts, so restrict file system access to the MSSData directory to the MSS service account and administrators.

  • To change this password: Administrative Console > Configure Settings – General Security > Keychain

7.3.3 Stores used by Tomcat in server/etc

The keystores in server/etc are described in Table 7-2.

  • Keystore location: %ProgramFiles%/Micro Focus/MSS/server/etc/

  • Password location: Obfuscated (not encrypted; anyone who can read the file can recover it) in %ProgramFiles%/Micro Focus/MSS/server/services/servletengine-tomcat/META-INF/service.ctx.xml.

  • To change this password: In /MSS/server/conf/container.properties, update these settings:

    • servletengine.system.ssl.keyStorePassword
    • management.server.client.ssl.trustStorePassword

Table 7-2 Stores used by Tomcat

Keystore    Function

servletcontainer.bcfks

  • Credential store for Tomcat HTTPS, all three ports

  • Created at startup

  • Used for the embedded web servers (Tomcat)

system.bcfks

  • Trust store for Tomcat HTTPS, trusted subsystem

  • Created at startup

  • Used for the Trusted Subsystem (X.509 authentication)

7.3.4 Stores used by Security Proxy in proxyserver/keystores

The keystores in proxyserver/keystores are described in Table 7-3.

  • Keystore location: %ProgramFiles%/Micro Focus/MSS/securityproxy/keystores/

  • Password location: hard-coded in the Security Proxy

  • To change this password: This password cannot be changed. Because the password is fixed, the private key in rwebps.bcfks is protected only by the file system permissions on the keystores directory; restrict read access to the proxy's service account and administrators.

Table 7-3 Stores used by Security Proxy

Keystore    Function

rwebps.bcfks

  • Credential store (certificate and private key) that the Security Proxy presents on inbound TLS connections

  • The public key and certificate from this store (not the private key) are exported to the Administrative Server and stored in its trustedps.bcfks store.

trustedps.bcfks

  • Stores the public key and certificate from rwebps.bcfks, noted above.

trustedws.bcfks

  • Trust store for proxy, both for TLS client authentication and proxy token signature verification

  • Contains public keys and certificates imported into the proxy from trusted MSS Administrative Servers
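How the split between rweb.bcfks on the Administrative Server and trustedws.bcfks on the Security Proxy works for the proxy token, as an added Go example. It is not MSS code: the token layout (base64url payload, a dot, a base64url ECDSA P-256 signature over the SHA-256 of the payload) is a hypothetical stand-in because the guide does not document the real format, and the payload string is constructed. The Signer holds the private key, as the Administrative Server does; the Verifier receives only the exported public key, as the proxy does when a certificate is imported into trustedws.bcfks, and can check tokens but cannot create them. Tokens from an Administrative Server whose key was never imported, and tokens whose payload was altered after signing, are rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Signer plays the Administrative Server: it holds the private key (the rweb.bcfks role).
type Signer struct{ key *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key}, nil
}

// PublicKeyDER is the only material exported to the proxy: the public half, never the key.
func (s *Signer) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&s.key.PublicKey)
}

// Sign produces the hypothetical token "<base64url payload>.<base64url ECDSA signature>".
func (s *Signer) Sign(payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	return enc(payload) + "." + enc(sig), nil
}

// Verifier plays the Security Proxy: it holds only public keys imported from trusted
// Administrative Servers (the trustedws.bcfks role) and cannot mint tokens itself.
type Verifier struct{ trusted []*ecdsa.PublicKey }

// Import adds an Administrative Server's exported public key.
func (v *Verifier) Import(der []byte) error {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("not an ECDSA public key")
	}
	v.trusted = append(v.trusted, ec)
	return nil
}

// Verify returns the payload if, and only if, an imported key signed the token as-is.
func (v *Verifier) Verify(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	for _, pub := range v.trusted {
		if ecdsa.VerifyASN1(pub, digest[:], sig) {
			return payload, nil
		}
	}
	return nil, errors.New("token not signed by a trusted Administrative Server")
}

func main() {
	mss, _ := NewSigner()
	der, _ := mss.PublicKeyDER()
	var proxy Verifier
	_ = proxy.Import(der) // what importing the certificate into trustedws.bcfks achieves
	tok, _ := mss.Sign([]byte("user=alice;host=mainframe01")) // constructed payload
	_, err := proxy.Verify(tok)
	fmt.Println("accepted:", err == nil)
}
```

The point of the arrangement is that compromising the proxy's keystores directory yields verification material only; minting tokens requires the private key, which never leaves rweb.bcfks on the Administrative Server.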

7.3.5 cacerts in jre/lib/security/cacerts

The cacerts trust store contains a set of commonly used root certificates that comes by default with Management and Security Server.

  • Keystore location: %ProgramFiles%/Micro Focus/MSS/jre/jre/lib/security/cacerts

  • Password location: System property javax.net.ssl.trustStorePassword

  • To change this password: Set the javax.net.ssl.trustStorePassword property in container.conf to the new value, and change the password of the file itself with a utility such as keytool, Portecle, or KeyStore Explorer. The store password protects the file's integrity check, not the confidentiality of its contents: cacerts holds only public CA certificates, so what matters is that the file cannot be modified, since any CA written into it is trusted for LDAPS and all outbound TLS.

To view the certificates, go to Configure Settings – Trusted Certificates. Select Management and Security Server as the Certificate Store, and then open the list under Trusted Root Certificate Authorities.

The cacerts trust store is:

  • used for LDAPS (the only trust store consulted for LDAPS)

  • the trust store for outbound TLS

  • combined with trustedascj for RASM, MFAA, and replication (the outbound HTTPS uses listed under trustedascj in Table 7-1), but not for LDAPS

  • not a .bcfks file