Management and Security Server (MSS) stores certificates and keys in several locations. Here’s how the stores are used during a TLS/SSL transaction.
Keystores contain a party’s own certificate and a private key. The party’s keystore is used to authenticate itself when presented to another party (server or client).
Trust stores contain the certificates from other parties (servers or clients). The trust store may contain certificates from trusted Certificate Authorities (CAs) as well as other parties’ self-signed certificates. Trust stores are used to verify the certificates received during a TLS transaction.
During a TLS/SSL transaction, the keystore is used to authenticate the sender to the receiver. The receiver verifies the certificate presented by checking its list of trusted certificates in the trust store.
MSS uses Bouncy Castle as the provider for keystore operations, and the .bcfks (Bouncy Castle FIPS keystore) extension is used for cryptographic files.
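As an added illustration of the two roles described above (not MSS's own code): a Java snippet that opens .bcfks files through the Bouncy Castle FIPS provider, binds one as the keystore and one as the trust store of an SSLContext, and flags any private-key entry in a file that is meant to act as a trust store. The file names, the password passed on the command line, and the assumption that both files share one password are illustrative only.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class StoreRoles {
    // Load a .bcfks file. Type "BCFKS" and provider "BCFIPS" are the names the
    // bc-fips library registers; that library must be on the classpath.
    static KeyStore loadBcfks(String path, char[] password) throws Exception {
        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
        KeyStore ks = KeyStore.getInstance("BCFKS", "BCFIPS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // A trust store should hold only other parties' certificates; a private key
    // entry in it means a keystore and a trust store have been confused.
    static int countPrivateKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) n++;
        }
        return n;
    }
    public static void main(String[] args) throws Exception {
        // Assumption: the trustedcerts password is passed as args[0]; in MSS it is
        // kept encrypted in the keychain, not typed on a command line.
        char[] pw = args[0].toCharArray();
        KeyStore own = loadBcfks("rweb.bcfks", pw);          // keystore: own cert + key
        KeyStore trusted = loadBcfks("trustedws.bcfks", pw); // trust store: others' certs
        if (countPrivateKeyEntries(trusted) > 0) {
            throw new IllegalStateException("private key found in trust store");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(own, pw);                 // authenticates this party to its peer
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);                 // verifies the certificate the peer presents
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    }
}
```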
The tables that follow identify and describe the credentials stored in each location.
The keystores in this location include the Management and Security Server certificate + private key, the client certificate + private key, and the imported certificates on the Trusted Certificates list for the terminal emulator client.
The keystores in MSSData/trustedcerts are described in Table 7-1.
Keystore location: %ProgramData%/Micro Focus/MSS/MSSData/trustedcerts/
Password location: This keystore password is encrypted in the KeyChain (in MSSData/keychain.bcfks).
To change this password: Administrative Console > Configure Settings – General Security > Change keystore password
Table 7-1 Stores used by MSS

Keystore | Function
---|---
client.bcfks |
rweb.bcfks |
saml.bcfks |
sshclient.bcfks |
trustedascj.bcfks |
trustedps.bcfks |
trustedws.bcfks |
The Keychain contains a SecretKeyEntry with assorted encrypted secrets, including the keystore password for files in trustedcerts.
Keystore location: %ProgramData%/Micro Focus/MSS/MSSData/keychain.bcfks
Password location: Either base64 in %ProgramData%/Micro Focus/MSS/MSSData/rweb.pwd, or in the KeychainUtility.
To change this password: Administrative Console > Configure Settings – General Security > Keychain
The keystores in server/etc are described in Table 7-2.
Keystore location: %ProgramFiles%/Micro Focus/MSS/server/etc/
Password location: Obfuscated in %ProgramFiles%/Micro Focus/MSS/server/services/servletengine-tomcat/META-INF/service.ctx.xml.
To change this password: In /MSS/server/conf/container.properties, update these settings:
Table 7-2 Stores used by Tomcat

Keystore | Function
---|---
servletcontainer.bcfks |
system.bcfks |
The keystores in securityproxy/keystores are described in Table 7-3.
Keystore location: %ProgramFiles%/Micro Focus/MSS/securityproxy/keystores/
Password location: hard-coded
To change this password: This password cannot be changed.
Table 7-3 Stores used by Security Proxy

Keystore | Function
---|---
rwebps.bcfks |
trustedps.bcfks |
trustedws.bcfks |
The cacerts trust store contains a set of commonly used root certificates that comes by default with Management and Security Server.
Keystore location: %ProgramFiles%/Micro Focus/MSS/jre/jre/lib/security/cacerts
Password location: System property javax.net.ssl.trustStorePassword
To change this password: Set a property in container.conf and change the password of the file using a utility such as keytool, Portecle, or KeyStore Explorer.
To view the certificates, go to Configure Settings – Trusted Certificates. Select Management and Security Server as the Certificate Store, and then open the list under Trusted Root Certificate Authorities.
The cacerts trust store is:
used for LDAPS
the trust store for outbound TLS
combined with trustedascj for RASM, MFAA, replication, but not for LDAPS
not a .bcfks file