NOTE: The keystore commands noted here are for a default installation and start at the sessionserver/etc directory. If you have installed Reflection ZFE to another location, you must modify the path appropriately.
To secure this connection:
How to create a CSR for Reflection ZFE
Windows
(Replace the dname parameter with your own.)
..\..\java\bin\keytool.exe -genkeypair -dname "CN=zfe-1.microfocus.com, O=Micro Focus, C=US" -alias servlet-engine -keyalg RSA -keysize 2048 -keystore servletcontainer.jks -validity 1095 -storetype jks -storepass changeit -keypass changeit
..\..\java\bin\keytool.exe -certreq -alias servlet-engine -keystore servletcontainer.jks -file cert_request.csr -ext ExtendedkeyUsage=serverAuth -storetype jks -storepass changeit
UNIX
(Replace the dname parameter with your own.)
../../java/bin/keytool -genkeypair -dname "CN=zfe-1.microfocus.com, O=Micro Focus, C=US" -alias servlet-engine -keyalg RSA -keysize 2048 -keystore servletcontainer.jks -validity 1095 -storetype jks -storepass changeit -keypass changeit
../../java/bin/keytool -certreq -alias servlet-engine -keystore servletcontainer.jks -file cert_request.csr -ext ExtendedkeyUsage=serverAuth -storetype jks -storepass changeit
After you receive the certificate from the CA, you will import the certificate into Reflection ZFE.
How to import a CA-signed certificate/chain into Reflection ZFE for HTTPS
If the CA Reply contains separate root and intermediate certificate files, import the root certificate into the keystore first, followed by the intermediate certificate.
These examples run keytool from the sessionserver/etc directory.
Windows
..\..\java\bin\keytool.exe -importcert -alias rootca -trustcacerts -file <RootCA.cer> -keystore servletcontainer.jks -storetype jks -storepass changeit
..\..\java\bin\keytool.exe -importcert -alias intermediateca -trustcacerts -file <IntermediateCA.cer> -keystore servletcontainer.jks -storetype jks -storepass changeit
..\..\java\bin\keytool.exe -importcert -alias servlet-engine -trustcacerts -file <CertChainFromCA.p7b> -keystore servletcontainer.jks -storetype jks -storepass changeit
Before running the following command, rename the existing servletcontainer.bcfks to servletcontainer.bcfks_prev:
..\..\java\bin\keytool.exe -importkeystore -srckeystore servletcontainer.jks -srcstoretype jks -srcstorepass changeit -destkeystore servletcontainer.bcfks -deststoretype bcfks -deststorepass changeit -providername BCFIPS -providerpath ..\lib\bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
UNIX
../../java/bin/keytool -importcert -alias rootca -trustcacerts -file <RootCA.cer> -keystore servletcontainer.jks -storetype jks -storepass changeit
../../java/bin/keytool -importcert -alias intermediateca -trustcacerts -file <IntermediateCA.cer> -keystore servletcontainer.jks -storetype jks -storepass changeit
../../java/bin/keytool -importcert -alias servlet-engine -trustcacerts -file <CertChainFromCA.p7b> -keystore servletcontainer.jks -storetype jks -storepass changeit
Before running the following command, rename the existing servletcontainer.bcfks to servletcontainer.bcfks_prev:
../../java/bin/keytool -importkeystore -srckeystore servletcontainer.jks -srcstoretype jks -srcstorepass changeit -destkeystore servletcontainer.bcfks -deststoretype bcfks -deststorepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
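A check to run on servletcontainer.jks after the import steps above and before converting it to BCFKS, as an added example that is not part of the product documentation: it reads keytool -list -v output and confirms that the servlet-engine alias still holds the private key and now carries the CA-issued chain rather than the self-signed certificate from -genkeypair. The function name check_entry and both sample listings are constructed for illustration.

```shell
# Added example, not vendor code. Real use, from sessionserver/etc:
#   ../../java/bin/keytool -list -v -keystore servletcontainer.jks \
#     -storetype jks -storepass changeit | check_entry servlet-engine
# Reads keytool -list -v text on stdin; prints "ok" or "fail: <reason>".
check_entry() {
  awk -v want="$1" '
    /^Alias name: /   { cur = substr($0, 13); if (cur == want) seen = 1 }
    cur != want       { next }
    /^Entry type: /   { type = substr($0, 13) }
    /^Certificate chain length: / { len = $NF + 0 }
    /^Certificate\[1\]:/ { leaf = 1; next }   # leaf = server certificate
    /^Certificate\[/  { leaf = 0 }            # later chain members
    leaf && /^Owner: /  { owner = substr($0, 8) }
    leaf && /^Issuer: / { issuer = substr($0, 9) }
    END {
      if (!seen) msg = "alias not found"
      else if (type != "PrivateKeyEntry") msg = "no private key under alias"
      else if (len < 2) msg = "chain length " len ": CA reply not imported"
      else if (owner == issuer) msg = "leaf is self-signed"
      if (msg != "") { print "fail: " msg; exit 1 }
      print "ok"
    }'
}

# Constructed sample: state right after -genkeypair (self-signed only).
sample_before() { cat <<'EOF'
Alias name: servlet-engine
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=zfe-1.microfocus.com, O=Micro Focus, C=US
Issuer: CN=zfe-1.microfocus.com, O=Micro Focus, C=US
EOF
}
# Constructed sample: state after the CA reply has been imported.
sample_after() { cat <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry
Alias name: servlet-engine
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=zfe-1.microfocus.com, O=Micro Focus, C=US
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
EOF
}
sample_before | check_entry servlet-engine || true
sample_after | check_entry servlet-engine
```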