Securing Reflection ZFE Session Server to MSS

NOTE: The file paths noted here are for a default installation and assume that Java\bin is in your system path. If you have installed Reflection ZFE to another location, you must modify the paths appropriately.

These instructions pertain to the session server and require a change to the sessionserver/conf/container.properties file.

This file contains the URL of the Management and Security Server (MSS) that is used by the Reflection ZFE session server:

    management.server.url=http://my-company.com:80/mss

During the installation, you can choose to configure a secure communication channel between the Reflection ZFE session server and MSS. If you do, the install process obtains the MSS certificate and configures the Reflection ZFE session server for you.

If necessary, you can make this configuration manually after you complete the installation by following these steps:

  1. Change the management.server.url property in sessionserver/conf/container.properties to use the HTTPS protocol and specify the correct MSS port.

  2. Use the browser to connect to the HTTPS Management and Security Server URL and instruct the browser to save the certificate.

  3. Import the certificate into the appropriate Reflection ZFE keystore by running the following command (the command may vary depending on specific values) in the sessionserver/etc directory:

    keytool -importcert -file <path-to-the-MSS-certificate> -alias <some-alias> -keystore servletcontainer.bcfks -storetype bcfks -storepass not-secure -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar

  4. Repeat the same command, but replace -keystore servletcontainer.bcfks with -keystore system.bcfks.

  5. Restart the appropriate service.

These instructions use the default password, not-secure, as the keystore password. You can change the keystore password:

  1. From the sessionserver/etc directory, run the following command:

    keytool -storepasswd -new new_password -keystore servletcontainer.bcfks -storetype bcfks -storepass not-secure -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar

  2. Run the command again for the system.bcfks keystore.
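
The manual certificate import procedure above (steps 1, 3 and 4) can be scripted as follows. This is an added example, not part of the product documentation. The function names and the KS_PASS environment variable are assumptions, and the MSS HTTPS URL, certificate path and alias are supplied by the operator.

```shell
#!/bin/sh
# Added example, not vendor code. Run from the sessionserver/etc directory.
# KS_PASS is a hypothetical environment variable holding the keystore password.

# Step 1: switch management.server.url to an HTTPS URL, keeping a .bak copy.
# usage: set_mss_url ../conf/container.properties https://my-company.com:<port>/mss
set_mss_url() {
    props=$1 url=$2
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS MSS URL: $url" >&2; return 1 ;;
    esac
    grep -q '^management\.server\.url=' "$props" || {
        echo "management.server.url not found in $props" >&2; return 1; }
    cp "$props" "$props.bak" &&
    awk -v u="$url" '
        /^management\.server\.url=/ { print "management.server.url=" u; next }
        { print }' "$props.bak" > "$props"
}

# Steps 3 and 4: import the saved MSS certificate into both keystores.
# -noprompt is deliberately omitted: keytool prints the certificate and asks
# for confirmation, so the fingerprint can be compared with the MSS server's.
# -storepass:env reads the password from KS_PASS instead of the command line.
# usage: import_mss_cert <path-to-the-MSS-certificate> <some-alias>
import_mss_cert() {
    cert=$1 cert_alias=$2
    for ks in servletcontainer.bcfks system.bcfks; do
        keytool -importcert -file "$cert" -alias "$cert_alias" \
            -keystore "$ks" -storetype bcfks -storepass:env KS_PASS \
            -providername BCFIPS \
            -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
            -providerpath ../lib/bc-fips-1.0.1.jar || return 1
    done
}
```

After both functions succeed, restart the service as in step 5.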
