Using Default Java Cryptography - Reflection ZFE 2.3.4

6.1 Using Default Java Cryptography

Reflection ZFE uses Bouncy Castle, which is a Java implementation of cryptographic algorithms, to ensure secure connections between components. Occasionally it may become advantageous to replace the Bouncy Castle implementation with standard Java cryptography.

This is a two-step process: first, replace Bouncy Castle with the Java implementation; second, import certificates to enable communication between MSS and Reflection ZFE.

Replacing Bouncy Castle with the Java cryptographic implementation:

  1. Open sessionserver\conf\container.conf in a text editor.

  2. Set -Dcom.attachmate.integration.container.CRYPTO.enabled to false. For example:

                wrapper.java.additional.10=-Dcom.attachmate.integration.container.CRYPTO.enabled=false
              
  3. Update these trust store settings to use the default JKS format.

    • wrapper.java.additional.6=-Djavax.net.ssl.trustStore=../etc/servletcontainer.jks
    • wrapper.java.additional.8=-Djavax.net.ssl.trustStoreType=jks
    • wrapper.java.additional.12=-Dmanagement.server.client.ssl.trustStoreFileName=../etc/servletcontainer.jks
    • wrapper.java.additional.13=-Dmanagement.server.client.ssl.trustStoreType=jks

    Save the file.

  4. Open \sessionserver\services\servletengine\META-INF\service-ctx.xml

  5. Modify the settings as follows:

    • Update keystoreName and keystorePath from bcfks to jks
    • Update keystoreType and trustStoreType from BCFKS to JKS
    • Insert <property name="keyStoreType" value="JKS"/> into the mutualAuthKeystoreGenerator bean.
  6. Restart the session server.
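
A check for the container.conf edits in steps 2 and 3, added here as an example and not part of Reflection ZFE or its documentation. It assumes that lines starting with # are comments and ignores the wrapper.java.additional.N index; the function names and the sample configuration are constructed for illustration.

```shell
# Added example: verify container.conf after steps 2-3 of the procedure.
# Property names and expected values come from those steps; treating '#'
# lines as comments and ignoring the .N index are assumptions.

# Print the value of -D<property>= from the last active (non-comment) line.
conf_value() {  # $1 = conf file, $2 = property name without -D
    awk -v key="-D$2=" '
        /^[ \t]*#/ { next }
        { sub(/[ \t\r]+$/, ""); i = index($0, key)
          if (i > 0) val = substr($0, i + length(key)) }
        END { print val }' "$1"
}

# Compare one property with its expected value and report the result.
expect_value() {  # $1 = conf file, $2 = property, $3 = expected value
    actual=$(conf_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok    $2=$actual"
    else
        echo "FAIL  $2: expected '$3', found '${actual:-<unset>}'"
        return 1
    fi
}

check_container_conf() {  # returns 0 only if all five settings match
    rc=0
    expect_value "$1" com.attachmate.integration.container.CRYPTO.enabled false || rc=1
    expect_value "$1" javax.net.ssl.trustStore ../etc/servletcontainer.jks || rc=1
    expect_value "$1" javax.net.ssl.trustStoreType jks || rc=1
    expect_value "$1" management.server.client.ssl.trustStoreFileName ../etc/servletcontainer.jks || rc=1
    expect_value "$1" management.server.client.ssl.trustStoreType jks || rc=1
    return $rc
}

# Constructed sample: a half-finished edit with one store type left at bcfks.
sample_conf() {
    cat <<'EOF'
wrapper.java.additional.6=-Djavax.net.ssl.trustStore=../etc/servletcontainer.jks
wrapper.java.additional.8=-Djavax.net.ssl.trustStoreType=jks
wrapper.java.additional.10=-Dcom.attachmate.integration.container.CRYPTO.enabled=false
wrapper.java.additional.12=-Dmanagement.server.client.ssl.trustStoreFileName=../etc/servletcontainer.jks
wrapper.java.additional.13=-Dmanagement.server.client.ssl.trustStoreType=bcfks
EOF
}

# Check the file given as the first argument, or the constructed sample.
tmp=$(mktemp); sample_conf > "$tmp"
check_container_conf "${1:-$tmp}" || echo "configuration is not fully switched to JKS"
rm -f "$tmp"
```

Run it with the path to container.conf as the first argument before restarting the session server; a FAIL line names the setting that still differs from the values in step 3.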

Configuring communication between MSS and Reflection ZFE by enabling their respective keystores:

  1. To import the MSS certificate to the Reflection ZFE keystore, from the sessionserver/etc directory, run the following commands:

    • keytool -importcert -file <path-to-the-MSS-certificate> -alias mgmt-server -keystore servletcontainer.jks -storetype jks -storepass changeit
    • keytool -importcert -file <path-to-the-MSS-certificate> -alias mgmt-server -keystore system.jks -storetype jks -storepass changeit
  2. To import the Reflection ZFE certificate to the MSS trusted subsystem keystore, from the MSS/server/etc directory, run the following command:

    • keytool -importcert -file <path-to-the-ZFE-certificate> -alias zfe-server -keystore system.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-1.0.1.jar
  3. Restart both MSS and the Reflection ZFE session server.