Install a New Server Certificate: Java Keystore

Use this procedure to replace the default Transfer Server or Gateway Administrator server certificate with a CA-signed certificate contained within a Java keystore.

Before you begin

Obtain a Java keystore A Java keystore is used for storage and transportation of certificates and associated private keys. Use the Java keytool utility to manage keystore files. (*.bcfks) file that contains your private key and a certificate signed by a Certificate Authority (CA) A server, in a trusted organization, which issues digital certificates. The CA manages the issuance of new certificates and revokes certificates that are no longer valid for authentication. A CA may also delegate certificate issuance authority to one or more intermediate CAs creating a chain of trust. The highest level CA certificate is referred to as the trusted root. . You can use the following procedures to create your keystore using the Java keytool utility.

To replace the default server certificate with a certificate in a Java keystore

  1. Move the new Java keystore to the folder that holds the default keystore (or to any secure location on your server). The default keystore locations are:

    <install path>\TransferServer\etc\

    <install path>\GatewayAdministrator\etc\

    CAUTION:Do not delete any of the existing certificates or keystore files in these locations. The server certificates located here are required for communication between Reflection Gateway components.

  2. Locate the container.properties file in the location below for the server you are updating.

    <install path>\TransferServer\conf\container.properties

    <install path>\GatewayAdministrator\conf\container.properties

  3. Open container.properties in a text editor (running as an administrator). Remove the comment character (#) from the following lines and edit them to point to your keystore and specify your keystore password. For example:

    servletengine.ssl.keystore=../etc/newkeystore.jks
    servletengine.ssl.keystorepassword=mypassword

    NOTE:The path to the keystore must be specified using forward slashes or escaped backslashes. For example: C:/pathto/keystore or C:\\pathto\\keystore

  4. Run the new migrate_keystore.bat file.

  5. Open container.properties in a text editor and edit the following lines:

    servletengine.ssl.keystore=../etc/migrated.bcfks
    servletengine.ssl.keystoretype=BCFKS
  6. Restart the server you are configuring. See Start and Stop the Reflection Transfer Server and Start and Stop the Reflection Gateway Administrator Service.

  7. If you replaced the Gateway Administrator certificate, you must repeat the Activate and verify action on the Reflection Secure Shell Proxy. This reestablishes the connection to the Gateway Administrator using the new certificate.

  8. Confirm that you can log on to the Transfer Client or Gateway Administrator. If you can't log in, or if you continue to see a certificate warning message, see Troubleshooting Server Certificate Setup.

NOTE:If you are using a load-balancing proxy to ensure high availability of Reflection Gateway services, you will need to configure duplicate server systems after making these changes. For details, see Ensuring High Availability of Reflection Gateway Services,