Stores used by the session server

Identity certificates:

As a convenience, the identity certificates for each type of server are available at the following locations, outside of their respective keystores mentioned below.

  • HACloud session server certificate - HACloud/sessionserver/etc/<computer-name>.cer

  • MSS certificate - MSS/server/etc/<computer-name>.cer

Session server keystore and truststore:

The keystore and truststore used by the session server are described in the table below.

  • Location: HACloud/sessionserver/etc/

  • Type: bcfks (Bouncy Castle FIPS keystore)

  • Default password: changeit

Keystore: keystore.bcfks

Function:

  • Credential store for incoming TLS connections

  • Contains the certificate served up by the session server

  • Used for the embedded web server (Jetty)

  • Created at startup

Keystore: trustcerts.bcfks

Function:

  • Trust store for outgoing TLS connections

  • Used to verify the servers the session server connects to, such as MSS

  • Trust store for verifying incoming load balancer connections when using X.509 authentication through a load balancer

  • Created at startup

NOTE: Trust for host emulation connections is managed by MSS. See Make a secure emulation connection to a trusted host.

To change a keystore or truststore password

In HACloud/sessionserver/conf/container.properties, update these settings:

  • server.ssl.key-store-password

  • server.ssl.trust-store-password

For security reasons it is best to use an obfuscated password. To generate one, run the following command from the HACloud/sessionserver directory:

../java/jre/bin/java -cp ./lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password passwordToObfuscate
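
After changing the passwords, the two settings can be checked with a short script. The following is an added example, not part of the product or its documentation: it reads the text of container.properties and reports whether each store password is missing, still the default, in cleartext, or obfuscated. The function names and the sample file content are assumptions made for illustration; the OBF: prefix is what the Jetty Password tool puts on obfuscated values.

```python
import re

# Settings and default named on this page (conf/container.properties).
PASSWORD_KEYS = ("server.ssl.key-store-password",
                 "server.ssl.trust-store-password")
DEFAULT_PASSWORD = "changeit"
OBF_PREFIX = "OBF:"  # prefix Jetty's Password tool puts on obfuscated values


def parse_properties(text):
    """Minimal .properties reader: key=value / key:value, '#' and '!' comments.
    Line continuations are not handled (assumed unused for these settings)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_store_passwords(text):
    """Classify each store-password setting; never echoes the value itself."""
    props = parse_properties(text)
    findings = {}
    for key in PASSWORD_KEYS:
        value = props.get(key)
        if value is None:
            findings[key] = "not set"
        elif value == DEFAULT_PASSWORD:
            findings[key] = "default password"
        elif value.startswith(OBF_PREFIX):
            findings[key] = "obfuscated"
        else:
            findings[key] = "cleartext"
    return findings


# Constructed sample, not taken from a real installation.
SAMPLE = """\
# container.properties (excerpt)
server.ssl.key-store-password=changeit
server.ssl.trust-store-password = OBF:1constructed0value
"""

if __name__ == "__main__":
    for key, finding in audit_store_passwords(SAMPLE).items():
        print(f"{key}: {finding}")
```

An OBF: value is reversible by design and only protects against casual viewing, so container.properties should also be readable only by the account that runs the session server.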