Stores Used by the Session Server

Identity certificates

As a convenience, the identity certificates for each type of server are available at the following locations, outside of their respective keystores mentioned below.

HACloud session server certificate - HACloud/sessionserver/etc/<computer-name>.cer
MSS certificate - MSS/server/etc/<computer-name>.cer

Session server keystore and truststore

The keystore and truststore used by the session server are described in the table below.

Location: HACloud/sessionserver/etc/
Type: bcfks (Bouncy Castle FIPS keystore)
Default password: changeit

Keystore	Function
keystore.bcfks	Credential store for incoming TLS connections Contains the certificate served up by the session server Used for embedded web server (Jetty) Created at start up
trustcerts.bcfks	Trust store for outgoing TLS connections Used to verify the servers the session server connects to, such as MSS Trust store for verifying incoming load balancer connections when using X.509 authentication through a load balancer Created at start up

Note

Trust for host emulation connections is managed by MSS. See Make a secure emulation connection to a trusted host

To change a keystore or truststore password

In HACloud/sessionserver/conf/container.properties, update these settings:

server.ssl.key-store-password
server.ssl.trust-store-password

For security reasons it is best to use an obfuscated password. To generate one, run the following command from the HACloud/sessionserver directory:

../java/jre/bin/java -cp ./lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password passwordToObfuscate