Trusted Certificates
The Certificate Store contains the certificates that are trusted by the terminal emulator client and the Management and Security Server.
Note
When using Clustering, any changes made to the certificate stores (+IMPORT or DELETE certificates) will be replicated to the other MSS servers in the cluster. You do not need to repeat the process on each MSS server.
Select Terminal Emulator Clients or Management and Security Server to filter the view of trusted certificates.
- Certificate Store - Terminal Emulator Clients
- Certificate Store - Management and Security Server
- Trusted Root Certificate Authorities
Certificate Store - Terminal Emulator Clients
Clients that make a TLS connection to a host or Security Proxy must trust the host or proxy certificate. This panel presents a list of root certificates trusted by the terminal emulator applet.
The table lists the certificates that have been imported to the terminal emulator applet's trusted list. To view details about the certificate, click the certificate's Friendly name.
To add a client certificate to the MSS trust store:
- With Terminal Emulator Clients selected, click +IMPORT.
- Click UPLOAD. Select the file containing the certificate to upload to the MSS Server.
- Enter the Keystore file name, Keystore password, and Friendly name.
- Click IMPORT to add the certificate.
- Restart the MSS Server.
See Trusted Root Certificate Authorities (collapsed by default).
Certificate Store - Management and Security Server
This collection of certificates includes CA certificates used to authenticate X.509 clients and to establish other servers as known and trusted to the Management and Security Server. To view details, click the certificate's Friendly name.
This collection is used for the following features:
- X.509 with Fallback to LDAP authentication: Add CA certificate(s) needed to authenticate end-user certificates, such as a certificate stored on a smart card.
For these features, certificates are added to establish the other server as known and trusted.
- Automated Sign-On for Mainframe: Add certificate(s) to establish trust of a Mainframe host.
- Micro Focus Advanced Authentication (MFAA): Add certificate(s) to trust the MFAA host.
Server certificates from other servers should be included in this certificate collection.
To add a server certificate to the MSS trust store:
- With Management and Security Server selected, click +IMPORT.
- Click UPLOAD. Select the file containing the certificate to upload to the MSS Server.
- Enter the Keystore file name, Keystore password, and Friendly name.
- Click IMPORT to add the certificate.
- Restart the MSS Server.
Important
When X.509 with Fallback to LDAP authentication is used in conjunction with other MSS features that also use the certificates in this collection (such as Automated Sign-On for Mainframe), use caution to ensure that trust is not inadvertently broadened and granted to unintended end-user clients.
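A pre-import check for the caution above, as an added example that is not part of the MSS product or its documentation: it reads a certificate file with the openssl CLI and reports whether it is a CA certificate before you add it to the Management and Security Server collection. The script and function names are hypothetical, and the statement that a CA in this collection can anchor end-user certificates is an assumption drawn from the description of X.509 with Fallback to LDAP above.

```shell
#!/bin/sh
# Added example: review a certificate file before importing it into the
# Management and Security Server collection. Not MSS tooling.
# Assumes the openssl CLI is installed; pass the certificate file as $1.

# cert_role: reads `openssl x509 -noout -text` output on stdin and prints
# "ca" when basicConstraints says CA:TRUE, otherwise "end-entity".
cert_role() {
    awk '/X509v3 Basic Constraints/ {
             if ((getline val) > 0 && val ~ /CA:TRUE/) ca = 1
         }
         END { print (ca ? "ca" : "end-entity") }'
}

# import_advice: maps the role to what to confirm before clicking IMPORT.
# Assumption: a CA in this collection can anchor end-user certificates when
# X.509 with Fallback to LDAP is enabled, per the caution in the text.
import_advice() {
    case $1 in
        ca) echo "REVIEW: CA certificate; every certificate it issues chains to this trust anchor" ;;
        *)  echo "OK: end-entity certificate; trust covers this one certificate only" ;;
    esac
}

# review_cert: prints identity, expiry warning and import advice for a file.
review_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # Subject, issuer, expiry and SHA-256 fingerprint, to compare with the
    # values published by the certificate's owner.
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
        echo "WARNING: expires within 30 days"
    import_advice "$(printf '%s\n' "$text" | cert_role)"
}

if [ $# -gt 0 ]; then review_cert "$1"; fi
```

A REVIEW result for a certificate that is meant only to establish trust in a Mainframe or MFAA host is the case the caution describes.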
See Trusted Root Certificate Authorities (collapsed by default).
Trusted Root Certificate Authorities
This table is collapsed by default on the Trusted Certificates panel. The table lists the set of commonly used root certificates in Management and Security Server. To view details about a root certificate, click its Friendly Name.
If a trusted CA root certificate expires or is compromised, you may need an update.
Note
If certificate changes are needed by Windows-based clients to perform X.509 authentication, you must restart the Management and Security Server for the changes to take effect.