
Need to remove cert from default keystore webreckeys.ks


Article ID: 257326


Products

Service Virtualization

Issue/Introduction

We need to remove one of the certificates from the default keystore that comes packaged with DevPortal environments to meet security compliance.

These are used for testing and validating changes and might not break anything in prod directly, but could affect our ability to test and validate prod - so we would like to be sure.

In case I got any of the nomenclature wrong, I am asking about the certs in these directories:
 /opt/CA/DevTest10.6/IdentityAccessManager/certs/webreckeys.ks and /opt/CA/DevTest10.6/webreckeys.ks

1.    The devs tell me that we aren't using the default keystore for any of our configs, but does anything onboard the devportal use them by default? If we remove the cert are we going to break anything?

2.    Can this be removed via cli (using the keytool command?) Or is there a different process?

3.    Our person who originally set up the gateway is not available. In the event the keystore was configured with a password, would it be safe to remove the entire default keystore? Again - does anything onboard the devportal need the default keystore present to work? Is there anything we could reconfigure in this case?

Environment

All supported versions of DevTest.

Cause

N/A

Resolution

Answers to your questions:

1.    The devs tell me that we aren't using the default keystore for any of our configs, but does anything onboard the devportal use them by default? If we remove the cert are we going to break anything?

Answer: Yes. You can remove webreckeys.ks as long as you use your own keystore in its place.

webreckeys.ks is used in the following places, as described in our documentation:

SSL with VSE Recording
Keystore password: DevTest determines the custom server-side keystore password to use by looking up the following properties (in order of importance): ssl.server.cert.pass.encrypted, ssl.server.cert.password. If none of these properties exist, DevTest uses the password that is associated with the default keystore file that is located at {{LISA_HOME}}/webreckeys.ks. DevTest determines the custom client-side keystore password to use by looking up the following proper....

SSL Certificates
The certificate is in the LISA_HOME\webreckeys.ks file. When you set the default protocol to SSL and you do not change anything else, you use an "internal DevTest" certificate.

IAM Properties
{IAM_HOME} is resolved at runtime. IAM KeyStore and TrustStore Properties: iam.keystore=${IAM_HOME}certs/webreckeys.ks (location of your IAM KeyStore); iam.keystore.password=passphrase (password for accessing your IAM KeyStore).

Local Properties File
For example, to start a new simulator: Simulator -name ssl://thishost:2014/Simulator -labName ssl://regHost:2010/Registry. LISA_HOME\webreckeys.ks is a default internal self-signed certificate. For example, you can start a new simulator: Simulator -name ssl://thishost:2014/Simulator -labName ssl://regHost:2010/Registry We provide a default internal self-signed certificate (in LISA_HOME\webreckeys.ks). The next time DevTest starts, an e....

Service Virtualization API v3
object for create, including port and SSL information: { "virtualService":{ "version":"2", "name": "swaggertest273a2", "description": "Invoke API V3", "status": "", "capacity": "1", "thinkScale": "200", "autoRestart": "false", "startOnDeploy": "true", "groupTag": "test" }, "transportProtocol":{ "typeId":"HTTP", "basePath":"/", "useGateway":true, "hostHeaderPassThrough":false, "recordingEndpoint":{ "useSSL":true, "host":"", "port":"28654", "sslConfig":{ "keystoreFile":"/Applications/CA/DevTest105/....

HTTP/S Transport Protocol
Virtualize Two-way SSL Connections: To virtualize a two-way SSL connection, DevTest must have information for both the client-side keystore and server-side keystore. To use the default DevTest keystore (see webreckeys.ks in the installation directory) as the server-side keystore, extract the DevTest certificate from the DevTest keystore and add it to the client truststore.

2.    Can this be removed via cli (using the keytool command?) Or is there a different process?

Answer: The webreckeys.ks just has a keypair and no other certificates, so if you remove the key pair, the keystore would be empty.

3.    Our person who originally set up the gateway is not available. In the event the keystore was configured with a password, would it be safe to remove the entire default keystore? Again - does anything onboard the devportal need the default keystore present to work? Is there anything we could reconfigure in this case?

Answer: Yes, as long as you use your own keystore, it would be ok to remove webreckeys.ks
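
One way to check, before removing webreckeys.ks, whether any configuration still points at it or relies on the documented password fallback. This is an added example, not part of the original article or of DevTest tooling; it assumes settings live in *.properties files under the install directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not DevTest tooling): check whether a DevTest install still
# depends on the default keystore before webreckeys.ks is removed.
# Assumption: configuration lives in *.properties files under the given home.

# Print active (non-comment) property lines that reference webreckeys.ks.
default_keystore_refs() {
    find "$1" -type f -name '*.properties' -exec \
        grep -nE '^[[:space:]]*[^#![:space:]].*webreckeys\.ks' /dev/null {} + || :
}

# Succeed if either documented server-side password property is present.
custom_server_password_set() {
    find "$1" -type f -name '*.properties' -exec cat {} + |
        grep -qE '^[[:space:]]*ssl\.server\.cert\.(pass\.encrypted|password)[[:space:]]*[=:]'
}

# Return 0 when nothing found points at the default keystore, 1 otherwise.
audit_default_keystore() {
    home=$1
    status=0
    refs=$(default_keystore_refs "$home")
    if [ -n "$refs" ]; then
        echo "Active properties still name webreckeys.ks:"
        echo "$refs"
        status=1
    fi
    if ! custom_server_password_set "$home"; then
        echo "Neither ssl.server.cert.pass.encrypted nor ssl.server.cert.password is set;"
        echo "the documented fallback is the default keystore at $home/webreckeys.ks."
        status=1
    fi
    # Informational: the two default keystore locations named in this article.
    for ks in "$home/webreckeys.ks" "$home/IdentityAccessManager/certs/webreckeys.ks"; do
        [ -f "$ks" ] && echo "Present: $ks"
    done
    return "$status"
}

# Usage: sh audit.sh /opt/CA/DevTest10.6
if [ "$#" -gt 0 ]; then
    audit_default_keystore "$1"
fi
```

A non-zero exit means something still depends on the default keystore, so point those settings at your own keystore first.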