How to Import a third party SSL certificate into the JXweb and JXplorer keystores?

Article ID: 52970

Products

DIRECTORY SECURITY MISC CODES SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description

This document describes how to import a custom or external root CA certificate into the JXweb and JXplorer keystores so that clients can log in using SSL.

Solution

The following instructions assume that a root CA certificate was created using a third-party SSL tool, following the instructions in the Administration guide "Use DXcertgen to Request and Use a Third-party Certificate for a DSA Certificate".

Once the third-party certificate has been imported into trusted.pem, you still need to import it into the JXweb or JXplorer keystores.

There are two ways of doing this. The first and simplest way is to import the root certificate using JXplorer.

  • Open JXplorer.

  • In the Security menu, select 'Trusted Servers and CAs'.

  • Select 'Add Certificate'. This will prompt you for a password. By default, the password is 'changeit'. It may have already been changed.

  • Add the new trusted.pem file. This can be given any name, and the old one can be removed later.

  • Log in using SSL to test the import.

For JXweb:

  • Open JXplorer.

  • In the Security menu, select 'Advanced Keystore Options'.

  • Under 'Setup the Trusted CA/Server keystore', save the current path value, then change the path of the cacerts keystore to that of the JXweb cacerts keystore. This is normally found in

    \Program Files\CA\Directory\dxwebserver\webapps\jxweb\docs\security

    Load this and press 'OK'.

  • In the Security menu, select 'Trusted Servers and CAs'.

  • Select 'Add Certificate'. This will prompt you for a password. By default, the password is 'changeit'. It may have already been changed.

  • Add the new trusted.pem file.

  • Change the path to the cacerts keystore back to the original JXplorer path.

  • Restart the dxwebserver service.

  • Log in to JXweb using SSL to test the change.

The second way to do this is to use the Java keytool:

  • Ensure trusted.pem includes only the Begin Certificate/End Certificate parts, to comply with the X.509 format.

  • Using the Java keytool, import trusted.pem into the cacerts keystore for either JXweb or JXplorer.

Example:

> keytool -import -trustcacerts -file <path to trusted.pem> -keystore <path to cacerts> -storepass <password>

  • If using JXweb, restart the dxwebserver service.

  • Log in to the desired client via SSL to test.
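
One way to carry out the first keytool step, shown as an added example that is not part of the original article or of CA Directory: the script keeps only the CERTIFICATE blocks of a PEM bundle, reports any other blocks it dropped (a private key must never end up in a trust store), and prints each certificate's SHA-256 fingerprint so it can be checked against the value obtained from the CA before the import. The function name and the sample bundle are assumptions; the sample uses constructed placeholder bytes, not a real certificate or key.

```python
import base64
import hashlib
import re

# Matches any PEM block; group 1 is the label, group 2 the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def extract_certificates(pem_text):
    """Return (clean_pem, fingerprints, dropped_labels) for a PEM bundle."""
    kept, fingerprints, dropped = [], [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            dropped.append(label)  # e.g. PRIVATE KEY: keep it out of the trust store
            continue
        # Strict decode: a corrupted body raises instead of being imported.
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
        # Re-emit the block with canonical 64-column wrapping.
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        kept.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return "\n".join(kept) + ("\n" if kept else ""), fingerprints, dropped


# Constructed sample: placeholder bytes stand in for real DER, so the bundle
# parses as PEM but holds no usable certificate or key.
FAKE_DER = b"constructed-root-ca-der-bytes" * 4
SAMPLE = (
    "subject=/CN=Example Root CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(b"constructed-key-bytes").decode("ascii") + "\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    clean, prints, dropped = extract_certificates(SAMPLE)
    print(clean, end="")
    for fp in prints:
        print("SHA-256 fingerprint:", fp)
    print("Dropped blocks:", dropped)
```

Write the cleaned text to the file passed to keytool with -file, and import only after the printed fingerprint matches the one supplied by the CA.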

Environment

Release:
Component: ETRDIR