Regenerating the SCA SSL Keystore

Learn how to regenerate the SSL keystore for BigFix Compliance (SCA) when updating the SSL certificate.

Before you begin

Before you begin, ensure that the following requirements are met:
  • The customer already has a valid SSL certificate in one of the following forms: .p12, .pfx, .crt + .key, or .jks.
  • The SCA installation root directory is referenced as <BFC_ROOT>.
Typical Paths:
Keystore: <BFC_ROOT>\wlp\usr\servers\server1\resources\security\key_server.jceks
Config: <BFC_ROOT>\wlp\usr\servers\server1\server.xml

About this task

When updating the SSL certificate used by BigFix Compliance (SCA), a new Liberty-compatible keystore file (key_server.jceks) must be generated.
There are two possible scenarios:
  • Generate a new self-signed certificate.
  • Convert an existing SSL certificate (already issued by a CA) into the JCEKS format. This document covers the second scenario, which matches the customer's situation.

Procedure

  1. Convert the SSL certificate if it is already in PKCS#12 format.
    If you already have a .p12 or .pfx file that contains both the private key and the certificate chain, convert it directly to the JCEKS format with keytool:
    keytool -importkeystore ^
     -srckeystore newcert.p12 ^
     -srcstoretype PKCS12 ^
     -destkeystore key_server.jceks ^
     -deststoretype JCEKS ^
     -srcstorepass <source_password> ^
     -deststorepass <new_password>
  2. Combine certificate and private key if they are in separate files.
    If you have separate .crt and .key files, first create a PKCS#12 container using OpenSSL:
    openssl pkcs12 -export \
     -in server.crt \
     -inkey server.key \
     -out newcert.p12 \
     -name "default"
    Then, run the same keytool -importkeystore command from the previous step.
  3. Encode the New Keystore Password.
    Use Liberty's built-in utility to encode the password before putting it into server.xml (the utility lives under <BFC_ROOT>\wlp\bin, for example D:\SCA\wlp\bin):
    D:\SCA\wlp\bin\securityUtility encode "<new_password>" --encoding=aes
    Example output:
    {aes}vUuQxKDl7P7H1q93Ld4xqw==
  4. Update the server.xml file.
    Edit only the password line for the default keystore:
    <keyStore id="defaultKeyStore"
              location="key_server.jceks"
              password="{aes}vUuQxKDl7P7H1q93Ld4xqw=="/>
    
  5. Restart SCA.
    Restart the Liberty server hosting SCA.
    Verify in the log file:
    <BFC_ROOT>\wlp\usr\servers\server1\logs\messages.log
    You should see: CWWKS4104A: SSL certificate has been successfully loaded
  6. Optional Verification.
    Check the loaded certificate:
    keytool -list -v -keystore key_server.jceks -storetype JCEKS -storepass <new_password>
  7. Quick Summary of Exchange.
    Table 1. Quick Summary
    Step | Action                               | Command / File            | Notes
    -----|--------------------------------------|---------------------------|-------------------------
    1    | Customer already has SSL certificate | .p12 / .pfx / .crt + .key | -
    2    | Convert or import                    | keytool -importkeystore   | Creates key_server.jceks
    3    | Encode password                      | securityUtility encode    | Produces {aes}… string
    4    | Update config                        | server.xml                | Replace password only
    5    | Restart & verify                     | SCA Liberty logs          | Confirm CWWKS4104A
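As an added check that is not part of the original procedure, the following Python script validates the keyStore entry edited in step 4 before the server is restarted: it confirms that exactly one defaultKeyStore entry exists, that any explicit type attribute agrees with the file extension (Liberty infers the store type from the extension when type is omitted), and that the password was AES-encoded rather than left in plaintext or xor-obfuscated. The two server.xml fragments are constructed samples; the function name check_keystore_config is this example's own.

```python
"""Validate the <keyStore> entry in a Liberty server.xml after regenerating key_server.jceks."""
import xml.etree.ElementTree as ET
from pathlib import PurePath

# Liberty infers the keystore type from the file extension when the 'type' attribute is omitted.
EXT_TO_TYPE = {".jceks": "JCEKS", ".jks": "JKS", ".p12": "PKCS12", ".pfx": "PKCS12"}


def check_keystore_config(server_xml, keystore_id="defaultKeyStore"):
    """Return a list of findings; an empty list means the keyStore entry looks right."""
    findings = []
    root = ET.fromstring(server_xml)
    stores = [ks for ks in root.iter("keyStore") if ks.get("id") == keystore_id]
    if len(stores) != 1:
        return ["expected exactly one keyStore with id=%r, found %d" % (keystore_id, len(stores))]
    ks = stores[0]
    location = ks.get("location", "")
    password = ks.get("password", "")
    explicit_type = ks.get("type")

    ext = PurePath(location).suffix.lower()
    inferred = EXT_TO_TYPE.get(ext)
    if inferred is None:
        findings.append("unrecognised keystore extension in location=%r" % location)
    elif explicit_type and explicit_type.upper() != inferred:
        findings.append("type=%r does not match extension %r (%s)" % (explicit_type, ext, inferred))

    # {xor} is obfuscation only and can be decoded with securityUtility; {aes} is encryption.
    # Note that {aes} uses a default key unless wlp.password.encryption.key is configured.
    if not password:
        findings.append("keyStore has no password attribute")
    elif password.startswith("{xor}"):
        findings.append("password is {xor}-encoded, which is reversible; re-encode with --encoding=aes")
    elif not password.startswith("{aes}"):
        findings.append("password is stored in plaintext; encode it with securityUtility encode --encoding=aes")
    return findings


# Constructed sample: the entry from step 4 (password value copied from the example output in step 3).
GOOD_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore"
            location="key_server.jceks"
            password="{aes}vUuQxKDl7P7H1q93Ld4xqw=="/>
</server>"""

# Constructed sample of a common mistake: plaintext password and a type that contradicts the extension.
BAD_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="key_server.jceks" type="PKCS12" password="changeit"/>
</server>"""

if __name__ == "__main__":
    for name, xml_text in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        print(name, check_keystore_config(xml_text) or ["OK"])
```

To check a live installation, read <BFC_ROOT>\wlp\usr\servers\server1\server.xml into a string and pass it to check_keystore_config.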

Results

The new SSL certificate is successfully applied, key_server.jceks is regenerated, and SCA runs with the updated encrypted password reference.