The installer (see the chapter “Prerequisites, Installing, and Uninstalling”) automatically establishes a CA XCOM Gateway keystore and creates, or imports into it, an initial CA XCOM Gateway certificate. It also defines this initial certificate as the active certificate that CA XCOM Gateway is to use for encrypting stored files. However, it might subsequently become necessary to introduce a new certificate; for example, when the active certificate expires.
In order to retain access to previously stored and encrypted files, the certificate that was used to encrypt them must remain available in the CA XCOM Gateway keystore. Therefore, when a new certificate is to be introduced, it is added to the keystore and set as the active certificate; CA XCOM Gateway then uses the new certificate to encrypt files that arrive later. Expired certificates must remain in the keystore and must not be deleted.
It follows that the CA XCOM Gateway keystore may contain any number of certificates, each with a unique alias ID. However, at any one time only one certificate can be active, and the alias ID of the currently active certificate must be specified in CA XCOM Gateway’s global parameters, so that CA XCOM Gateway knows which certificate to use when storing new files.
To add a new certificate to the keystore, you need to use the standard Java keytool utility. The facilities offered by the keytool utility program are fully documented on the http://java.sun.com web site (http://java.sun.com/docs/books/tutorial/security/toolsign/step3.html).
To run the keytool utility, open the command prompt (Start->run->cmd), and execute the keytool utility by entering a command in the format:
"{GatewayServerInstallDirectory}\bin\keytool.exe" -import -trustcacerts -alias {alias id} -keystore "{keystore path/file}" -file "{certificate path/file}"
{GatewayServerInstallDirectory}: The path for the folder into which the CA XCOM Interface Server was installed; for example, c:\Program Files\CA\XCOMIF.
{alias id}: The unique alias ID that you want to assign to the new certificate. This ID must be different from that of any existing certificate and will subsequently be specified in CA XCOM Gateway's global parameters to identify this particular certificate as the currently active certificate (see below).
{keystore path/file}: The directory path for the keystore location and the keystore file name. You can determine the path/file for CA XCOM Gateway's existing keystore by viewing the xcom-globals.xml file and locating the <KEYSTORE PATH="…"> attribute.
{certificate path/file}: The directory path and file name of the certificate that you want to import; for example, "\caissuedcertificates\mygatewaycertificate.pem".
After you have added the new certificate by using the keytool utility, the xcom-globals.xml file must be updated to set the new certificate as the active certificate that CA XCOM Gateway is to use for encrypting new files. Within the <GATEWAYSERVER> section of the xcom-globals.xml file, locate the <CERTIFICATE ACTIVEID=".."> attribute and change the value of this attribute to the alias ID of the new certificate. After saving the updated file, you need to restart CA XCOM Gateway for the change to become effective.
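A pre-restart sanity check for this procedure, added here as an example and not part of CA's product or documentation: it reads the ACTIVEID from xcom-globals.xml, parses the alias names and expiry dates from the output of keytool -list -v, and confirms that the active alias exists in the keystore, has not expired, and that the aliases used for files already on disk are still present. The element nesting around the two attributes, the alias names, the keystore path and the keytool listing are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed xcom-globals.xml fragment: the KEYSTORE PATH and CERTIFICATE
# ACTIVEID attributes are the ones the documentation names; the nesting is assumed.
SAMPLE_GLOBALS = """<XCOM>
  <GATEWAYSERVER>
    <KEYSTORE PATH="C:\\Program Files\\CA\\XCOMIF\\gateway.keystore"/>
    <CERTIFICATE ACTIVEID="gwcert2012"/>
  </GATEWAYSERVER>
</XCOM>"""

# Constructed 'keytool -list -v' output for that keystore (alias names invented).
SAMPLE_KEYTOOL_LIST = """Alias name: gwcert2011
Valid from: Sat Jan 01 00:00:00 UTC 2011 until: Sun Jan 01 00:00:00 UTC 2012

Alias name: gwcert2012
Valid from: Sun Jan 01 00:00:00 UTC 2012 until: Tue Jan 01 00:00:00 UTC 2013
"""

CHECK_TIME = datetime(2012, 6, 1)  # constructed "now" so the check runs offline

def active_alias(globals_xml):
    """Return the ACTIVEID of GATEWAYSERVER/CERTIFICATE, or None if absent."""
    cert = ET.fromstring(globals_xml).find("./GATEWAYSERVER/CERTIFICATE")
    return cert.get("ACTIVEID") if cert is not None else None

def keystore_entries(listing):
    """Map each alias in keytool -list -v output to its 'until:' expiry date."""
    entries, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = re.search(r"until:\s*(.+)$", line)
        if m and alias:
            entries[alias] = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Z %Y")
    return entries

def check_rotation(globals_xml, listing, previous_aliases, now):
    """Return the problems found; an empty list means it is safe to restart."""
    problems, active, entries = [], active_alias(globals_xml), keystore_entries(listing)
    if active not in entries:
        problems.append(f"ACTIVEID {active!r} is not an alias in the keystore")
    elif entries[active] <= now:
        problems.append(f"active certificate {active!r} expired on {entries[active]:%Y-%m-%d}")
    for old in previous_aliases:  # aliases that encrypted files still held on disk
        if old not in entries:
            problems.append(f"alias {old!r} was removed; files encrypted with it are unreadable")
    return problems
```

On a live system, feed check_rotation the real xcom-globals.xml contents, the captured keytool -list -v output and datetime.now() in place of the constructed samples.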
Copyright © 2011 CA. All rights reserved.