Summary

If you recreate the Root CA on a BoKS Master, the BoKS Control Center (BCC) Presentation Server will no longer be able to communicate with the Admin Server (bccasd) on the BoKS Master.

 

In order to resolve this you will need to recreate the Java Keystore file (trustfile.jks) on the BoKS Control Center Presentation Server (which may or may not be running on the Master) with the correct Host Certificate, Private Key and CA Chain.


Procedure


You will need to use two different utilities to achieve this: bccgethostcert (on the Master) and createtrust.sh (on the BCC Presentation Server).

bccgethostcert - Export the host certificate, private key and CA chain

This utility is located in $BOKS_sbin (/opt/boksm/sbin by default). This will create two files:

- A PKCS#12 file containing the private key and the host certificate.

- A file containing the CA certificates.

 

Usage:

bccgethostcert [-c ] [-p ]

Note: When running the bccgethostcert command you will be prompted to enter a password for the PKCS#12 file. It is important to enter the same password as used for the Java Keystore file. The keystore password is available in $BCCPS_etc/bcc.properties.

If you would like to set a new password for the keystore you can do so at this point (requires changing the password in bcc.properties).

 

 

# bccgethostcert -c ca-chain.out -p bcc_hostname.p12 bcc_hostname

Replace "bcc_hostname" with the actual hostname of the BCC server in the example above.

 

 

createtrust.sh - Create the Java Keystore file

This utility is located in the $BCCPS_sbin directory (default /opt/bccps/sbin). It takes the files produced by bccgethostcert, the password of the PKCS#12 file and the password of the Java Keystore file (which must be identical) and creates the trustfile.jks.

 

 

Usage:

createtrust.sh -c -h -j [-p ] [-P ]

 

 

Note: You should rename the current keystore file before running this command. The trustfile is located in /etc/opt/bccps/ by default.

 

# mv /etc/opt/bccps/trustfile.jks /etc/opt/bccps/trustfile.jks.$(date +%y%m%d-%H%M%S)

 


Run createtrust.sh. It will create a new Java Keystore. Its inputs are the output files from the bccgethostcert command and the passwords of the PKCS#12 and Java Keystore files.

# /opt/bccps/sbin/createtrust.sh -c ca-chain.out -h bcc_hostname.p12 -j /etc/opt/bccps/trustfile.jks

Replace "bcc_hostname" with the actual hostname of the BCC server in the example above.


You will be prompted for the keystore password and the PKCS#12 password if you don't provide them via the -p and -P options. Again, the PKCS#12 password must be the same as the keystore password.

Check that the keystore is owned by the functional user account used for the BoKS Web Services Interface and that its permissions are set correctly.

# ls -l /etc/opt/bccps/trustfile.jks

-rw------- 1 bccps bccps 2417 Mar 2 19:44 /etc/opt/bccps/trustfile.jks
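The same owner and permission check can be scripted. The following is an added example, not part of the vendor utilities; it also covers the timestamped copies created by the mv step above, since they still hold the previous private key. The function names are hypothetical, and the owner (bccps), mode (-rw-------) and directory (/etc/opt/bccps) are taken from the defaults shown in this article.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed defaults from the article:
# keystore /etc/opt/bccps/trustfile.jks, owner bccps, mode -rw-------.

# check_keystore FILE OWNER -> 0 if FILE is a regular, non-symlink file
# owned by OWNER and readable/writable by the owner only.
check_keystore() {
    ks=$1
    want=$2
    if [ -L "$ks" ] || [ ! -f "$ks" ]; then
        echo "FAIL $ks: not a regular file" >&2
        return 1
    fi
    # ls -ld fields: mode, link count, owner, group, ...
    set -- $(ls -ld "$ks")
    case $1 in
        -rw-------|-rw-------.) ;;   # a trailing "." only marks an SELinux context
        *) echo "FAIL $ks: mode $1 (want -rw-------)" >&2; return 1 ;;
    esac
    if [ "$3" != "$want" ]; then
        echo "FAIL $ks: owner $3 (want $want)" >&2
        return 1
    fi
    return 0
}

# audit_keystores DIR OWNER -> checks trustfile.jks and its timestamped
# copies (trustfile.jks.*); the return status is the number of failures.
audit_keystores() {
    dir=$1
    owner=$2
    bad=0
    for f in "$dir"/trustfile.jks "$dir"/trustfile.jks.*; do
        # Skip the literal pattern when no timestamped copy exists,
        # but still report a missing trustfile.jks.
        [ -e "$f" ] || [ -L "$f" ] || [ "$f" = "$dir/trustfile.jks" ] || continue
        check_keystore "$f" "$owner" || bad=$((bad + 1))
    done
    return "$bad"
}

# Typical call on the BCC Presentation Server:
#   audit_keystores /etc/opt/bccps bccps && echo "keystore files OK"
```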

 

 

Verify the communication

The communication from the BCC Presentation Server to the bccasd server in BoKS can be verified by running $BCCPS/sbin/pingbccas.sh.

 

Run pingbccas.sh to verify that the communication is now functioning correctly with the certificates from the new keystore.

# /opt/bccps/sbin/pingbccas.sh

 

 

If all is functioning correctly, BCC can be restarted to pick up the new Java Keystore.

# /etc/init.d/bccps stop
# /etc/init.d/bccps start

 

 



Last Modified On: October 15, 2018