Summary

If you recreate the Root CA on a BoKS Master, the BoKS Web Services Interface (WSI) will no longer be able to communicate with this BoKS Master.


In the WSI server logs you will get a stack trace ending with error messages pointing to problems with the keystore file for the domain, similar to the following examples:

2015-02-05 02:33:38,723 ERROR com.foxt.mds.JettyServer - Configuration error - Unrecoverable problem with the keystore file for domain domain1
2015-04-03 02:34:18,408 ERROR com.foxt.mds.ServerProxy.domain1 - Could not connect to domain host.
2015-04-03 02:34:18,409 ERROR com.foxt.mds.JettyServer - Configuration error - Failed to contact BoKS master. error = Could not connect to domain host.

In order to resolve this, you need to recreate the Java Keystore file on the WSI server with the correct Host Certificate, Private Key and CA Chain. There is one .jks file per domain stored in the configuration directory under the sub-directory certificates/, by default: /etc/opt/mds/certificates/.

Procedure

You need to use two different utilities to achieve this: bccgethostcert (on the Master) and createtrust.sh (on the WSI server).

bccgethostcert - Export the host certificate, private key and CA chain

This utility is located in $BOKS_sbin (/opt/boksm/sbin by default). Running bccgethostcert creates two files:

- A PKCS#12 file containing the private key and the host certificate.

- A file containing the CA certificates.

Usage:

bccgethostcert [-c ] [-p ]

Note: When running the bccgethostcert command you will be prompted to enter a password for the PKCS#12 file. It is important to enter the same password as used for the Java Keystore file.

The keystore password is available on the WSI server in the file /etc/opt/mds/config.yaml:

certstorepwd: "password"

It should be entered without the quotes ("").

# bccgethostcert -c ca-chain.out -p .p12


createtrust.sh - Create the Java Keystore file

This utility is located in lib/ under the WSI install directory (default /opt/mds/lib). It takes the files produced by bccgethostcert, the password of the PKCS#12 file and the password of the Java Keystore file (which must be identical) and creates the .jks.

Usage:

createtrust.sh -c -h -j [-p ] [-P ]

Note: You should rename the current keystore file before running this command. The keystore files are located in /etc/opt/mds/certificates/ by default. For example to rename the keystore file for domain1:

# mv /etc/opt/mds/certificates/domain1.jks /etc/opt/mds/certificates/domain1.jks.$(date +%y%m%d-%H%M%S)

Run createtrust.sh to create the new Java Keystore. Its inputs are the output files from the bccgethostcert command together with the password of the PKCS#12 file and the password of the Java Keystore.

# /opt/mds/lib/createtrust.sh -c ca-chain.out -h $(hostname).p12 -j /etc/opt/mds/certificates/domain1.jks [-p "keystore-password"] [-P "keystore-password"]

You are prompted for the keystore password and the PKCS#12 password if you don't provide them via the -p and -P options. Again, the PKCS#12 password must be the same as the keystore password.

Check that the owner and permissions of the keystore are correctly set to the functional user account used for the BoKS Web Services Interface.

# ls -l /etc/opt/mds/certificates/domain1.jks

-rw------- 1 mds mds 2417 Mar 2 19:44 domain1.jks

Restart the BoKS Web Services Interface.

# /etc/init.d/mds stop

# /etc/init.d/mds start
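The WSI-side steps above collected into one script, as an added example that is not part of this article or of the BoKS/WSI product: it reads certstorepwd from config.yaml without the quotes, moves the old keystore aside with a timestamp, runs createtrust.sh with the same password for the PKCS#12 file and the keystore, checks owner and mode, and restarts the service. The functional account name (mds) and the /opt/mds and /etc/opt/mds paths are assumed from the article's defaults.

```shell
#!/bin/sh
# Added example, not part of the original article or of the BoKS/WSI product.
# Wraps the WSI-side steps: read the keystore password, back up the old .jks,
# run createtrust.sh, verify owner/mode, restart the service.
set -eu

MDS_CONFIG="${MDS_CONFIG:-/etc/opt/mds/config.yaml}"
MDS_CERTDIR="${MDS_CERTDIR:-/etc/opt/mds/certificates}"
MDS_USER="${MDS_USER:-mds}"   # assumption: the WSI functional account is "mds"

# Print the certstorepwd value from config.yaml with the surrounding quotes
# removed; the same value must be given to bccgethostcert and createtrust.sh.
keystore_password() {
    sed -n 's/^certstorepwd:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Move the current keystore aside with a timestamp suffix and print the new name.
backup_keystore() {
    backup="$1.$(date +%y%m%d-%H%M%S)"
    mv "$1" "$backup"
    printf '%s\n' "$backup"
}

# Succeed only if the keystore is owned by the given user with mode 0600,
# matching the "-rw------- 1 mds mds" line the article expects from ls -l.
check_keystore_perms() {
    owner=$(ls -l "$1" | awk '{print $3}')
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$owner" = "$2" ] && [ "$mode" = "-rw-------" ]
}

# Rebuild <domain>.jks from the CA chain and PKCS#12 file exported on the Master.
rebuild_domain_keystore() {
    domain="$1"; cachain="$2"; p12="$3"
    jks="$MDS_CERTDIR/$domain.jks"
    ksp=$(keystore_password "$MDS_CONFIG")
    [ -n "$ksp" ] || { echo "no certstorepwd in $MDS_CONFIG" >&2; return 1; }
    if [ -f "$jks" ]; then backup_keystore "$jks"; fi
    # PKCS#12 and keystore passwords must be identical, so pass the same value twice.
    /opt/mds/lib/createtrust.sh -c "$cachain" -h "$p12" -j "$jks" -p "$ksp" -P "$ksp"
    check_keystore_perms "$jks" "$MDS_USER" || { echo "fix owner/mode of $jks" >&2; return 1; }
    /etc/init.d/mds stop && /etc/init.d/mds start
}

# Usage: RUN_REBUILD=1 sh rebuild-keystore.sh domain1 ca-chain.out "$(hostname).p12"
if [ "${RUN_REBUILD:-0}" = 1 ]; then rebuild_domain_keystore "$@"; fi
```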


Last Modified On: May 30, 2018