Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Log in to the CTERA Portal master DB server as root, using SSH.

  2. Copy the root certificate file associated with the CAC certificate file and any intermediate certificates in the chain to the /root/ path of the Master DB Server.

  3. Create the truststore.

    1. In the Master DB Server and enter the following commands: . $bindir/ ; export _JAVA_OPTIONS

    2. Move to the /usr/local/ctera/apache-tomcat/webapps/ directory and run the following keytool commands for the CAC certificate file and any intermediate certificates in the chain. For example, for a CAC certificate file named RootCA1.cer and an intermediate certificate named IntermediateCA1.cer, run the following two commands, changing the jdk1.8.0_201 value to the JDK on the server (use the command ls -d /usr/local/ctera/jdk*/bin to find the current JDK bin directory):
      /usr/local/ctera/jdk1.8.0_201/bin/keytool -import -keystore truststore -file /root/CRootCA1RootCA1.cer -alias rootca1 -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
      /usr/local/ctera/jdk1.8.0_201/bin/keytool -import -keystore truststore -trustcacerts -alias intermediateca1 -file /root/IntermediateCA1.cer -alias intermediateca1 -trustcacerts -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
      The alias name of each certificate in the keytool command must be unique.

    3. Convert the truststore format to BCFKS format by running the following command, changing the jdk value to the JDK on the server:
      keytool -importkeystore -srckeystore /usr/local/ctera/apache-tomcat/webapps/truststore -srcstoretype JKS -destkeystore /usr/local/ctera/apache-tomcat/webapps/truststore.bcfks -deststoretype BCFKS -srcprovidername "SUN" -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath /usr/local/ctera/jdk1.8.0_201/jre/lib/ext/SafeLogic_CTERA.jar -srcstorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg) -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)

      You can display the entries in the new BCFKS keystore with the following command:
      keytool -list -v -keystore truststore.bcfks -storetype BCFKS -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
      The password is the SERVER_KEY, which is extracted automatically from /etc/ctera/portal.cfg and used in the following part of above command $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg).

    4. Copy the truststore.bcfks file to the same path of the Replication DB server and all the portal servers, such as the application and preview serverservers. For example, using SCP, run the following command:
      scp truststore.bcfks root@portal_ip_address:/usr/local/ctera/apache-tomcat/webapps

  4. Enable FIPS by running the following in the command line: set /settings/javaSecurityProviderMode FIPS
    Note: You can also set FIPS using the CLI command from within the portal user interface, as described in Execute CLI Commands from the Global Admin User Interface

  5. Restart the portal servers.