Re-encrypt a PKCS#12 file to Use Stronger Encryption

If you configure a FileXpress server to authenticate with a PKCS#12 file, the file must be encrypted with a FIPS-approved algorithm. Many tools export PKCS#12 files with weaker legacy encryption by default (40-bit RC2, for example), and the server cannot decrypt such a file: your browser will not be able to connect to the service, and the console log file will include the message "java.io.IOException: Could not decrypt data." You can use the keytool utility from the ServerJDK installed with FileXpress, together with the JsafeJCE provider jars shipped in the TransferServer lib folder, to re-encrypt the file with a FIPS-approved algorithm.

To re-encrypt a PKCS#12 file using a FIPS-approved algorithm

  1. Open a Command Prompt window running as an administrator. (Start > All Programs > Accessories, right-click Command Prompt > Run as administrator.)
  2. Use a SET command to add the ServerJDK bin folder, which contains keytool.exe, to your PATH. The version folder name varies by installation, so confirm the actual ServerJDK version under C:\Program Files\Common Files\Attachmate\ServerJDK before you run the command. For example:

    SET PATH=%PATH%;C:\Program Files\Common Files\Attachmate\ServerJDK\1.7.0_67\bin

  3. Define a variable called FXG_ROOT that points to your FileXpress installation folder. For example:

    SET FXG_ROOT=C:\Program Files\Attachmate\FileXpress\Gateway

  4. Run the following command, replacing nonfips.p12 and fips.p12 with your source and destination filenames. Enter it as a single line: every hyphen is part of an option name, and there must be no spaces after the hyphens or after the semicolons that separate the three jar paths. Confirm that the jar version numbers (6.1.1.2014.0123 here) match the files actually present in %FXG_ROOT%\TransferServer\lib. Use a destination filename that does not already exist; if fips.p12 exists, keytool imports into it rather than replacing it.

    keytool -providerName JsafeJCE -providerClass com.rsa.jsafe.provider.JsafeJCE -providerPath "%FXG_ROOT%\TransferServer\lib\cryptojce-6.1.1.2014.0123.jar;%FXG_ROOT%\TransferServer\lib\cryptojcommon-6.1.1.2014.0123.jar;%FXG_ROOT%\TransferServer\lib\jcmFIPS-6.1.1.2014.0123.jar" -importkeystore -srcstoretype PKCS12 -srckeystore nonfips.p12 -destkeystore fips.p12 -deststoretype PKCS12

  5. Enter passwords when prompted. keytool asks for the destination keystore password first (and asks you to re-enter it), then for the source keystore password; use the same password for both.

    Note: If the destination and source passwords don't match, the server will not be able to open the keystore and the browser will not be able to launch the application.
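The procedure above fixes the file, but it gives no way to see which algorithms a given .p12 actually uses before or after re-encryption. The following Python script is an added example (not FileXpress, keytool or JsafeJCE code): it reads the AlgorithmIdentifier of the encrypted certificate safe and of the shrouded private-key bag directly out of the PKCS#12 DER structure, which needs no password, and flags anything that is not AES or three-key Triple DES. The FIPS policy it applies is the script's own assumption, as are the two sample files, which are constructed inline with placeholder ciphertext rather than exported from any real keystore. To check your own files, pass their bytes to inspect_pkcs12(), for example inspect_pkcs12(open("fips.p12", "rb").read()).

```python
# Added example (not FileXpress, keytool or JsafeJCE code): list the PBE algorithms a PKCS#12 file
# uses. AlgorithmIdentifiers are stored in the clear, so no password is needed. The sample files are
# constructed at the bottom with placeholder ciphertext: real structure, no real encryption.
OID_DATA, OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
OID_SHROUDED_KEY_BAG, OID_PBES2, OID_PBKDF2 = "1.2.840.113549.1.12.10.1.2", "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
OID_RC2_40, OID_3DES_3KEY = "1.2.840.113549.1.12.1.6", "1.2.840.113549.1.12.1.3"
OID_AES256_CBC, OID_DES_EDE3 = "2.16.840.1.101.3.4.1.42", "1.2.840.113549.3.7"
NAMES = {OID_RC2_40: "pbeWithSHA1And40BitRC2-CBC", "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
         OID_3DES_3KEY: "pbeWithSHA1And3-KeyTripleDES-CBC", "1.2.840.113549.1.12.1.4": "pbeWithSHA1And2-KeyTripleDES-CBC",
         OID_AES256_CBC: "aes256-CBC", "2.16.840.1.101.3.4.1.2": "aes128-CBC", OID_DES_EDE3: "des-EDE3-CBC"}
# Policy assumed here: AES and three-key TDES count as FIPS-approved (TDES is now deprecated by NIST);
# RC2, RC4 and two-key TDES do not. Check the list your product's FIPS provider actually enforces.
FIPS_OK = {OID_AES256_CBC, "2.16.840.1.101.3.4.1.2", OID_3DES_3KEY, OID_DES_EDE3}

def der(tag, body):                                        # minimal DER encoder, used for the samples only
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else len(body)]) + lb + body

def der_oid(dotted):                                       # arcs in base 128, high bit set except on the last byte
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc := arc >> 7:
            enc.insert(0, 0x80 | (arc & 0x7F))
        body += enc
    return der(0x06, bytes(body))

def seq(*items): return der(0x30, b"".join(items))
def octets(b): return der(0x04, b)
def integer(i): return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def explicit0(b): return der(0xA0, b)

def decode(buf, pos=0):                                    # minimal DER decoder: (tag, body, next_pos) of element at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2         # single-byte tags and definite lengths only
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def children(body):                                        # members of a constructed element as (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = decode(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def describe_algorithm(alg_body):                          # AlgorithmIdentifier body -> (name, fips_ok)
    parts = children(alg_body)
    oid = decode_oid(parts[0][1])
    if oid == OID_PBES2:                                   # the real cipher is PBES2-params.encryptionScheme
        oid = decode_oid(children(children(parts[1][1])[1][1])[0][1])
        return "PBES2/" + NAMES.get(oid, oid), oid in FIPS_OK
    return NAMES.get(oid, oid), oid in FIPS_OK

def inspect_pkcs12(p12):
    """Return [(component, algorithm, fips_ok), ...] for every PBE the file uses."""
    found = []
    _, content = children(children(decode(p12)[1])[1][1])  # PFX.authSafe = ContentInfo{data, [0] OCTET STRING}
    for _, ci in children(decode(children(content[1])[0][1])[1]):   # AuthenticatedSafe members
        ctype, content = children(ci)
        oid, inner = decode_oid(ctype[1]), children(content[1])[0][1]
        if oid == OID_ENCRYPTED_DATA:                      # certificate safe: PKCS#7 EncryptedData
            alg = children(children(inner)[1][1])[1][1]    # .encryptedContentInfo.contentEncryptionAlgorithm
            found.append(("certificate safe (EncryptedData)",) + describe_algorithm(alg))
        elif oid == OID_DATA:                              # plain safe holding shrouded key bags
            for _, bag in children(decode(inner)[1]):
                bag_id, bag_value = children(bag)[:2]
                if decode_oid(bag_id[1]) == OID_SHROUDED_KEY_BAG:
                    alg = children(children(bag_value[1])[0][1])[0][1]   # EncryptedPrivateKeyInfo.encryptionAlgorithm
                    found.append(("private key (PKCS8ShroudedKeyBag)",) + describe_algorithm(alg))
    return found

def pkcs12_pbe(oid):                                       # legacy PKCS#12 PBE, params = {salt, iterations}
    return seq(der_oid(oid), seq(octets(b"\x00" * 8), integer(2048)))

def pbes2(cipher_oid):                                     # PKCS#5 PBES2: PBKDF2 (default PRF) + CBC cipher with IV
    kdf = seq(der_oid(OID_PBKDF2), seq(octets(b"\x00" * 8), integer(10000)))
    return seq(der_oid(OID_PBES2), seq(kdf, seq(der_oid(cipher_oid), octets(b"\x00" * 16))))

def build_sample(cert_alg, key_alg):                       # PFX with one EncryptedData safe and one shrouded key bag
    fake = b"\xde\xad\xbe\xef" * 4                         # placeholder ciphertext, not real encryption
    enc_data = seq(integer(0), seq(der_oid(OID_DATA), cert_alg, der(0x80, fake)))
    cert_ci = seq(der_oid(OID_ENCRYPTED_DATA), explicit0(enc_data))
    key_bag = seq(der_oid(OID_SHROUDED_KEY_BAG), explicit0(seq(key_alg, octets(fake))))
    key_ci = seq(der_oid(OID_DATA), explicit0(octets(seq(key_bag))))
    return seq(integer(3), seq(der_oid(OID_DATA), explicit0(octets(seq(cert_ci, key_ci)))))

WEAK_P12 = build_sample(pkcs12_pbe(OID_RC2_40), pkcs12_pbe(OID_3DES_3KEY))     # a typical legacy export
STRONG_P12 = build_sample(pkcs12_pbe(OID_3DES_3KEY), pbes2(OID_AES256_CBC))    # acceptable under FIPS_OK
if __name__ == "__main__":
    for label, p12 in (("legacy export", WEAK_P12), ("re-encrypted", STRONG_P12)):
        findings = inspect_pkcs12(p12)
        print(label, "->", "acceptable" if all(ok for _, _, ok in findings) else "REJECT", findings)
```

The script looks only at the two places where a PKCS#12 file records how its contents were encrypted: the contentEncryptionAlgorithm of the PKCS#7 EncryptedData safe that holds the certificates, and the encryptionAlgorithm of the PKCS8ShroudedKeyBag that holds the private key. For PBES2 it reports the inner encryptionScheme, because that is the cipher that matters. A file whose certificate safe reports pbeWithSHA1And40BitRC2-CBC is the kind of file the procedure above exists for: 40-bit RC2 is not FIPS-approved, so a FIPS provider refuses to decrypt the safe even though the private key may already be under Triple DES.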