Re-encrypt a PKCS#12 file to Use Stronger Encryption
If you configure a FileXpress server to authenticate with a PKCS#12 file, the file must be encrypted with a FIPS-approved algorithm. PKCS#12 files written by older tools commonly protect their certificate bags with 40-bit RC2, which is not FIPS-approved. If the file's encryption is not accepted, your browser will not be able to connect to the service, and the console log file will include the message "java.io.IOException: Could not decrypt data." You can use the keytool utility, together with the FIPS provider shipped with FileXpress, to re-encrypt the file.
To re-encrypt a PKCS#12 file using a FIPS-approved algorithm
- Open a Command Prompt window running as an administrator. (Start > All Programs > Accessories, right-click Command Prompt > Run as administrator.)
- Use a SET command to add the keytool folder to your path. (Confirm the actual ServerJDK version for your installation.) For example:
SET PATH=%PATH%;C:\Program Files\Common Files\Attachmate\ServerJDK\1.7.0_67\bin
- Define a variable called FXG_ROOT that points to your FileXpress installation folder. For example:
SET FXG_ROOT=C:\Program Files\Attachmate\FileXpress\Gateway
- Run the following command, replacing nonfips.p12 and fips.p12 with your source and destination filenames. (This is a single-line command. Hyphens shown here are all required characters. Ensure that there are no spaces after hyphens and semicolons.)
keytool -providerName JsafeJCE -providerClass com.rsa.jsafe.provider.JsafeJCE -providerPath "%FXG_ROOT%\TransferServer\lib\cryptojce-6.1.1.2014.0123.jar;%FXG_ROOT%\TransferServer\lib\cryptojcommon-6.1.1.2014.0123.jar;%FXG_ROOT%\TransferServer\lib\jcmFIPS-6.1.1.2014.0123.jar" -importkeystore -srcstoretype PKCS12 -srckeystore nonfips.p12 -destkeystore fips.p12 -deststoretype PKCS12
- When prompted, enter the passwords, using the same password for the destination keystore as for the source keystore.
Note: If the two passwords do not match, the server will not be able to open the keystore and the browser will not be able to launch the application.
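The procedure above does not show how to tell which encryption schemes a given .p12 file actually uses, before or after re-encryption. The following Python script is an added example, not part of the FileXpress documentation or product: using only the standard library, it walks the DER structure of a PKCS#12 file, lists the password-based encryption OIDs it finds, and flags the RC2/RC4 family (and two-key triple DES) as not FIPS-approved. The exact set of algorithms the JsafeJCE FIPS provider accepts is not listed on this page, so treat the script's classification as a first check rather than the product's rule. It handles definite-length DER, which is what Java's keytool writes; OpenSSL-generated files use indefinite-length BER and are rejected with an error. The two demo blobs (LEGACY_PFX, STRONG_PFX) are constructed inline with dummy salt and ciphertext bytes and carry no real key material.

```python
"""Report which password-based encryption schemes a PKCS#12 (.p12/.pfx) file uses.
Added example, stdlib only; definite-length DER (keytool output), demo blobs constructed with dummy bytes."""
import sys
from contextlib import suppress
from pathlib import Path
PBE_OIDS = {  # content-encryption / key-shrouding algorithm identifiers seen in PKCS#12 files
    "1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHA1And2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.3.7": "des-EDE3-CBC",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
# RC2 and RC4 are not FIPS-approved; two-key TDES is disallowed by NIST SP 800-131A.
NOT_FIPS = {n for n in PBE_OIDS.values() if "RC2" in n or "RC4" in n or "2-Key" in n}

def _read_tlv(buf, pos):  # one DER TLV (single-byte tags suffice for PKCS#12) -> (tag, body, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite-length BER or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag == 0 or pos + length > len(buf):             # tag 0x00 is invalid DER; rejects most ciphertext
        raise ValueError("not DER")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 byte of this arc
            arcs += ([2, v - 80] if v >= 80 else [v // 40, v % 40]) if not arcs else [v]
            v = 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """Every OID in buf, recursing into constructed types and into OCTET STRINGs that parse as DER."""
    pos, found = 0, []
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(body))
        elif tag & 0x20:                                # SEQUENCE, SET, [0] EXPLICIT, ...
            found += collect_oids(body)
        elif tag == 0x04:                               # heuristic: nested DER, else opaque salt/ciphertext
            with suppress(ValueError, IndexError):
                found += collect_oids(body)
    return found

def pkcs12_encryption_report(pfx):
    """Names of the PBE/cipher schemes a PKCS#12 blob uses, and the subset that is not FIPS-approved."""
    names = sorted({PBE_OIDS[o] for o in collect_oids(pfx) if o in PBE_OIDS})
    return {"algorithms": names, "not_fips": sorted(set(names) & NOT_FIPS)}

def _der(tag, body):  # DER encoders below are used only to construct the demo blobs
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, (0x80 | len(lb)) if lb else n]) + lb + body

def _oid(dotted):
    arcs, out = [int(a) for a in dotted.split(".")], b""
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytes([v & 0x7F])
        while v >> 7:
            v >>= 7
            chunk = bytes([0x80 | (v & 0x7F)]) + chunk
        out += chunk
    return _der(0x06, out)

SEQ = lambda *p: _der(0x30, b"".join(p))
CTX0 = lambda *p: _der(0xA0, b"".join(p))                       # [0] EXPLICIT
OCT = lambda b: _der(0x04, b)
INT = lambda i: _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
PKCS12_PBE = lambda oid: SEQ(_oid(oid), SEQ(OCT(b"\x11" * 8), INT(2048)))   # params: {salt, iterations}
PBES2_AES256 = SEQ(_oid("1.2.840.113549.1.5.13"), SEQ(
    SEQ(_oid("1.2.840.113549.1.5.12"), SEQ(OCT(b"\x22" * 16), INT(10000),
        SEQ(_oid("1.2.840.113549.2.9"), _der(0x05, b"")))),        # PBKDF2 with hmacWithSHA256
    SEQ(_oid("2.16.840.1.101.3.4.1.42"), OCT(b"\x33" * 16))))      # aes256-CBC with IV

def build_demo_pfx(cert_algid, key_algid):
    """Constructed PFX: certificates as EncryptedData under cert_algid, a PKCS8ShroudedKeyBag under key_algid."""
    data = _oid("1.2.840.113549.1.7.1")
    certs_ci = SEQ(_oid("1.2.840.113549.1.7.6"), CTX0(SEQ(INT(0),
               SEQ(data, cert_algid, _der(0x80, b"\xAA" * 32)))))   # [0] IMPLICIT ciphertext
    key_bag = SEQ(_oid("1.2.840.113549.1.12.10.1.2"), CTX0(SEQ(key_algid, OCT(b"\xBB" * 48))))
    mac = SEQ(SEQ(SEQ(_oid("1.3.14.3.2.26"), _der(0x05, b"")), OCT(b"\xCC" * 20)), OCT(b"\xDD" * 8), INT(2048))
    return SEQ(INT(3), SEQ(data, CTX0(OCT(SEQ(certs_ci, SEQ(data, CTX0(OCT(SEQ(key_bag)))))))), mac)

# What older keytool/OpenSSL versions write by default: RC2-40 for certificates, 3-key TDES for the key.
LEGACY_PFX = build_demo_pfx(PKCS12_PBE("1.2.840.113549.1.12.1.6"), PKCS12_PBE("1.2.840.113549.1.12.1.3"))
STRONG_PFX = build_demo_pfx(PBES2_AES256, PBES2_AES256)

if __name__ == "__main__":  # python p12check.py [file.p12 ...]; with no arguments, reports on the demo blobs
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]]
    for label, blob in targets or [("legacy demo", LEGACY_PFX), ("strong demo", STRONG_PFX)]:
        print(label, pkcs12_encryption_report(blob))
```

After running the keytool command, run the script against both files (python p12check.py nonfips.p12 fips.p12) and confirm that the destination file reports an empty not_fips list; the report for the source file typically shows why it was rejected. Because the OCTET STRING descent is a heuristic, a ciphertext that happens to parse as DER could add a spurious OID, so treat an unexpected entry as a prompt to inspect the file with a full ASN.1 dumper rather than as proof.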