The Management Server has a single private key that it uses to identify itself when making secure connections to the Web Console, API clients, and Collectors. This private key is stored in the config directory under the installation directory. By default, the BlueStripe self-signed certificate and private key are installed.
Each Collector must have a public certificate for each Management Server it is authorized to access. These public certificates are stored in the config directory under the installation directory. Removing a Management Server's certificate from a Collector blocks subsequent access. If a Management Server's certificate is signed by a Certificate Authority, the CA's public certificate must also be included in the config directory on the Collector. Starting with V8.1.0 you must "opt-in" to use the BlueStripe self-signed certificate.
Each Web Browser must accept the certificate into its Trust Store for Web Console connections. Using the BlueStripe self-signed certificate will cause self-signed SSL certificate warnings in the browser, and the certificate will need to be added as a Security Exception to trust the site. You can disable HTTPS for the Web Console by adding or changing this option in the FactFinderMS.properties file and restarting the Management Server:
bluestripe.web.api.http.enabled = true
Recommended Upgrade Process to use a custom certificate
The recommended process to roll out a new certificate while minimizing loss of connectivity:
1. Upgrade the Management Server which will continue to use the default BlueStripe self-signed certificate and private key.
2. Upgrade the Collectors passing in the location of the new Management Server public certificate(s) and (optionally) the CA public certificate, but don't select the option to remove the BlueStripe self-signed certificate. If doing silent installs you must pass a new installation flag "/DefaultCert" or "--defaultcert" to opt-in.
3. Install the Management Server's new certificate and private key and restart. This will force new connections to use the new certificate.
4. Optionally delete the BlueStripe self-signed certificate at the Collectors.
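The reason the order of these steps matters, as an added example (a model written for this page, not BlueStripe code). It tracks which certificates each Collector trusts after every step and reports the Collectors that could not open a new connection; the certificate labels, Collector names and the pre-upgrade state (every Collector trusts only the default certificate) are assumptions.

```python
# Added illustration: models certificate trust during the rollout; not product code.
DEFAULT = "bluestripe-self-signed"   # label for the default certificate
CUSTOM = "custom-ms-cert"            # constructed label for the new certificate

def simulate(plan, collectors=("collector-a", "collector-b")):
    """Run the steps in order and return [(step, [collectors unable to connect])]."""
    ms_cert = DEFAULT                              # certificate the Management Server presents
    trust = {c: {DEFAULT} for c in collectors}     # assumed pre-upgrade state
    timeline = []
    for step in plan:
        action = step[0]
        if action == "upgrade_collector":          # step 2, one Collector at a time
            _, name, new_certs, keep_default = step
            # From V8.1.0 the default certificate stays trusted only on opt-in.
            trust[name] = set(new_certs) | ({DEFAULT} if keep_default else set())
        elif action == "install_ms_cert":          # step 3, includes the restart
            ms_cert = step[1]
        elif action == "remove_default":           # step 4
            for certs in trust.values():
                certs.discard(DEFAULT)
        elif action != "upgrade_ms":               # step 1 leaves ms_cert unchanged
            raise ValueError(f"unknown step: {action}")
        down = sorted(c for c in collectors if ms_cert not in trust[c])
        timeline.append((action, down))
    return timeline

def outages(plan):
    """Only the steps after which at least one Collector is cut off."""
    return [(action, down) for action, down in simulate(plan) if down]

RECOMMENDED = [
    ("upgrade_ms",),
    ("upgrade_collector", "collector-a", [CUSTOM], True),
    ("upgrade_collector", "collector-b", [CUSTOM], True),
    ("install_ms_cert", CUSTOM),
    ("remove_default",),
]
# Step 3 moved ahead of step 2: Collectors do not yet hold the new certificate.
MS_CERT_FIRST = [RECOMMENDED[0], RECOMMENDED[3], RECOMMENDED[1], RECOMMENDED[2]]
# Step 2 without opting in to the default certificate on one Collector.
NO_OPT_IN = [RECOMMENDED[0], ("upgrade_collector", "collector-a", [CUSTOM], False),
             RECOMMENDED[2], RECOMMENDED[3]]

if __name__ == "__main__":
    for name, plan in [("recommended", RECOMMENDED), ("ms cert first", MS_CERT_FIRST),
                       ("no opt-in", NO_OPT_IN)]:
        print(name, outages(plan) or "no loss of connectivity")
```

The recommended order works because, between steps 2 and 3, every Collector trusts both certificates, so the switch in step 3 finds the new certificate already in place.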
Refer to the Administrator's Guide for more information:
- Installing Custom Certificates under the Management Server
- Collector Install and Silent Install
# Whether to use SSL when connecting with collectors.
bluestripe.factfinder.ms.server.useSSL = true
# KeyStore Configuration
# Sets the filename of the keystore to use for secure connections.
# If a custom file is used, you must generate a data file with FactFinderKeyStoreTool. Run FactFinderKeyStoreTool -? for usage.
Article ID: 3134886 - Last Review: 11 Jan 2016 - Revision: 1