How to use a custom certificate on BlueStripe Management Server

By default, the FactFinder Management Server and Collectors use a default BlueStripe self-signed certificate and private key to encrypt communication. Starting with V8.1.0 these can be replaced with custom self-signed or Certificate Authority (CA) signed certificates.

The Management Server has a single private key that it uses to identify itself. This private key is used for making secure connections to the Web Console, API clients, and Collectors. It is stored in the config directory under the installation directory. By default, the BlueStripe self-signed certificate and private key are installed.


Each Collector must have a public certificate for each Management Server it is authorized to access. These public certificates are stored in the config directory under the installation directory. Removing a Management Server's certificate from a Collector blocks subsequent access. If a Management Server's certificate is signed by a Certificate Authority, the CA's public certificate must also be included in the config directory on the Collector. Starting with V8.1.0 you must "opt in" to use the BlueStripe self-signed certificate.

Each web browser must accept the certificate into its trust store for Web Console connections. Using the BlueStripe self-signed certificate causes self-signed SSL certificate warnings, and the certificate must be added as a security exception for the browser to trust the site. You can disable HTTPS for the Web Console by adding or changing this option in the FactFinderMS.properties file and restarting the Management Server: bluestripe.web.api.http.enabled = true

Recommended Upgrade Process to use a custom certificate

The recommended process for rolling out a new certificate while minimizing loss of connectivity:


1. Upgrade the Management Server, which will continue to use the default BlueStripe self-signed certificate and private key.

2. Upgrade the Collectors, passing in the location of the new Management Server public certificate(s) and (optionally) the CA public certificate, but don't select the option to remove the BlueStripe self-signed certificate. If doing silent installs, you must pass a new installation flag "/DefaultCert" or "--defaultcert" to opt in.

3. Install the Management Server's new certificate and private key and restart. This will force new connections to use the new certificate.

4. Optionally delete the BlueStripe self-signed certificate at the Collectors.

Refer to the Administrator's Guide for more information:
  • Installing Custom Certificates under the Management Server
  • Collector Install and Silent Install
Management Server configuration options

# Whether to use SSL when connecting with collectors.
bluestripe.factfinder.ms.server.useSSL = true

# KeyStore Configuration
# Sets the filename of the keystore to use for secure connections.
# If a custom file is used, you must generate a data file with FactFinderKeyStoreTool. Run FactFinderKeyStoreTool -? for usage.
bluestripe.ms.keystore=factfinder.p12
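
The following check is an added example, not code from BlueStripe or from this article: it reads the text of a FactFinderMS.properties file and reports the transport settings named above that weaken the certificate rollout. The sample file contents, the keystore name ms-custom.p12, the severity labels, and the treatment of factfinder.p12 as the keystore name when the key is unset are assumptions made for illustration.

```python
import re

USE_SSL = "bluestripe.factfinder.ms.server.useSSL"
HTTP_ON = "bluestripe.web.api.http.enabled"
KEYSTORE = "bluestripe.ms.keystore"

# Constructed sample files (not taken from a real deployment).
WEAK = """\
# Whether to use SSL when connecting with collectors.
bluestripe.factfinder.ms.server.useSSL = false
bluestripe.web.api.http.enabled = true
bluestripe.ms.keystore=factfinder.p12
"""
HARDENED = """\
bluestripe.factfinder.ms.server.useSSL = true
bluestripe.ms.keystore=ms-custom.p12
"""

def parse_properties(text):
    """Parse key=value / key:value lines; comments start with # or !.
    Line continuations and escapes are not handled; the last duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return (severity, key, message) findings for the settings this page names."""
    props = parse_properties(text)
    findings = []
    use_ssl = props.get(USE_SSL)
    if use_ssl is None:
        findings.append(("INFO", USE_SSL, "not set; confirm the product default"))
    elif use_ssl.lower() != "true":
        findings.append(("HIGH", USE_SSL, "Collector connections do not use SSL"))
    if props.get(HTTP_ON, "").lower() == "true":
        findings.append(("HIGH", HTTP_ON, "HTTPS is disabled for the Web Console"))
    # Assumption: factfinder.p12 is the name in the page's sample config; the file
    # may already hold a custom key, so this finding is only a prompt to check.
    if props.get(KEYSTORE, "factfinder.p12") == "factfinder.p12":
        findings.append(("INFO", KEYSTORE, "verify this keystore holds the custom key"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

Run it against the Management Server's properties file after step 3 of the rollout, before removing the BlueStripe self-signed certificate from the Collectors.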

Properties

Article ID: 3134886 - Last Review: 01/11/2016 02:29:00 - Revision: 1.0

BlueStripe

  • KB3134886