Configuring the Keystore

  1. From the Provider drop-down list, select your provider.

    Note: If you are using a SafeNet Assured Technologies Luna HSM, select “Thales Luna (client software 5 and later)”.

  2. If you want to store the SSL keys in an Oracle SunJCE keystore, then select the option, Use an Oracle SunJCE keystore for SSL Key. The other keys will be stored in the keystore associated with the provider you selected.

    Important:

    You must select the Use an Oracle SunJCE keystore for SSL Key option if you are using one of the following HSMs:

    • AEP Keyper

    • Thales Luna Network

    • Thales Luna SA for Government.

    Note: If you are using an HSM, consider using this option (see the previous Important note). All crypto operations required by SSL ciphers are implemented by the HSM vendor (or by the Oracle Sun Java JDK in the case of the Oracle SunJCE provider); they are not implemented by HID Global. Recent changes in the Java SSL implementation are not uniformly compatible with the JCA provider implementations supplied by HSM vendors.

    About the Regenerate Keys option: You must be careful to determine whether or not to regenerate keys and which keys to regenerate.

    Here are some of the common scenarios.

    Case 1: If this is a fresh install (not an upgrade install), then you must regenerate all the keys.

    Case 2: If this is an upgrade install and you are configuring the keystore to use the keystore used by the previous version, then do NOT regenerate keys, except for:

    • If you selected the option Use an Oracle SunJCE keystore for SSL Key, then regenerate ONLY the SSL key.

    • An exception to the previous statement: if you already used the option provided by one of the hot fixes to use SunJCE for SSL keys, then you do not need to regenerate the SSL key.

  3. Select the keys you want to regenerate: Symmetric Protection Key, Asymmetric Signature Key, Asymmetric Audit Log Key, and Asymmetric SSL Key. For each key type, select the desired algorithm and key sizes in the drop-down lists. The key sizes available may be limited based on the capabilities of the selected provider.

    Note: For a Symmetric Protection Key of 192 bits or greater, the Java installation must use an unlimited cryptographic policy. Depending on the installed Java version, this can require that you update the Java installation with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files.
  4. Enter the Certificate Distinguished Name. The Validation Authority Configuration automatically specifies a Distinguished Name using the Organization Name you provided earlier. This name is the identity that the Validation Authority uses in its digital certificates. You can specify a different distinguished name by entering the name in the text box.

  5. Enter the Certificate Validity Period.

  6. Select the Message Digest Algorithms for Signatures and OCSP Response Data.

  7. Based on your corporate security policy, select the Prompt for Password at Server Start-up option. This will require an administrator to type the keystore password when Validation Authority starts.

  8. As an alternative, for convenience, do not select the Prompt for Password at Server Start-up option; Validation Authority then starts without prompting for the keystore password.

    On Windows systems, if the Prompt for Password at Server Start-up option is enabled, start the Validation Authority server with server.bat start rather than as a Windows service, because a service cannot display the password prompt.

  9. Enter and confirm the Password to be used to protect the keystore.

    Note: When using an HSM, the keystore password refers to the PIN used to access the HSM.
  10. Click Next to continue to the database configuration.

    Note: During the Validation Authority configuration, and whenever you start the Validation Authority server, you will be prompted to provide the keystore partition password. The prompting for password at server startup is controlled by the Prompt for Password at Server Start-up parameter described above.

  11. Click OK after you enter the keystore password.

You will be given up to three opportunities to enter the correct password.

If you fail to provide the correct password three times (or attempt to close the dialog without entering the password), then you will see the following dialog informing you that the keystore login failed.

To try again, restart the Validation Authority Configuration utility.

Note: The HSM will limit retries, lock you out, or destroy keys if you repeatedly fail to enter the correct keystore password.
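As an added pre-flight check for step 3 (example code written for this page, not code from the Validation Authority product or from HID Global), the following Java program reports the active cryptographic policy, the largest AES key size that policy allows, and the KeyStore types each installed JCA provider offers. Run it with the same JDK that will run the Validation Authority server; the key size taken from the command line (default 256) is an assumption for illustration. SunJCE offers the JCEKS keystore type, while an HSM's PKCS#11 bridge provider only appears if it has been configured in that JVM.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

/**
 * Pre-flight check for the keystore configuration step: which providers the
 * JVM can see, which KeyStore types each one offers, and whether the
 * jurisdiction policy permits a Symmetric Protection Key of the requested size.
 * Example code added for this page; not part of the product.
 */
public class KeystorePreflight {

    /** Largest AES key size (in bits) the active jurisdiction policy permits. */
    public static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True when a Symmetric Protection Key of requestedBits can be generated under the policy. */
    public static boolean symmetricKeySizeAllowed(int requestedBits) throws NoSuchAlgorithmException {
        return maxAesKeyBits() >= requestedBits;
    }

    /** KeyStore types advertised by one provider (e.g. JCEKS for SunJCE, PKCS11 for an HSM bridge). */
    public static List<String> keyStoreTypes(Provider provider) {
        List<String> types = new ArrayList<>();
        for (Provider.Service service : provider.getServices()) {
            if ("KeyStore".equals(service.getType())) {
                types.add(service.getAlgorithm());
            }
        }
        return types;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Assumed usage: optional first argument is the symmetric key size to check.
        int requestedBits = args.length > 0 ? Integer.parseInt(args[0]) : 256;

        // crypto.policy is "unlimited" or "limited" on Java 8u151 and later; null on older JDKs.
        String policy = Security.getProperty("crypto.policy");
        int maxBits = maxAesKeyBits();
        System.out.println("crypto.policy = " + policy);
        System.out.println("Max AES key length allowed = "
            + (maxBits == Integer.MAX_VALUE ? "unlimited" : maxBits + " bits"));

        if (!symmetricKeySizeAllowed(requestedBits)) {
            System.out.println("A Symmetric Protection Key of " + requestedBits
                + " bits will fail under the current policy: install the JCE Unlimited Strength"
                + " Jurisdiction Policy files or set crypto.policy=unlimited in java.security.");
        }

        System.out.println();
        System.out.println("Installed providers and the KeyStore types they offer:");
        for (Provider provider : Security.getProviders()) {
            System.out.println("  " + provider.getName() + " -> " + keyStoreTypes(provider));
        }
    }
}
```

If the output shows a limited policy, fix the JDK before running the configuration utility, because the wizard can only offer key sizes the provider and policy permit. If the expected HSM provider is missing from the provider list, the wizard will not be able to use that keystore either.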