Manually modifying the web server keystore for FIPS mode compliance

Use this procedure to convert the web server keystore when you enabled FIPS mode before creating a server certificate with the SSMC procedures. The default keystore is a JKS file; the steps below convert it to BCFKS, the keystore type of the Bouncy Castle FIPS provider, and then point the Jetty TLS configuration at the passwords you used.

Procedure
  1. From the system where you installed SSMC, rename the default keystore. The renamed file is both the source for the conversion in the next step and the copy you restore to revert to a non-FIPS installation, so do not delete it.
    ssmcadmin@server2:/opt/hpe/ssmc/ssmcbase/etc$ pwd
    /opt/hpe/ssmc/ssmcbase/etc
    ssmcadmin@server2:/opt/hpe/ssmc/ssmcbase/etc$ mv keystore keystore.nofps
  2. Navigate to /opt/hpe/ssmc/ssmcbase/fips/jre/bin, and then run the following command (shown on several lines with continuation characters; it is a single keytool invocation):
    ./keytool -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
     -providerpath /opt/hpe/ssmc/ssmcbase/bcFipsJars/bc-fips-1.0.1.jar \
     -importkeystore -srckeystore /opt/hpe/ssmc/ssmcbase/etc/keystore.nofps \
     -destkeystore /opt/hpe/ssmc/ssmcbase/etc/keystore \
     -srcstoretype JKS -deststoretype BCFKS -srcstorepass <store password> \
     -deststorepass <store password> -srckeypass <key password> \
     -destkeypass <key password> -alias jetty
  3. Update the jetty-ssl-context.xml file in /opt/hpe/ssmc/ssmcbase/etc so that its password entries match the values you passed as -deststorepass and -destkeypass:
    • If you changed the password of the keystore as a whole (the -deststorepass value), modify the KeyStorePassword entry.

    • If you changed the password of the private key inside the keystore (the -destkeypass value), modify the KeyManagerPassword entry.

    • If your security policy requires obfuscating passwords before storing them in configuration files, follow the procedure described in the section Using obfuscated passwords in configuration files.
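The script below is an added example and is not part of the SSMC documentation or product. It wraps the three steps above in functions, refuses to overwrite an existing keystore.nofps backup, reads the four passwords from environment variables through keytool's `:env` password form instead of the command line (so they do not land in shell history or `ps` output), and adds a verification step that the page does not have: listing the new BCFKS store with the same provider to confirm the jetty private-key entry survived. The paths, provider class, jar name and alias are the ones shown on this page; the variable names, the SSMC_FIPS_RUN guard and the verify and password_entries helpers are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not SSMC code: JKS -> BCFKS conversion of the SSMC web server
# keystore with a pre-flight check, password handling via environment
# variables, and post-conversion verification.
set -eu

# Paths as shown on the page; override through the environment if yours differ.
SSMC_ETC=${SSMC_ETC:-/opt/hpe/ssmc/ssmcbase/etc}
FIPS_KEYTOOL=${FIPS_KEYTOOL:-/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool}
BC_FIPS_JAR=${BC_FIPS_JAR:-/opt/hpe/ssmc/ssmcbase/bcFipsJars/bc-fips-1.0.1.jar}
BC_PROVIDER=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

# Step 1: rename the JKS keystore. Refuse if a .nofps copy already exists so a
# second run cannot overwrite the only non-FIPS copy you could revert to.
backup_keystore() {
    etc=$1
    if [ -e "$etc/keystore.nofps" ]; then
        echo "refusing: $etc/keystore.nofps already exists" >&2
        return 1
    fi
    if [ ! -f "$etc/keystore" ]; then
        echo "no keystore found in $etc" >&2
        return 1
    fi
    mv "$etc/keystore" "$etc/keystore.nofps"
}

# Step 2: convert with the FIPS JRE's keytool. keytool accepts -xxxpass:env VAR
# for every password option, so the secrets never appear on the command line.
convert_keystore() {
    etc=$1
    : "${SRC_STOREPASS:?set SRC_STOREPASS}" "${DEST_STOREPASS:?set DEST_STOREPASS}"
    : "${SRC_KEYPASS:?set SRC_KEYPASS}" "${DEST_KEYPASS:?set DEST_KEYPASS}"
    "$FIPS_KEYTOOL" -provider "$BC_PROVIDER" -providerpath "$BC_FIPS_JAR" \
        -importkeystore \
        -srckeystore "$etc/keystore.nofps" -srcstoretype JKS \
        -destkeystore "$etc/keystore" -deststoretype BCFKS \
        -srcstorepass:env SRC_STOREPASS -deststorepass:env DEST_STOREPASS \
        -srckeypass:env SRC_KEYPASS -destkeypass:env DEST_KEYPASS \
        -alias jetty
}

# Verification (this example's addition): open the new store with the same
# provider and require that "jetty" is present as a PrivateKeyEntry. A store
# that lists the alias as a trustedCertEntry lost the private key.
verify_keystore() {
    etc=$1
    "$FIPS_KEYTOOL" -provider "$BC_PROVIDER" -providerpath "$BC_FIPS_JAR" \
        -list -keystore "$etc/keystore" -storetype BCFKS \
        -storepass:env DEST_STOREPASS \
        | grep -i 'jetty.*PrivateKeyEntry'
}

# Step 3 helper: print the two password entries in jetty-ssl-context.xml that
# must match DEST_STOREPASS (KeyStorePassword) and DEST_KEYPASS (KeyManagerPassword).
password_entries() {
    grep -E 'KeyStorePassword|KeyManagerPassword' "$1/jetty-ssl-context.xml"
}

# Only touch the real installation when explicitly asked to.
if [ "${SSMC_FIPS_RUN:-0}" = 1 ]; then
    backup_keystore "$SSMC_ETC"
    convert_keystore "$SSMC_ETC"
    verify_keystore "$SSMC_ETC"
    password_entries "$SSMC_ETC"
fi
```

Run it as `SSMC_FIPS_RUN=1 SRC_STOREPASS=... DEST_STOREPASS=... SRC_KEYPASS=... DEST_KEYPASS=... sh convert-keystore.sh` from the ssmcadmin account; because of `set -e` the script stops at the first failing step, so a conversion that did not produce a usable jetty entry never reaches the configuration step.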