if it is running.
- Copy the default <frevvo-home>\tomcat\lib\ frevvoKeystore.jks to another location as a backup
- Login as administrator.
- Make sure the path to the keytool application is configured in your system path. keytool is part of the standard Java distribution (JDK or JRE)). For example, keytool is located in the C:\Program Files\Java\jdkx.x.x\bin directory in the JDK.
- Navigate to <frevvo-home>\ tomcat\lib or to the new location of the keystore if you changed the com.frevvo.security.saml.keystore property in the setenv or service.bat files
Delete the existing certificate:
keytool -delete -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd
If you changed the password from the default, execute this keytool command to change the password in the keystore
keytool -storepasswd -keystore frevvoKeystore.jks - it will ask for the old password - p@ssw0rd and then prompt for the new one - The keystore password must match whatever is in the line that we added to the setenv pr service.bat files.
Generate a new certificate: Here is the command: Change the -dname value to the DNS name of your IDP.
If you changed the values of the com.frevvo.security.saml.key or com.frevvo.security.saml.password properties in the setenv or service.bat files then change the alias in the command and the keypass and storepass password parameters to match those values. The key and store passwords need to be the same as there is only one password property.
The dname in this keytool command specifies the X.500 Distinguished Name to be associated with the alias and is used as the issuer and subject fields in the self-signed certificate. While we provide a sample in the documentation, it is up to the customer (your security policy) to decide what the value should be when the certificate.for your installation is generated. Since this is a self-signed certificate - the dname really could be anything - but here is a link to the Oracle documentation to give you some idea of what you might want to set that too.
Execute this command to create a new certificate and stores it in the keystore.
keytool -genkey -dname "cn=app.frevvo.com" -alias frevvo -keypass p@ssw0rd -keystore frevvoKeystore.jks -storepass p@ssw0rd -keyalg rsa -keysize 2048 -validity 3650
The certificate can be viewed by exporting it to a file. If you changed the password, substitute the new password in the command:
keytool -exportcert -alias frevvo -file frevvo.rfc -rfc -keystore frevvoKeystore.jks -storepass p@ssw0rd
Install the Java Cryptography Extension
The Java Cryptography Extension (JCE) provides a uniform framework for the implementation of security features in Java. These files are needed to avoid an "illegal key size" error which can happen if these files are missing in the Java Development Kit (JDK) software of your on-premise installation.
Determine the version of the Java 8 JDK that you are running by typing java -version in a command window
- If you are using a version of the JDK 8 u161+ , you can skip this step.The correct jar files are already included in the JDK.
- For versions of the JDK 8 previous to u161, follow these steps to install the JCE files into the JDK:
- Go to the Oracle Java SE download page.
- Scroll down … Under "Additional Resources" section you will find "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File"
- Download the version that matches your installed JVM - for example, download UnlimitedJCEPolicyJDK8.zip if you are using JDK/JRE version 8
- Unzip the downloaded zip.
- Copy local_policy.jar and US_export_policy.jar to <JAVA_HOME>/jre/lib/security (Note: these jars are already there so you have to overwrite them)
Section 2 - Create the Live Forms Metadata file