After you upgrade Enterprise Vault, you may need to reimport the SSL certificate for the Veritas Information Classifier into the Java keystore

Article: 100034115
Last Published: 2021-08-16
Ratings: 0 0
Product(s): Enterprise Vault

Problem

In an Enterprise Vault environment where you use the Veritas Information Classifier to classify archived content, you can secure communications with the Veritas Information Classifier by configuring it to use HTTPS with Secure Sockets Layer (SSL). The process of implementing HTTPS with SSL requires you to install an SSL certificate in Internet Information Services and bind it to the Default Web Site. In addition, if your certificate has not come from a trusted certificate authority, you must import it into the Java Runtime Environment (JRE) keystore that is in the Enterprise Vault installation folder on your Enterprise Vault server (typically, C:\Program Files (x86)\Enterprise Vault\Services\JRE\lib\security\cacerts ).

Each time you upgrade Enterprise Vault, it first makes a backup copy of the cacerts keystore file and then replaces it with a new version of the file. So, you must import your SSL certificate into the new file.

Solution

If you still have your original SSL certificate, you can import it into the new version of the cacerts keystore file by following the procedure that you originally used. The Enterprise Vault guide, Classification using the Veritas Information Classifier, provides instructions on how to do this.

If you no longer have your original SSL certificate, you can export it from the backup copy of the cacerts keystore file and then import it into the new version of the file. Enterprise Vault stores the backup file in the following folder:

C:\Program Files (x86)\Enterprise Vault\Services\backup

Note that the backup file that Enterprise Vault places in this folder overwrites any existing cacerts file in the folder. So, if you perform multiple updates without exporting the certificate, you may lose the version that contains it.

You can use the Keytool utility to export the certificate. This utility is included in the JRE, and you can find instructions on how to run it on the Oracle website. For example, the following command exports the certificate that is associated with the alias EVSVR3 and stores it in the file C:\certs\test.cer:

keytool -export -alias EVSVR3 -file "C:\certs\test.cer" -keystore "C:\Program Files (x86)\Enterprise Vault\Services\backup\cacerts" -storepass changeit

To update the certificate following an EV upgrade, where the cert file is available, use the below command from an elevated command window, adjusting EV_alias.domain.com and C:\[path]\certificate.cer as needed:

"\Program Files (x86)\Enterprise Vault\Services\JRE\bin\keytool.exe" -importcert -trustcacerts -alias EV_alias.domain.com -file C:\[path]\certificate.cer -keystore "C:\Program Files (x86)\Enterprise Vault\Services\JRE\lib\security\cacerts" -storepass changeit

 

Was this content helpful?