Setting Up a Trusted Certificate

Use these instructions to update from the default self-signed certificate in Fortra Application Hub, to a trusted certificate.

On Linux

  1. Login as root or sudo su to run as a superuser on the system where you have Fortra Application Hub installed.

  2. Transfer your keystore file to your Fortra Application Hub server’s file system

    EXAMPLE: sftp root@<your-hs1-ip-addr>

    • The best place to store the new keystore file is in /etc/opt/helpsystems/one/. This is where the default self-signed certificate is stored. Storing the new keystore file in the same location eliminates the need to change folder permissions in order for Fortra Application Hub to access the file.

    • If you need to use a different directory, you must allow read & execute permission to the folder your keystore file is in.

      EXAMPLE: chmod 755 /home/user

  3. Change ownership of the new keystore file to the helpsys user.

    EXAMPLE: chown helpsys helpsysdev.com.pfx

  4. Grant read permission to the keystore file.

    EXAMPLE: chmod 644 helpsysdev.com.pfx

  5. (Optional) Make a copy of /etc/opt/helpsystems/one/keystoreProperties.xml to revert back if necessary. Update the ownership of this backup file to the user helpsys. This helps avoid errors when starting Fortra Application Hub in case you need to revert back.

  6. Edit /etc/opt/helpsystems/one/keystoreProperties.xml as follows:

    <entry key="keystoreFile">/pathname/filename</entry>

    EXAMPLE: /etc/opt/helpsystems/one/helpsysdev.com.pfx

    <entry key="keystoreType">your-file-type</entry>

    EXAMPLE: PKCS12

    <entry key="keystorePass">your-cert-password</entry>

    <entry key="keyAlias">your-alias</entry>

  7. Restart all Fortra Application Hub services
    /opt/helpsystems/one/hs1-ctl.sh restart

  8. Wait a couple minutes for Tomcat, etc., to fully start.

  9. Open your web browser to https://your-hs1-hostname.com:3030/HelpSystemsOne/#/ and you should see a valid, secure certificate.

On the IBM i

  1. Transfer your keystore file to the IFS on the IBM i where Fortra Application Hub is installed.

  2. Put the certificate file in the /FortraApplicationHub/config directory.

  3. Change the owner of the certificates file to FAHUSER.

  4. Update /FortraApplicationHub/config/keystoreProperties.xml as follows:

    <entry key="keystoreFile">/pathname/filename</entry>

    EXAMPLE: FortraApplicationHub/config/hs1.p12

    <entry key="keystoreType">your-file-type</entry>

    EXAMPLE: PKCS12

    <entry key="keystorePass">your-cert-password</entry>

    <entry key="keyAlias">your-alias</entry>

  5. From the IBM i command line, end and start Fortra Application Hub using the following commands:

    1. FORTRAHUB/FAHSTRHUB (wait for jobs to end. wrkusrjob FAHUSER to verify)

    2. FORTRAHUB/FAHENDHUB

  6. Open your web browser to https://your-hs1-hostname.com:3030/HelpSystemsOne/#/ and you should see a valid, secure certificate.

On Windows

  1. Login as administrator on the system where you have Fortra Application Hub installed.

  2. Transfer your keystore file to your Fortra Application Hub server’s file system.

    • The best place to store the new keystore file is in C:\ProgramData\HelpSystems\HS1. This is where the default self-signed certificate is stored.

    • Check that the account “LOCAL SERVICE” has read access to the new file. If you have used the existing default location then these should be the default permissions.

  3. (Optional) Make a copy of C:\ProgramData\HelpSystems\HS1\keystoreProperties.xml to revert back if necessary. Update the ownership of this backup file to the user helpsys. This will help avoid errors in starting Fortra Application Hub in case you need to revert back.

  4. Edit C:\ProgramData\HelpSystems\HS1\keystoreProperties.xml as follows:

    <entry key="keystoreFile">/pathname/filename</entry>

    EXAMPLE: C:\ProgramData\HelpSystems\HS1\hs1new.p12

  5. If the format of the Key Store has changed, amend the following value:

    <entry key="keystoreType">your-file-type</entry>

    EXAMPLE: PKCS12

  6. Specify the new password and the alias in the following values:

    <entry key="keystorePass">your-cert-password</entry>

    <entry key="keyAlias">your-alias</entry>

  7. Restart the service named “Fortra Application Hub Core Service” using either the service control manager or the command:

    Restart-Service fahcore

    Alternatively reboot the system.

  8. Wait a couple minutes for Tomcat, etc., to fully start.

  9. Open your web browser to https://your-hs1-hostname.com:3030/HelpSystemsOne/#/ and you should see a valid, secure certificate.

Troubleshooting tips

  • Verify and update the Fortra Application Hub URL so that it is also using the fully qualified hostname to ensure Analytics will work with the new certificate also.

  • Restart your browser, clear cache, and/or use private/incognito mode if you connected to HS1 prior to updating the certificate.

An example of an updated keystoreProperties.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>keystore props</comment>
<entry key="keystoreFile">/etc/opt/helpsystems/one/helpsysdev.com.pfx</entry>
<entry key="keystoreType">PKCS12</entry>
<entry key="keystorePass">cert-password</entry>
<entry key="keyAlias">1</entry>
</properties>