
Technical Notes

Removing Reflection for the Web Root Certificates
Technical Note 1647
Last Reviewed 20-Apr-2007
Applies To
Reflection for the Web version 8.0 or higher
Summary

Reflection for the Web includes several trusted root certificates issued by well-known certificate authorities, such as VeriSign, Thawte, and Entrust. If your organization uses an internal certificate authority (CA) and does not want to trust any certificates other than those provided by your internal CA, you can remove these certificates. This technical note describes how to view and remove the trusted root certificates included with Reflection for the Web 8.0 or higher.

Reflection for the Web Root Certificates

Reflection for the Web 8.0 or higher includes several trusted root certificates issued by well-known certificate authorities. You can view these certificates using the Administrative WebStation. Follow these steps to view the certificates:

  1. Launch the Administrative WebStation.
  2. In the left-navigation bar, click Security Setup and then select the Certificates tab.
  3. Under Administer Terminal Emulator Applet Trusted Certificate List, click View or modify certificates trusted by the terminal emulator applet.

The table titled Trusted Root Certificate Authorities displays the certificates included in your installation of Reflection for the Web.

Removing Reflection for the Web Root Certificates

The trusted root certificates are contained in a trustedca.pfx file. Reflection for the Web includes a PFXTool.jar utility that can be used to remove the certificates from this file. Follow the instructions in the sections below to remove the certificates.

Setting Environment Variables

To use PFXTool.jar, you must temporarily configure the path and classpath environment variables on your server. Follow the steps below to configure these variables.

  1. On your server, open a command prompt.

For example, in Windows, click Start > Run, type cmd, and then click OK.

Note: In Windows, you must leave this command window open during all the steps that follow and while you use PFXTool.jar. If you close the command window, the environment variables will be reset to their original values.

  2. At the command prompt, navigate to the \utilities folder for your Reflection for the Web installation.

For example, for a default installation on Windows, enter the following command:

CD C:\Program Files\ReflectionServer\utilities
  3. Set the classpath variable to include the following files within your installation of Reflection for the Web.
PFXTool.jar
wrqtls12.jar
KeyToolsPro_jce1-2-1_1of2_signed.jar
KeyToolsPro_jce1-2-1_2of2_unsigned.jar

For example, for a default installation on Windows, enter the following command (on one line):

set classpath=C:\Program Files\ReflectionServer\utilities\PFXTool.jar;C:\Program Files\ReflectionServer\jakarta-tomcat\webapps\rweb\WEB-INF\lib\wrqtls12.jar;C:\Program Files\ReflectionServer\jakarta-tomcat\webapps\rweb\WEB-INF\lib\KeyToolsPro_jce1-2-1_1of2_signed.jar;C:\Program Files\ReflectionServer\jakarta-tomcat\webapps\rweb\WEB-INF\lib\KeyToolsPro_jce1-2-1_2of2_unsigned.jar
  4. Set the path variable to point to the \_jvm\bin directory within your Reflection installation.

For example, for a default installation on Windows, enter the following command:

set path=C:\Program Files\ReflectionServer\_jvm\bin;%path%

Removing Certificates

To remove all certificates listed in the trustedca.pfx file, enter the following command (on one line):

java com.wrq.util.pfxtool.PFXTool "C:\Program Files\ReflectionServer\ReflectionData\trustedcerts\trustedca.pfx" -removeAll

Confirming Removal

Once you have removed the certificates, return to the Administrative WebStation and view your certificates again using the procedure described above in the section titled "Reflection for the Web Root Certificates."
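
The environment setup, removal, and confirmation steps above can be run as one batch file that first backs up trustedca.pfx, because -removeAll deletes every certificate and private key in the keystore. This is an added example, not Attachmate's own script; it assumes the default Windows installation path used in this note, and the BACKUP and REPORT file names are hypothetical.

```batch
@echo off
rem Added example, not Attachmate's own script. Assumes the default Windows
rem install path shown in this note; BACKUP and REPORT are hypothetical names.
setlocal

set "RWEB=C:\Program Files\ReflectionServer"
set "LIB=%RWEB%\jakarta-tomcat\webapps\rweb\WEB-INF\lib"
set "PFX=%RWEB%\ReflectionData\trustedcerts\trustedca.pfx"
set "BACKUP=%PFX%.bak"
set "REPORT=%TEMP%\trustedca-after.txt"

rem setlocal keeps the classpath and path changes inside this script.
set "classpath=%RWEB%\utilities\PFXTool.jar;%LIB%\wrqtls12.jar;%LIB%\KeyToolsPro_jce1-2-1_1of2_signed.jar;%LIB%\KeyToolsPro_jce1-2-1_2of2_unsigned.jar"
set "path=%RWEB%\_jvm\bin;%path%"

if not exist "%PFX%" (
    echo trustedca.pfx not found at "%PFX%"
    exit /b 1
)

rem Refuse to overwrite an earlier backup of the original trust list.
if exist "%BACKUP%" (
    echo Backup "%BACKUP%" already exists; move it aside first.
    exit /b 1
)
copy /b "%PFX%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Could not back up trustedca.pfx; nothing was changed.
    exit /b 1
)

rem Assumption: PFXTool's exit code is not documented in this note, so this
rem check only catches a non-zero exit from java.
java com.wrq.util.pfxtool.PFXTool "%PFX%" -removeAll
if errorlevel 1 (
    echo PFXTool reported an error; restore from "%BACKUP%" if needed.
    exit /b 1
)

rem Write the post-removal keystore details to a file for review.
java com.wrq.util.pfxtool.PFXTool "%PFX%" -toFile "%REPORT%"
echo Review "%REPORT%" and the Trusted Root Certificate Authorities table.
endlocal
```

Keep the backup file under the same access controls as the original, and confirm the result in the Administrative WebStation as described above.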

Additional Information About PFXTool.jar

This section provides additional information about using the PFXTool.jar utility.

PFXTool Help

To display Help for the PFXTool, enter the following command:

java com.wrq.util.pfxtool.PFXTool

The Help file for PFXTool.jar should read as follows:

Usage:
java PFXTool <fully qualified filename of PFX file> [-options]

Where options include:
    -PFXpswd password    password for PFX key store
    -keypswd password    password for the private key in PFX key store
    -verbose    to print detailed information to console
    -toFile <fully qualified file name for output>    
     to print detailed information to a file
    -setVersion <11 digits version number>    to set keystore version
    -removeAll    to delete all the certificates and private keys 
     in the keystore
    -csr    <fully qualified file name of the CA signed the 
     certificate> <fully qualified output file name.>
 
Examples:
    java PFXTool c:\trustedca.pfx -PFXpswd storepassword -keypswd 
privateKeyPassword -setVersion 05003060000
    java PFXTool c:\trustedca.pfx -toFile c:\temp\output.txt
    java PFXTool c:\csr.pfx -csr c:\temp\myCASignedCert.cer 
c:\temp\csrOutput.pfx


Viewing Certificates Using PFXTool

You can use PFXTool to view the certificates listed in the trustedca.pfx file. To display the certificates, enter the following command (on one line):

java com.wrq.util.pfxtool.PFXTool "C:\Program Files\ReflectionServer\ReflectionData\trustedcerts\trustedca.pfx" -verbose

Related Technical Notes
9988 Reflection for the Web Technical Notes
