Renew trusted peer certificates (Folio/Mindbreeze)

Last update: 14 November 2017

Summary

The search communication between Fabasoft Folio and Fabasoft Mindbreeze Enterprise is secured by a certificate.

During setup of the Fabasoft Folio Mindbreeze integration, a self-signed CA and a certificate pair are created automatically with a lifetime of one year. Fabasoft recommends replacing this self-signed CA with your corporate CA and creating your own key pair from your own CA.

If the automatically created certificate expires, searching the Mindbreeze index from Fabasoft Folio no longer works and error messages are written to the Windows Event log or the Linux system log.

This documentation explains the procedure to renew the trusted peer certificates.

Solution

Option 1: Provide a certificate of your corporate CA (recommended)

Use this option if you have a public key infrastructure (PKI) and know how to create client certificates. Note that client certificates are not SSL server certificates!

Prepare the following files from your CA:

  • The CA certificate in X509 PEM format (if you use intermediate CAs, use the CA that issued the client certificate)
  • The client certificate in X509 PEM format (make sure that the certificate is issued as a client certificate, not a server certificate)
  • The private key of the client certificate in PEM format
  • The pass-phrase of the private key.

Continue with the chapter "Installation of the certificates".

Option 2: Re-create a long-term self-signed certificate

Use this option if you do not have a public key infrastructure (PKI), or if you do not need your own corporate certificates for the communication between Fabasoft Folio and Mindbreeze. The communication is still secured. This is the easier option to set up.

The Fabasoft Folio Mindbreeze Integration ships with a script (createcertificates.js) that automatically creates a self-signed CA and a client certificate with private key. By default these certificates expire after 365 days.

To create certificates with a longer expiration period, follow these steps:

  • Change to the folder C:\Program Files\Fabasoft\Components\MindbreezeIntegration
  • Make a backup of the file createcertificates.js (e.g. by copying the file)
  • Edit createcertificates.js
  • In the first occurrence of the shell.Run command line (near the bottom of the file), change the parameter -days 365 to -days 3650 (10 years instead of 1 year)
  • Save and close the file
  • Open the openssl.cnf file
  • Search for the config value default_days (the default is 365)
  • Change the value to 3650
  • Save and close the file
  • Delete the index.txt file.
  • On a command prompt, change to the C:\Program Files\Fabasoft\Components\MindbreezeIntegration directory and run the modified createcertificates.js by entering cscript.exe //b createcertificates.js
  • The created certificates are located directly in the C:\Program Files\Fabasoft\Components\MindbreezeIntegration directory. The following files are needed in the next steps: cacert.pem, request.key, request.pem, passwd.

Continue with the chapter "Installation of the certificates".
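Before installing the four files from either option, the following check catches the mistakes this page warns about: a client certificate not issued by the CA that will be uploaded, a server instead of a client certificate, an expired certificate, a private key that does not belong to the certificate, and a mis-pasted pass-phrase. This is an added example and not part of the Fabasoft integration; it assumes only the openssl command-line tool and the file names used above.

```shell
#!/bin/sh
# Pre-installation check for the trusted peer files cacert.pem, request.pem,
# request.key and passwd. Added example, not part of the Fabasoft integration;
# requires only the openssl command-line tool.
# Usage: check_peer_certs CACERT CLIENTCERT PRIVKEY PASSWDFILE [MIN_DAYS]
check_peer_certs() {
    ca="$1"; cert="$2"; key="$3"; pw="$4"; min_days="${5:-30}"
    rc=0

    # 1. The client certificate must chain to the CA uploaded to Mindbreeze
    #    (with intermediate CAs this has to be the issuing CA).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not issued by $ca"; rc=1
    fi

    # 2. It must be a client certificate: extendedKeyUsage has to include
    #    clientAuth (printed as "TLS Web Client Authentication").
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -q "TLS Web Client Authentication"; then
        echo "FAIL: $cert lacks the clientAuth extended key usage"; rc=1
    fi

    # 3. An expired peer certificate breaks the search, so refuse anything
    #    that expires within min_days.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi

    # 4. Pass-phrase: copy & paste easily adds stray whitespace, so warn early.
    if head -n 1 "$pw" | grep -q '[[:space:]]'; then
        echo "WARN: pass-phrase in $pw contains whitespace"
    fi

    # 5. The key must decrypt with the pass-phrase (first line of passwd) and
    #    its public key must be the one in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "file:$pw" -pubout 2>/dev/null)
    if [ -z "$key_pub" ]; then
        echo "FAIL: cannot read $key with the pass-phrase in $pw"; rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $cert, $key and $pw are consistent"; fi
    return "$rc"
}
```

Run it from the MindbreezeIntegration directory as check_peer_certs cacert.pem request.pem request.key passwd; a non-zero exit status means at least one FAIL line was printed.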

Installation of the certificates

Import the new CA to Mindbreeze

  • Open the Mindbreeze Configuration Website (usually http://localhost:23000 on the Mindbreeze server)
  • Navigate to the Certificates tab
  • Upload the cacert.pem certificate. After the upload, the CA is visible under the "Available CAs" section.
  • Select the new certificate as "Trusted peer". You may delete unneeded CAs in this section. (Screenshot: Mindbreeze Configuration, Certificates tab)
  • Make sure that the Mindbreeze processes get restarted after you have changed the CA.

Import the client certificate to Fabasoft Folio

  • Import the request.pem file to Fabasoft Folio.
  • Copy the object to the clipboard.
  • In Folio, navigate to Domain Administration / Domain Objects / Services.
  • Repeat the following steps for every "Indexing Service" object:
    • Edit the Indexing Service object
    • Paste the client certificate into the Client certificate property
    • Enter the directory and file name in the Private key string property. The request.key file must be copied to this location on each web server. UNC paths are not valid.
    • Enter the pass-phrase from the passwd file in Pass-phrase of private key. Copy & paste may add unneeded whitespace, so compare the number of characters.
  • Remember to copy the request.key file to every web server. (Screenshot: Modify certificate settings in every Indexing Service object)

The new configuration takes effect after the Fabasoft Folio web services have been recycled.

Applies to

  • Fabasoft Folio
  • Fabasoft eGov-Suite

when connected to a Mindbreeze Enterprise installation