Installing a Certificate as a Trusted Certificate in the Java Keystore

How to:

If you are creating your own certificates for testing purposes, then consult the Microsoft documentation on using the Certificate Creation Tool (MakeCert.exe), or see the following website, which provides an article describing how to create temporary certificates for use during development:

http://msdn.microsoft.com/en-us/library/ms733813.aspx

Note: You must generate a PFX file instead of a CER file to be able to assign an SSL certificate to a port.

The following certificates are required:

PFX (Personal Information Exchange, PKCS#12) files store certificates and keys together in a single file on Windows systems. The PEM format can be used on non-Windows systems.

A PFX copy of the server certificate is required, installed into the Windows certificate store, which can be created using the Certificate Creation Tool (MakeCert.exe).

A PFX copy of the client certificate is required, which can be created using the Certificate Creation Tool (MakeCert.exe).

The server certificate PFX file (server.pfx) is installed in the host credentials store file, and the certificate thumbprint is used to bind the SSL Socket for communication over HTTPS. The Java Virtual Machine (JVM) of the adapter server will be used to create a keystore containing the server certificate and (optionally) a client certificate.

Before you create an SSL (HTTPS) connection using the iWay Application Adapter for Microsoft Dynamics CRM 2011 On-Premises, the certificate for the machine running the adapter must first be installed as a trusted certificate in the Java keystore.

Procedure: How to Create a Java Trust Store File for the Server and Add a Server Certificate to the Java Trust Store File

  1. Obtain a copy of the root certificate in the DER (X.509 binary) format to create the trust store.
  2. Copy the root.cer file to the following directory:
    JAVA_HOME\jre\bin\root.cer

    where:

    JAVA_HOME

    Is the root installation directory of your Java Runtime Environment (JRE).

    Note: The root.cer file contains the CN=machine.domain.idomain setting of the machine running iWay Service Manager (iSM) and the adapter. For example:

    CN=Server24.mySite.com

    where:

    Server24

    Is the name of the machine as resolved by the Domain Name System (DNS) server. This value is case-sensitive.

    mySite

    Is the domain that identifies where the machine is running.

    com

    Is the Internet-level domain where the domain (for example, mySite) is located.

  3. Open a command prompt window with Administrator privileges and navigate to the following directory:
    JAVA_HOME\jre\bin
  4. Execute the following command:
    keytool -importcert -file drive:\path\root.cer -keystore drive:\path\trustStore.jks -storetype jks -alias crm2011AdapterKeyStore

    where:

    -importcert

    Is the command used to import the certificate.

    -file drive:\path\root.cer

    Is the path to the root certificate. For example, c:\certs.

    -keystore drive:\path\trustStore.jks

    Is the path and name of the keystore file to be created during the import process.

    -storetype

    Specifies the type of keystore to create. The type must be jks (Java KeyStore).

    -alias

    Is a unique name for the imported certificate entry within the keystore. It also serves as a descriptive label that helps identify its usage.

  5. When prompted to enter a password, type a password that has a minimum length of six characters.
  6. Retype this same password for validation purposes.

    The keytool program displays information about the root certificate named in the keytool command, and then prompts you to confirm whether you want to trust the certificate.

  7. Type Yes and press Enter.

    If executed successfully, a message is displayed indicating that the certificate was added to the keystore and a new file called trustStore.jks has been created.

    The server.pfx file is imported into the Windows certificate store as described in Using SSL Server Certificates.

Procedure: How to Create a Java Trust Store File for the Client and Add a Client Certificate to the Java Trust Store File

  1. Create a copy of the client.pfx file that was created from the client.cer (certificate) file.

    Note: In this example, the root.cer file has been used to create the client.cer file.

  2. Open a command prompt window with Administrator privileges and navigate to the following directory:
    JAVA_HOME\jre\bin

    where:

    JAVA_HOME

    Is the root installation directory of your Java Runtime Environment (JRE).

  3. Execute the following command:
    keytool -importkeystore -deststorepass destpass -destkeystore drive:\path\clientStore.jks -srckeystore drive:\path\client.pfx -srcstoretype PKCS12 -srcstorepass 123456

    where:

    -importkeystore

    Is the command used to import the keystore.

    -deststorepass

    Is a password for the keystore to be created. The password must be a standard alphanumeric 32-character password.

    -destkeystore drive:\path\clientStore.jks

    Is the path of the destination keystore into which the client certificate is imported.

    -srckeystore drive:\path\client.pfx

    Is the source file (keystore) where the client certificate with the private key is located.

    -srcstoretype

    Is the type of the source keystore. This value must always be set to PKCS12.

    -srcstorepass

    Is the password for the keystore source file (client.pfx). This password was specified at the time the file was created, and must be a standard alphanumeric 32-character password.

    Note: As of iSM Version 6.1.7, clientStore.jks must be the file name used for the client store.

  4. When the trustStore.jks and clientStore.jks files have been created, copy these files to the following directory:
    iwayhome\lib

    where:

    iwayhome

    Is the root location where iWay Service Manager (iSM) is installed.

  5. When the adapter target is being created, specify the following parameter values:

    If you are using HTTPS/SSL with client authentication:

    • Trusted keystore location:
      iwayhome\lib\trustStore.jks

    If you are using the client keystore:

    • Client keystore location:
      iwayhome\lib\clientStore.jks
    • Client keystore password:

      This must be the same password that was specified for the -deststorepass setting in step 3.

  6. In the router configuration file, ensure that the line in the router for the baseAddress matches exactly the CN used for the server.pfx file, and the port matches the bound SSL port number, as shown below:
    <baseAddresses>
        <add baseAddress="https://server.site.com:port/RoutingService"/>
    </baseAddresses>
  7. Ensure that the correct binding type is set in the router configuration file, as shown below:
    <binding>
        <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
        </security>
    </binding>
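As an added example that is not part of this documentation, the following Python script automates the check described in step 6: it reads the CN from the output of the standard keytool -printcert command run against root.cer and compares it, exactly and including case, with the host and port of the baseAddress in the router configuration. The keytool output and the baseAddresses fragment embedded below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of the first lines printed by `keytool -printcert -file root.cer`.
SAMPLE_PRINTCERT = """Owner: CN=Server24.mySite.com, OU=Adapters, O=mySite
Issuer: CN=Server24.mySite.com, OU=Adapters, O=mySite
"""

# Constructed sample of the <baseAddresses> element of the router configuration.
SAMPLE_ROUTER_XML = """<baseAddresses>
    <add baseAddress="https://Server24.mySite.com:8443/RoutingService"/>
</baseAddresses>"""


def certificate_cn(printcert_output):
    """Return the CN of the 'Owner:' (subject) line in keytool -printcert output."""
    match = re.search(r"^Owner:\s*(.*)$", printcert_output, re.MULTILINE)
    if not match:
        raise ValueError("no Owner line in keytool output")
    # A plain comma split is enough here: the sample RDN values contain no commas.
    for rdn in match.group(1).split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "CN":
            return value.strip()
    raise ValueError("certificate subject has no CN")


def base_addresses(router_xml):
    """Return (host, port) for every <add baseAddress=.../>; https without a port means 443."""
    pairs = []
    for add in ET.fromstring(router_xml).iter("add"):
        url = urlsplit(add.get("baseAddress", ""))
        if url.scheme != "https":
            raise ValueError("baseAddress must use https: " + url.geturl())
        # Take the host from netloc: urlsplit().hostname lowercases it and would hide a case mismatch.
        host, sep, port_text = url.netloc.rpartition(":")
        pairs.append((host, int(port_text)) if sep else (url.netloc, 443))
    return pairs


def check_base_address(printcert_output, router_xml, bound_port):
    """List every mismatch between baseAddress and the certificate; [] means consistent."""
    cn = certificate_cn(printcert_output)
    problems = []
    for host, port in base_addresses(router_xml):
        if host != cn:  # exact comparison, case included, as step 6 requires
            problems.append(f"host {host!r} does not match certificate CN {cn!r}")
        if port != bound_port:
            problems.append(f"port {port} does not match the bound SSL port {bound_port}")
    return problems
```

Run check_base_address with the real keytool output, the real router file contents and the port you bound the certificate to; an empty list means the configuration is consistent.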