Converting JKS format Java keystores to BCFKS format

Description

In eDiscovery version 10.0, a new keystore format was introduced to improve security and compatibility with modern encryption methods.

Prior to version 10.0 the Tomcat keystore, server.keystore, and the Java Certificate Autority keystore, cacerts,  used by eDiscovery were in Java KeyStore format (JKS).  The new format used in version 10.0 and above is Bouncy Castle Foundation KeyStore format (BCFKS) and is required for both the server.keystore and cacerts files.

During an upgrade or fresh installation, this conversion takes place automatically.  On occasion, it may be necessary to manually convert a JKS formatted keystore to BCFKS format, such as when implementing secure LDAP (LDAPs). The Veritas eDiscovery version 10.0 System Administration Guide provides a command line to convert a JKS formatted keystore to the BCFKS format.

Steps:

Option I.  Using the Java Keytool command to convert JKS to  BCFKS format

A.  Converting the Tomcat keystore, server.keystore:

1. Open an administrative command prompt in D:\v100\config\templates\tomcat
2. Run the following command to convert the server.keystore from JKS to BCFKS format:
   keytool -importkeystore -srckeystore server.keystore  -srcstoretype JKS -srcstorepass 123456 -destkeystore server.keystore.bcfks -deststorepass 123456 -deststoretype BCFKS -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
   
   Note:  The above command assumes the current keystore password is 123456.  If you have used another password, please replace both password values with the new password. 
   Also, if copying/pasting this command, ensure that no extra characters are randomly inserted into the command.
3. Upon completion of the conversion, rename the server.keystore to server.keystore.jks then rename the converted keystore from server.keystore.bcfks to server.keystore.
4. When convenient, run Option #7 in the Clearwell Utility on the server desktop to deploy the converted certificate.

B.  Converting the Java Certificate Authority keystore, cacerts:

1. Open an administrative command prompt in the folder containing the cacerts file for the current version of Java.
   For example:  C:\jdk-8u251-windows-x64\jre\lib\security folder in version 10.0
2. Run the following command to convert the cacerts from JKS to BCFKS format:
   keytool -importkeystore -srckeystore cacerts  -srcstoretype JKS -srcstorepass changeit -destkeystore cacerts.bcfks -deststorepass changeit -deststoretype BCFKS -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
   
   Note:  The above command assumes the current cacerts password is changeit.  If you have used another password, please replace both password values with the new password.

Option II.  Using the open source tool called KeyStore Explorer to convert from JKS to BCFKS format.

Download and install KeyStore Explorer on the eDiscovery primary server following the defaults.

A. To convert the Tomcat keystore,  server.keystore:

1. Open Keystore Explorer and use File > Open to navigate to D:\v100\config\templates\tomcat and open the server.keystore file.
2. On the menu, open Tools > Change KeyStore Type and select BCFKS.
   
3. On the menu, select File > Save As and name the file server.keystore.bcfks
4. Exit KeyStore Explorer and navigate to D:\v100\config\templates\tomcat
5. Rename the server.keystore to server.keystore.jks then rename the converted keystore from server.keystore.bcfks to server.keystore.
6. When convenient, run Option #7 in the Clearwell Utility on the server desktop to deploy the converted certificate.

B.  To convert the Java Certificate Authority keystore, cacerts:

1. Open Keystore Explorer and use File > Open to navigate to the folder containing the cacerts file for the current version of Java.
   For example:  C:\jdk-8u251-windows-x64\jre\lib\security folder in version 10.0
2. On the menu, open Tools > Change KeyStore Type and select BCFKS.
3. On the menu, select File > Save As and name the file cacerts.bcfks
   Note: It is not necessary to rename the original cacerts file.  Other Java applications will use this file while eDiscovery will use the cacerts.bcfks.
4. There is no need to restart services for this change to take effect.