Communication between the Insight Server and its Execution Workers is secured with JWT-based authentication and a public/private key pair generated at server installation. This is referred to as Execution Authentication.
Important: Only the server has access to the sensitive private key; the workers are configured with the associated public key.
You must have administrator rights on the host machines.
The private key and its public certificate reside in the Java KeyStore insight-execution-keystore; the certificate is also exported to insight-execution-jwt.cert for convenience when copying to the execution workers. The Insight Server installer creates insight-execution-keystore and its private key with the default Java KeyStore password of changeit, which is why the procedures below replace the installed KeyStore with one protected by a password of your own.
Protecting the Execution Authentication KeyStore on Windows
- Generate a new execution KeyStore and certificate, protected by a securely random password. Perform the following steps:
- Open a command prompt.
cd %PROGRAMDATA%\FICO\Xpress Insight\Server\config
- Rename the existing KeyStore and certificate.
ren insight-execution-keystore insight-execution-keystore.old
ren insight-execution-jwt.cert insight-execution-jwt.cert.old
- Generate a new public/private keypair in the file insight-execution-keystore with a new password.
keytool -genkey -v -alias "insight-execution-jwt" ^
-dname "cn=insight-execution-jwt, ou=Unknown, o=Unknown, c=Unknown" ^
-storetype PKCS12 -keyalg RSA -keysize 2048 -validity 10000 ^
-keystore "insight-execution-keystore" -storepass "securely-random-password"
Note: The symbol ^ indicates the command continues on the next displayed line.
- Export the new public key as a certificate in the file insight-execution-jwt.cert.
keytool -export -v -alias "insight-execution-jwt" -rfc ^
-keystore "insight-execution-keystore" -storepass "securely-random-password" ^
-file "insight-execution-jwt.cert"
- Configure the Insight Server with the new securely random password. Edit application.properties and configure the server with the KeyStore password used above. This should be supplied as an encrypted value, see Encrypting Sensitive Information in Configuration Files.
insight.server.execution.authentication.key-store-password=ENC(encrypted securely-random-password)
- Restart the server.
- Copy the new execution authentication certificate insight-execution-jwt.cert (created in step 1 of this Windows procedure) from the server to the workers, replacing the worker's existing certificate.
Copy the file from:
%PROGRAMDATA%\Fico\Xpress Insight\Server\config\insight-execution-jwt.cert
To this location:
%PROGRAMDATA%\Fico\Xpress Insight\Worker\config\insight-execution-jwt.cert
Note: The worker may be on a separate host.
- Remove the old KeyStore and certificate files that step 1 of this Windows procedure renamed on the server:
- insight-execution-keystore.old
- insight-execution-jwt.cert.old
Protecting the Execution Authentication KeyStore on Linux
- Generate a new execution KeyStore and certificate, protected by a securely random password. Perform the steps below:
- Open a terminal window.
cd /etc/fico-xpress-insight-server
- Rename the existing KeyStore and certificate.
mv insight-execution-keystore insight-execution-keystore.old
mv insight-execution-jwt.cert insight-execution-jwt.cert.old
- Generate a new public/private keypair in the file insight-execution-keystore with a new password.
keytool -genkey -v -alias "insight-execution-jwt" \
-dname "cn=insight-execution-jwt, ou=Unknown, o=Unknown, c=Unknown" \
-storetype PKCS12 -keyalg RSA -keysize 2048 -validity 10000 \
-keystore "insight-execution-keystore" -storepass "securely-random-password"
Note: The symbol \ indicates the command continues on the next displayed line.
- Export the new public key as a certificate in the file insight-execution-jwt.cert.
keytool -export -v -alias "insight-execution-jwt" -rfc \
-keystore "insight-execution-keystore" -storepass "securely-random-password" \
-file "insight-execution-jwt.cert"
- Configure the Insight Server with the new securely random password. Edit application.properties and configure the server with the KeyStore password used above. This should be supplied as an encrypted value, see Encrypting Sensitive Information in Configuration Files.
insight.server.execution.authentication.key-store-password=ENC(encrypted securely-random-password)
- Restart the server.
- Copy the new execution authentication certificate insight-execution-jwt.cert (created in step 1 of this Linux procedure) from the server to the workers, replacing the worker's existing certificate.
Copy the file from:
/etc/fico-xpress-insight-server/insight-execution-jwt.cert
To this location:
/etc/fico-xpress-insight-worker/insight-execution-jwt.cert
Note: The worker may be on a separate host.
- Remove the old KeyStore and certificate files that step 1 of this Linux procedure renamed on the server:
- insight-execution-keystore.old
- insight-execution-jwt.cert.old
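The Linux procedure above, written as a script with two checks worth running before the new certificate is copied to the workers. This is an added example, not FICO's own tooling; it assumes a JDK keytool on PATH, and the target directory is a parameter so the run can be rehearsed in a scratch directory before it is pointed at /etc/fico-xpress-insight-server.

```shell
#!/bin/sh
# Added example (not part of the Xpress Insight product): scripted rotation of
# the execution authentication KeyStore plus two post-rotation checks.
# Assumes: keytool from a JDK is on PATH; $1 is the server config directory.
set -eu

ALIAS="insight-execution-jwt"
KEYSTORE="insight-execution-keystore"
CERT="insight-execution-jwt.cert"

# 32 alphanumeric characters from the kernel CSPRNG (about 190 bits of entropy),
# i.e. the "securely random password" the procedure calls for.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Step 1 of the procedure for directory $1 and password $2: keep the old files as
# .old, generate a fresh 2048-bit RSA key in a PKCS12 store and export the
# certificate that goes to the workers. PKCS12 requires the key password to equal
# the store password, so -keypass is passed explicitly to avoid any prompt.
rotate_keystore() {
    dir=$1; pass=$2
    if [ -f "$dir/$KEYSTORE" ]; then mv "$dir/$KEYSTORE" "$dir/$KEYSTORE.old"; fi
    if [ -f "$dir/$CERT" ]; then mv "$dir/$CERT" "$dir/$CERT.old"; fi
    keytool -genkey -alias "$ALIAS" \
        -dname "cn=$ALIAS, ou=Unknown, o=Unknown, c=Unknown" \
        -storetype PKCS12 -keyalg RSA -keysize 2048 -validity 10000 \
        -keystore "$dir/$KEYSTORE" -storepass "$pass" -keypass "$pass" >/dev/null 2>&1
    keytool -export -alias "$ALIAS" -rfc \
        -keystore "$dir/$KEYSTORE" -storepass "$pass" -file "$dir/$CERT" >/dev/null 2>&1
}

# Check 1: the installer default "changeit" must no longer open the store.
default_password_rejected() {
    ! keytool -list -keystore "$1/$KEYSTORE" -storepass changeit >/dev/null 2>&1
}

# Check 2: the exported certificate must carry the same SHA-256 fingerprint as the
# key in the store, so the workers trust the key the server actually signs with.
sha256_fp() { grep -oE '([0-9A-F]{2}:){31}[0-9A-F]{2}' | head -n 1; }
cert_matches_keystore() {
    a=$(keytool -list -keystore "$1/$KEYSTORE" -storepass "$2" -alias "$ALIAS" | sha256_fp)
    b=$(keytool -printcert -file "$1/$CERT" | sha256_fp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: ./rotate-execution-keystore.sh /etc/fico-xpress-insight-server
if [ $# -gt 0 ]; then
    pass=$(gen_password); rotate_keystore "$1" "$pass"
    default_password_rejected "$1" && cert_matches_keystore "$1" "$pass" &&
        echo "rotated; store ENC(...) of this password in application.properties: $pass"
fi
```

After a successful run, encrypt the printed password for the key-store-password property, restart the server, then copy the new insight-execution-jwt.cert to each worker as in step 3.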