Initializing help system before first use

Protecting the Execution Authentication KeyStore

Communication between the Insight Server and its Execution Workers is secured with JWT-based authentication and a public/private key pair generated at server installation. This is referred to as Execution Authentication.

Important: Only the server has access to the sensitive private key; the workers are configured with the associated public key.
You must have administrator rights on the host machines.
The private key and its public certificate reside in the Java KeyStore insight-execution-keystore, the certificate is also exported to insight-execution-jwt.cert for convenience when copying to the execution workers. The Insight Server installer creates the insight-execution-keystore and its private key with the default Java KeyStore password of changeit.

Protecting the Execution Authentication KeyStore on Windows

  1. Generate a new execution KeyStore and certificate, protected by a securely random password. Perform the following steps:
    1. Open a command prompt. 
      cd %PROGRAMDATA%\FICO\XpressInsight\Server\config
    2. Rename the existing KeyStore and certificate. 
      ren insight-execution-keystore insight-execution-keystore.old
ren insight-execution-jwt.cert insight-execution-jwt.cert.old
    3. Generate a new public/private keypair in the file insight-execution-keystore with a new password. 
      keytool -genkey -v -alias "insight-execution-jwt" ^
        -dname "cn=insight-execution-jwt, ou=Unknown, o=Unknown, c=Unknown" ^
        -storetype PKCS12 -keyalg RSA -keysize 2048 -validity 10000 ^
        -keystore "insight-execution-keystore" -storepass "securely-random-password"
      Note: The symbol ^ indicates the command continues to the next displayed line.
    4. Export the new public key as a certificate in the file insight-execution-jwt.cert. 
      Keytool -export -v -alias "insight-execution-jwt" -rfc ^
        -keystore "insight-execution-keystore" -storepass "securely-random-password" ^
        -file "insight-execution-jwt.cert"
  2. Configure the Insight Server with the new securely random password. Edit application.properties and configure the server with the KeyStore password used above. This should be supplied as an encrypted value, see Encrypting Sensitive Information in Configuration Files. 
    
insight.server.execution.authentication.key-store-password=ENC(encrypted securely-random-password)
  3. Restart the server.
  4. Copy the new execution authentication certificate insight-execution-jwt.cert (created in step 1 of this Windows procedure) from the server to the workers, replacing the worker's existing certificate.
    Copy the file from: 
    %PROGRAMDATA%\Fico\XpressInsight\Server\config\insight-execution-jwt.cert
    To this location: 
    %PROGRAMDATA%\Fico\XpressInsight\Worker\config\insight-execution-jwt.cert
    Note: This may potentially be on a separate host.
  5. Remove the old KeyStore and certificate files from the server created in step 1 of this Windows procedure.
    • insight-execution-keystore.old
    • insight-execution-cert.old

Protecting the Execution Authentication KeyStore on Linux

  1. Generate a new execution KeyStore and certificate, protected by a securely random password. Perform the steps below:
    1. Open a terminal window. 
      cd /etc/fico-xpress-insight-server
    2. Rename the existing KeyStore and certificate. 
      mv insight-execution-keystore insight-execution-keystore.old
mv insight-execution-jwt.cert insight-execution-jwt.cert.old
    3. Generate a new public/private keypair in the file insight-execution-keystore with a new password. 
      keytool -genkey -v -alias "insight-execution-jwt" \
        -dname "cn=insight-execution-jwt, ou=Unknown, o=Unknown, c=Unknown" \
        -storetype PKCS12 -keyalg RSA -keysize 2048 -validity 10000 \
        -keystore "insight-execution-keystore" -storepass "securely-random-password"
      Note: The symbol \ indicates the command continues to the next displayed line.
    4. Export the new public key as a certificate in the file insight-execution-jwt.cert. 
      Keytool -export -v -alias "insight-execution-jwt" -rfc \
        -keystore "insight-execution-keystore" -storepass "securely-random-password" \
        -file "insight-execution-jwt.cert"
  2. Configure the Insight Server with the new securely random password. Edit application.properties and configure the server with the KeyStore password used above. This should be supplied as an encrypted value, see Encrypting Sensitive Information in Configuration Files. 
    insight.server.execution.authentication.key-store-password=ENC(encrypted securely-random-password)
  3. Restart the server.
  4. Copy the new execution authentication certificate insight-execution-jwt.cert (created in step 1 of this Linux procedure) from the server to the workers, replacing the worker's existing certificate.
    Copy the file from: 
    /etc/fico-xpress-insight-server/insight-execution-jwt.cert
    To this location: 
    /etc/fico-xpress-insight-worker/insight-execution-jwt.cert
    Note: This may potentially be on a separate host.
  5. Remove the old KeyStore and certificate files from the server created in step 1 of this Linux procedure.
    • insight-execution-keystore.old
    • insight-execution-cert.old
Parent Topic Securing Xpress Insight

© 2001-2025 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.