Upgrading CIS 6.2.x host server to advanced security using CIS 19.1+ security server

The CIS 6.2.x host server and CIS 19.1+ security server can use different CA certificate algorithms, since the algorithm has been upgraded on CIS 19.1+. When this happens, the host server cannot directly upgrade to advanced security mode.

The host server and security server must each import the other's CA into its own truststore. This indicates that they trust each other. Then, a TLS connection can be built for a successful security upgrade.

To import the CA:

  1. Verify that the truststore is available on the host server and security server.

    On the host server, the truststore is named truststore_clserver.jks. This is located at %HCIROOT%/server/certs. If this file is not available, then upgrade the host server to basic mode. Then, the file is automatically generated.

    On the security server, the truststore is named truststore_clsecurity.jks. This is located at %HCIROOT%/security/certs.

  2. Manually import the CA of CIS 6.2.x host server to truststore_clsecurity.jks of the CIS 19.1+ security server.
  3. Restart the CIS 19.1+ security server.
  4. Manually import the CA of CIS 19.1+ security server to truststore_clserver.jks of the CIS 6.2.x host server.
  5. Upgrade the CIS 6.2.x host server to advanced mode using the CIS 19.1+ security server.
    Note: The SHA256withDSA algorithm is not supported by JRE1.8.0_60. This is used in CIS 6.2.3 and previous versions. If the DSA algorithm has been used by the CA on the CIS 19.1+ security server, then upgrade the host server to CIS 6.2.3 or a later version.
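
The manual imports in steps 2 and 4 can be done with the JDK's keytool; the script below is an added example, not part of the original documentation. It checks the CA's signature algorithm against the DSA note above, backs up the truststore, and imports the CA. The certificate file names, the aliases, and the STOREPASS environment variable holding the truststore password are assumptions.

```shell
#!/bin/sh
# Added example: import a peer CA certificate into a CIS truststore with keytool.
# Assumptions (not from the original page): the peer CA was exported to a file,
# the aliases are hypothetical, and the truststore password is in $STOREPASS.

# Read `keytool -printcert` output on stdin and print the signature algorithm.
sig_alg() {
    sed -n 's/^[[:space:]]*Signature algorithm name:[[:space:]]*//p' | head -n 1
}

# Succeed if the algorithm is DSA-based (the case the note under step 5 covers).
is_dsa_alg() {
    case "$1" in
        *withDSA*) return 0 ;;
        *)         return 1 ;;
    esac
}

# usage: import_ca <truststore.jks> <ca-cert-file> <alias>
import_ca() {
    store=$1; cert=$2; name=$3
    [ -f "$store" ] || { echo "truststore not found: $store" >&2; return 2; }
    [ -f "$cert" ]  || { echo "CA certificate not found: $cert" >&2; return 2; }

    alg=$(keytool -printcert -file "$cert" | sig_alg)
    echo "CA signature algorithm: $alg"
    if is_dsa_alg "$alg"; then
        echo "warning: DSA-signed CA; check the SHA256withDSA note first" >&2
    fi

    # Keep a copy so a wrong import can be rolled back.
    cp -p "$store" "$store.bak" || return 1

    # Without -noprompt, keytool prints the certificate and asks for
    # confirmation: compare the fingerprint with the one shown on the peer.
    keytool -importcert -alias "$name" -file "$cert" \
        -keystore "$store" -storepass:env STOREPASS || return 1

    # Confirm the entry is now present as a trusted certificate.
    keytool -list -alias "$name" -keystore "$store" -storepass:env STOREPASS
}

# Step 2, on the security server (file name and alias are hypothetical):
#   ./import_ca.sh "$HCIROOT/security/certs/truststore_clsecurity.jks" host_ca.pem cis62-host-ca
# Step 4, on the host server:
#   ./import_ca.sh "$HCIROOT/server/certs/truststore_clserver.jks" security_ca.pem cis191-security-ca
if [ "$#" -eq 3 ]; then
    import_ca "$@"
fi
```

On a Windows host the same keytool options apply, with %HCIROOT% in place of $HCIROOT.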