It is a recommended best practice to define a JVM system trust store that contains the minimum set of trusted CA certificates required for the IdP to function. All of the IdP's features support explicit configuration of trust material on a per-component/feature basis, and we strongly recommend that approach. Where a system-level set is necessary, it should be minimized (ideally empty) to prevent accidental use of unexpected trust anchors.

...

Use this Bash script to generate a PKCS#12 trust store. The only requirement for the script is a functional JDK with the keytool utility on the path.

Sample script usage:
marvin@petros:~$ ls TrustedCerts/
vtc1sca.pem	vtgrootca.pem	vtmwca.pem	vtuca.pem
vtgqsca.pem	vtgsca.pem	vtrootca.pem
marvin@petros:~$ gen-truststore.sh TrustedCerts/ $IDP_HOME/conf/minimal-system-trust.p12
Processing TrustedCerts/vtc1sca.pem
Certificate was added to keystore
Processing TrustedCerts/vtgqsca.pem
Certificate was added to keystore
Processing TrustedCerts/vtgrootca.pem
Certificate was added to keystore
Processing TrustedCerts/vtgsca.pem
Certificate was added to keystore
Processing TrustedCerts/vtmwca.pem
Certificate was added to keystore
Processing TrustedCerts/vtrootca.pem
Certificate was added to keystore
Processing TrustedCerts/vtuca.pem
Certificate was added to keystore
Truststore created with trusted certificates:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 7 entries

vtc1sca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): E4:6F:B9:58:B7:85:CB:DB:93:B6:86:5B:F8:A9:83:7A:B0:B7:D0:27
vtgqsca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 8C:D1:CD:9E:24:3D:7C:15:4C:EC:FA:B8:C1:EA:AA:85:C1:48:DB:11
vtgrootca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): E0:95:6F:11:6F:59:A0:99:79:AB:38:2F:3C:16:16:A9:9A:DB:83:AE
vtgsca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 10:3C:2B:C0:02:C0:4F:F9:5E:D4:85:CE:CD:F8:85:34:6A:63:DC:AB
vtmwca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 95:88:44:22:CE:30:4E:62:B7:4C:83:5F:3B:05:24:0C:BC:D8:3A:83
vtrootca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): AF:6F:EB:42:FA:2F:E4:A2:6E:9F:7F:B5:B5:FF:3A:BC:13:C6:0D:81
vtuca, Dec 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): AC:01:D0:4E:23:08:93:BC:BA:F4:50:CA:15:58:2C:3A:88:40:B7:B7
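
The page's gen-truststore.sh itself is not shown above, so here is an added example of a script that produces the output shown; it is not the project's own script. It assumes keytool on the PATH, a directory of CA certificates named *.pem, and uses the file name (minus .pem) as the keystore alias, as the listing above suggests.

```shell
#!/bin/sh
# Added example, not the project's gen-truststore.sh: build a PKCS#12 trust store
# containing only the PEM certificates found in one directory.
# Assumes: keytool on PATH; certificates named *.pem; alias = file name minus .pem.
set -eu

# Keystore alias for a certificate file: strip directory and extension
# (TrustedCerts/vtc1sca.pem -> vtc1sca).
cert_alias() {
    base=$(basename "$1")
    printf '%s\n' "${base%.*}"
}

# Refuse to extend a store that already exists: a minimal trust store should be
# rebuilt from scratch so that stale anchors cannot linger in it.
require_absent() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing store: $1" >&2
        return 1
    fi
}

# Import every *.pem in the directory as a trustedCertEntry, then list the result.
# The store password protects nothing secret (public certificates only); the
# default matches the catalina.properties example on this page.
gen_truststore() {
    dir=$1 store=$2 pass=${3:-password}
    require_absent "$store"
    count=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        count=$((count + 1))
        echo "Processing $cert"
        keytool -importcert -noprompt \
            -alias "$(cert_alias "$cert")" -file "$cert" \
            -keystore "$store" -storetype PKCS12 -storepass "$pass"
    done
    [ "$count" -gt 0 ] || { echo "no .pem files found in $dir" >&2; return 1; }
    echo "Truststore created with trusted certificates:"
    keytool -list -keystore "$store" -storetype PKCS12 -storepass "$pass"
}

# Usage: gen-truststore.sh <cert-dir> <store.p12> [store-password]
if [ "$#" -ge 2 ]; then
    gen_truststore "$@"
else
    echo "usage: $0 <cert-dir> <store.p12> [store-password]" >&2
fi
```

Because the import loop never reads an existing store, running it twice cannot silently accumulate anchors; delete the old .p12 and regenerate it when the trusted set changes.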

...

Add the following lines to the file $CATALINA_BASE/conf/catalina.properties:

javax.net.ssl.trustStore=/path/to/your/idp.home/conf/minimal-system-trust.p12
javax.net.ssl.trustStoreType=PKCS12
javax.net.ssl.trustStorePassword=password

...