A custom certificate that is verified by a certificate authority provides increased
trustworthiness about the identity of the certificate owner. You can replace the default keystore
file with your own keystore file and server certificate.
Before you begin
You must generate your own server certificate and keystore file with a key and certificate
management utility that meets the requirements of your organization.
About this task
To replace the default keystore file:
Procedure
- Locate your keystore file to use in Global Mailbox.
- Copy your keystore file to the ${server.config.dir}/resources/security directory.
- Locate the server.xml file in the /opt/wlp/usr/servers/defaultServer directory.
- Edit the defaultKeyStore property to specify location, type, and password parameters.
  For example:
  <keyStore id="defaultKeyStore" location="myKey.p12" type="PKCS12"
  password="opensesame" />
  Tip: The password can be obfuscated with the Liberty securityUtility tool.
  Important: If the keystore contains more than one key, specify the alias of the key in the keystore for the server certificate by editing serverKeyAlias in defaultSSLConfig:
  - Open the server.xml file.
  - Specify the serverKeyAlias with the alias of the key in the keystore that is used for the server certificate.
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" serverKeyAlias="<alias>"/>
- Save the server.xml file.
- Restart the Liberty server to process the changes that you made to the keystore file.
- Optional: Check the messages.log file in /opt/wlp/usr/servers/defaultServer/logs to make sure that there are no errors with the keystore file change.
- Optional: Log in to the Global Mailbox administrator user interface to verify that the SSL connection is successful.
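
A pre-restart check of the edited server.xml can catch the two mistakes this procedure warns about: a keystore password left in plain text and a multi-key keystore without serverKeyAlias. The following is an added example, not part of the product documentation. The function name audit_keystore_config, its alias_count parameter (the number of key entries that you counted in your keystore) and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the example in this procedure (not a real configuration).
SAMPLE_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="myKey.p12" type="PKCS12"
            password="opensesame" />
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
</server>"""

# Prefixes written by "securityUtility encode". {xor} is reversible obfuscation,
# {aes} is encryption with a key. "${" marks a Liberty variable reference,
# which this check cannot evaluate and therefore does not flag.
ACCEPTED_PREFIXES = ("{xor}", "{aes}", "${")


def _by_id(root, tag, wanted_id):
    """Return the first <tag> element whose id attribute equals wanted_id, or None."""
    return next((e for e in root.iter(tag) if e.get("id") == wanted_id), None)


def audit_keystore_config(server_xml, alias_count=1):
    """Return a list of findings for the defaultKeyStore and defaultSSLConfig settings.

    alias_count is a hypothetical parameter: the caller supplies the number of
    key entries in the keystore, as reported by their key management utility.
    """
    root = ET.fromstring(server_xml)
    keystore = _by_id(root, "keyStore", "defaultKeyStore")
    if keystore is None:
        return ['no <keyStore id="defaultKeyStore"> element']

    findings = []
    for attr in ("location", "type", "password"):
        if not keystore.get(attr):
            findings.append(f"keyStore is missing the {attr} attribute")

    password = keystore.get("password", "")
    if password and not password.startswith(ACCEPTED_PREFIXES):
        findings.append("keyStore password is stored in plain text")

    ssl = _by_id(root, "ssl", "defaultSSLConfig")
    if alias_count > 1 and (ssl is None or not ssl.get("serverKeyAlias")):
        findings.append("keystore has several keys but serverKeyAlias is not set")
    if ssl is not None and ssl.get("keyStoreRef") not in (None, "defaultKeyStore"):
        findings.append("defaultSSLConfig does not reference defaultKeyStore")
    return findings


if __name__ == "__main__":
    for finding in audit_keystore_config(SAMPLE_SERVER_XML, alias_count=2):
        print("FINDING:", finding)
```

Run it against the contents of your own server.xml before you restart the Liberty server; an empty list means that none of the checked conditions were found.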