Replacing the default truststore file

A truststore file contains certificates from other clients that you expect to communicate with, or from certificate authorities (CAs) that you trust to identify other clients. You can enable client authentication and replace the default truststore file with your own truststore file so that client certificates are validated against the certificates in your truststore rather than against the default one.

Before you begin

You must generate your own truststore file with a key and certificate management utility that is approved by the requirements of your organization.

About this task

To replace the default truststore file:

Procedure

  1. Copy your truststore file to the ${server.config.dir}/resources/security directory on the Global Mailbox server.
  2. Open the server.xml file in the /opt/wlp/usr/servers/defaultServer directory.
  3. Add an entry for the truststore, specifying the location, type, and password of the truststore:
    For example:
    <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="trustme" />
    Tip: The password can be obfuscated with the Liberty securityUtility tool.
  4. Specify the truststore and enable client authentication by editing the trustStoreRef and clientAuthentication attributes of defaultSSLConfig:
    Client authentication is disabled by default, so you must set clientAuthentication to true to enable it:
    <ssl id="defaultSSLConfig" trustStoreRef="defaultTrustStore" clientAuthentication="true" .../>
  5. Save the server.xml file.
  6. Restart the Liberty server to process the changes you make to the truststore file.
  7. Optional: Check the messages.log file in /opt/wlp/usr/servers/defaultServer/logs to confirm that no errors were logged for the truststore change.
  8. Optional: Log in to the Global Mailbox administrator user interface to verify that the SSL connection is successful.
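Before you restart the server in step 6, it is worth confirming that the edits from steps 3 and 4 are consistent: the ssl element must reference a keyStore id that exists, clientAuthentication must be true (the default is false, which silently leaves client certificates unchecked), and the truststore password should be in the obfuscated {xor} or {aes} form produced by the securityUtility tool rather than in plain text. The following script is an added example, not part of this procedure or of the Liberty product; it parses a server.xml and reports each departure from the procedure. The two embedded server.xml fragments are constructed samples, and the {xor} values in them are made-up placeholders, not real encoded passwords.

```python
"""Check the keyStore/ssl edits in a Liberty server.xml before restarting the server."""
import xml.etree.ElementTree as ET

# Constructed sample: the result of step 3 with the password left in plain text
# and step 4 applied without clientAuthentication, so the default (false) is in effect.
WEAK_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}PLACEHOLDER1" />
  <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="trustme" />
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
</server>"""

# Constructed sample: the same file with the truststore password obfuscated
# (placeholder value, not real securityUtility output) and client authentication enabled.
HARDENED_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}PLACEHOLDER1" />
  <keyStore id="defaultTrustStore" location="trust.jks" type="JKS" password="{xor}PLACEHOLDER2" />
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="true" />
</server>"""


def check_ssl_config(server_xml, ssl_id="defaultSSLConfig"):
    """Return a list of findings; an empty list means the file matches the procedure."""
    findings = []
    root = ET.fromstring(server_xml)

    # Index every keyStore element by id so trustStoreRef can be resolved.
    keystores = {ks.get("id"): ks for ks in root.iter("keyStore") if ks.get("id")}

    ssl = next((e for e in root.iter("ssl") if e.get("id") == ssl_id), None)
    if ssl is None:
        return [f'no <ssl id="{ssl_id}"> element found']

    ref = ssl.get("trustStoreRef")
    if not ref:
        findings.append("ssl element has no trustStoreRef; the default truststore is still in use")
    elif ref not in keystores:
        findings.append(f"trustStoreRef '{ref}' does not match any keyStore id")
    else:
        truststore = keystores[ref]
        password = truststore.get("password", "")
        # Liberty stores obfuscated passwords with a {xor} or {aes} prefix.
        if not password.startswith(("{xor}", "{aes}")):
            findings.append(f"keyStore '{ref}' password is stored in plain text")
        if not truststore.get("location"):
            findings.append(f"keyStore '{ref}' has no location")

    # Client authentication is off unless explicitly set to true.
    if ssl.get("clientAuthentication", "false").lower() != "true":
        findings.append("clientAuthentication is not true; client certificates are not required")

    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, check_ssl_config(xml_text) or "OK")
```

To run it against a real file, replace the embedded sample with the contents of /opt/wlp/usr/servers/defaultServer/server.xml; the check only reads the file and reports findings, so it is safe to run before the restart in step 6.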