Default certificates and keystores for the software containers

The dockerDeployZoa.sh and podmanDeployZoa.sh scripts generate a set of self-signed certificates, keystores, and truststores when you install the OCI images for the software containers. These certificates, keystores, and truststores are stored in an OCI volume that is shared among the software containers. For reference, an encoded copy is also stored on the Docker or Podman host system in the ZOA_HOME/zoasvc.tls file.

To keep the software containers running normally, do not remove the zaiops_shared OCI volume.

The automatically generated TLS artifacts include the following certificates, keystores, and truststores:
  • rootCA.crt: Contains the root certificate, which is required to establish an X.509 certificate authority for internal authentication.
  • zoasvc.crt: Contains the certificate for the common services (such as Apache Kafka, the authentication service, and the gateway service).
  • zoasvc.key: Contains the private key that pairs with the zoasvc.crt certificate.
  • zoasvc.ks: Contains the keystore in PKCS12 format; it holds the contents of both the zoasvc.crt and zoasvc.key files.
  • zoasvc.ts: Contains the truststore in PKCS12 format; it holds the contents of the zoasvc.crt file only.
The certificates, keystores, and truststores must be managed with the following commands:
  • Docker: dockerManageZoa.sh config-certificates
  • Podman: podmanManageZoa.sh config-certificates
Important:
  • The certificate alias that is used in the keystore and the truststore is zoa-services.
  • The keystore password is a randomly generated 16-character string drawn from the following character set: A-Z, a-z, 0-9, @, ?, ^, -, _. The key password is the same as the keystore password, as PKCS12 keystore specifications require.
  • The keystore password is base64-encoded and stored in the ZAIOPS_ZOASVC_PASS variable in the ZOA_HOME/zoa_env.config file.
  • To further increase security, the ZOA_HOME/zoa_env.config file permissions are set to 400, which limits access to the encoded password to superusers and to the user ID that generated the password.
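The checks below are an added example, not part of the ZOA deploy or manage scripts. They verify the host-side state described above: that zoa_env.config is mode 400, that ZAIOPS_ZOASVC_PASS decodes to a 16-character password from the documented set, that the five artifacts are present in a directory you point at (for example a copy extracted from the zaiops_shared volume), and, where a JDK keytool is available, that the keystore opens under the zoa-services alias. The example assumes an unquoted ZAIOPS_ZOASVC_PASS=<base64> line in zoa_env.config; the artifact directory path is the caller's.

```sh
#!/bin/sh
# Added post-install sanity checks for the generated TLS artifacts.
# Not part of the ZOA deploy/manage scripts. Assumes the documented layout:
# ZOA_HOME/zoa_env.config holds ZAIOPS_ZOASVC_PASS=<base64> (assumed unquoted)
# and is mode 400; artifact directory is supplied by the caller.

# Decode the base64-encoded keystore password from zoa_env.config.
# Prints the decoded password; returns 1 if the variable is absent.
zoa_keystore_password() {
    enc=$(sed -n 's/^ZAIOPS_ZOASVC_PASS=//p' "$1" | tr -d '"' | head -n 1)
    [ -n "$enc" ] || return 1
    printf '%s' "$enc" | base64 -d
}

# True if the decoded password has the documented shape: exactly 16
# characters drawn from A-Z a-z 0-9 @ ? ^ - _
zoa_password_format_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9@?^_-]{16}$'
}

# True if the file is exactly mode 400 (owner read only). A bare octal
# mode to find -perm is an exact match and is POSIX, unlike stat output.
zoa_mode_is_400() {
    [ -n "$(find "$1" -prune -perm 400 2>/dev/null)" ]
}

# True if all five generated artifacts are present in a directory.
zoa_artifacts_present() {
    for f in rootCA.crt zoasvc.crt zoasvc.key zoasvc.ks zoasvc.ts; do
        [ -f "$1/$f" ] || return 1
    done
}

# Confirm the PKCS12 keystore opens with the decoded password and holds
# the documented alias. Needs a JDK keytool; not exercised offline.
zoa_keystore_alias_ok() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
        -alias zoa-services >/dev/null 2>&1
}

# Run the host-side checks against ZOA_HOME; returns non-zero on a hard failure.
zoa_check_all() {
    cfg="$1/zoa_env.config"
    zoa_mode_is_400 "$cfg" || echo "WARN: $cfg is not mode 400"
    pw=$(zoa_keystore_password "$cfg") || { echo "FAIL: no ZAIOPS_ZOASVC_PASS in $cfg"; return 1; }
    zoa_password_format_ok "$pw" || echo "WARN: decoded password is not 16 chars from the documented set"
    echo "OK: keystore password decoded from $cfg"
}
if [ -n "${ZOA_HOME:-}" ]; then zoa_check_all "$ZOA_HOME"; fi
```

The keystore itself lives in the shared volume, so zoa_keystore_alias_ok expects a path to an extracted copy of zoasvc.ks.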