security parameter

Use the security parameter for SSL configurations to specify the trust store for Sterling™ Order Management System Software containers.

By default the Sterling Order Management System Software containers trust the java CA certs.

The following .yaml file is a sample schema of security.

  security:
    ssl:
      trust:
        # storeLocation: ""
        # storeType: PKCS12
        # trustJavaCACerts: true
        # trustedCertDir: ""

The following table explains the attributes applicable for security parameter of OMEnvironment.

Table 1. Properties for `security`
Property	Default value	Value type	Required	Description
`ssl.trust.trustedCertDir`		string	No	Specify the directory in shared volume, which contains the certificates that Sterling Order Management System Software containers should trust. The importing of certificates is a CPU intensive task, hence this feature is recommended to be used when you have only a few certificates to import.
`ssl.trust.storeLocation`		string	No	Specify the path to the JVM TrustStore. Ensure to pass the TLS TrustStore password is provided under `stringData.trustStorePassword` attribute of the secret. For more information, see Create a Secret.
`ssl.trust.storeType`	`PKCS12`	string	No	Specify the type of truststore. Available options are `PKCS12` and `JKS`.
`ssl.trust.trustJavaCACerts`	`true`	boolean	No	Set the value to true if you want the servers to trust the default Java CA certificates.

SSL configurations for securing external connections

Note: The connection between the client and the ingress must be always on https instead of http.

When exchanging data, there are situations where your application or agent servers need to communicate with an external or a third-party service over secure protocols such as HTTPS for leveraging certain capabilities. At times, some services require mutual authentication (mTLS) to securely exchange data. To enable trust with the external services and establish a successful secure connection, you need to configure SSL certificates in application and agent servers. The Sterling Order Management System Software Operator provides following properties to configure the SSL certificates for your application and agent servers.

Trusting external server certificates
To trust an external service from your application or agent servers, the Sterling Order Management System Software Operator provides the following options.
- Using default java trusted certificates
  By default, the application trusts all the CA certificates bundled with the JRE. Any certificate signed with a globally recognized CA is trusted. In case you do not want your servers to trust the certificates in default Java TrustStore, set the value of ssl.trust.trustJavaCACerts property to False.
- Using a custom TrustStore
  This option provides you the flexibility to trust the specific services with which your application must establish SSL connection. You can create your own TrustStore by using the keytool command of JDK in p12 format. Copy the newly created TrustStore to the Persistent Volume and provide the complete path to the TrustStore with respect to the volume mounted within the pod in the custom resource parameters by using ssl.trust.storeLocation. Also, add the password for this TrustStore in the secret that is created as a prerequisite provided in Creating a secret, with the key trustStorePassword.
  
  For example, if the TrustStore is present in the Persistent Volume at certs/truststore.p12, set the value of ssl.trust.storeLocation property to /shared/certs/truststore.p12.
- Using a directory containing trusted certificates
  This option provides you the ability to pass trusted server certificates as PEM files in the Persistent Volume. Provide the path to the directory that contains the trusted certificates in the custom resource parameters by using ssl.trust.trustedCertDir. The application and agent servers already use the default Java TrustStore.
Note: In Sterling Order Management System Software Operator version 1.0.1 and higher, the ssl.trust.storeLocation and ssl.trust.trustedCertDir parameters act independently. In earlier versions, these parameters were mutually exclusive.

Note: If you add a new certificate to the TrustStore, ensure that you perform a rolling update of application and agent servers so that the new certificates are considered.