Default certificates and keystores for the software containers
The dockerDeployZoa.sh and podmanDeployZoa.sh scripts generate a set of self-signed certificates, keystores, and truststores when you install the OCI images for the software containers. These certificates, keystores, and truststores are stored in an OCI volume that is shared among the software containers. For reference, an encoded copy is also stored on the Docker or Podman host system in the ZOA_HOME/zoasvc.tls file.
To keep the software containers running normally, do not remove the zaiops_shared OCI volume.

The automatically generated TLS artifacts include the following certificates, keystores, and truststores:
- rootCA.crt: Contains the root certificate, which establishes the X.509 certificate authority that is used for internal authentication.
- zoasvc.crt: Contains the certificate for the common services (such as Apache Kafka, the authentication service, and the gateway service).
- zoasvc.key: Contains the private key that corresponds to the zoasvc.crt certificate.
- zoasvc.ks: Contains the keystore in PKCS12 format. It holds the contents of both the zoasvc.crt and zoasvc.key files.
- zoasvc.ts: Contains the truststore in PKCS12 format. It holds the contents of the zoasvc.crt file only.
The certificates, keystores, and truststores must be managed with the following commands:
- Docker: dockerManageZoa.sh config-certificates
- Podman: podmanManageZoa.sh config-certificates
Important:
- The certificate alias that is used in the keystore and the truststore is zoa-services.
- The keystore password is a randomly generated 16-character string that uses characters from the following set: A-Z, a-z, 0-9, @, ?, ^, -, _. The key password is the same as the keystore password, a requirement of the PKCS12 keystore implementation.
- The keystore password is stored base64-encoded in the ZAIOPS_ZOASVC_PASS variable in the ZOA_HOME/zoa_env.config file. Base64 is an encoding, not encryption: anyone who can read the file can recover the password.
- To limit access to the encoded password, the permissions of the ZOA_HOME/zoa_env.config file are set to 400, so that only the file owner (the user ID that generated the password) and the superuser can read it.
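To verify the generated artifacts from the host, the following POSIX shell script (an added example, not part of the dockerDeployZoa.sh, podmanDeployZoa.sh, or *ManageZoa.sh scripts) recovers the keystore password from ZAIOPS_ZOASVC_PASS in zoa_env.config, checks it against the documented 16-character policy, and confirms that the PKCS12 keystore opens with that password and carries the zoa-services alias. It assumes that openssl is installed on the host and that you have copied zoasvc.ks and zoasvc.crt out of the zaiops_shared volume to a local path; the copy step, the script file name check_zoa_tls.sh, and the function names are assumptions that this page does not describe.

```shell
#!/bin/sh
# Added example: verify the generated TLS artifacts from the host.
# Not part of the product scripts. Assumes openssl on the host and local
# copies of zoasvc.ks / zoasvc.crt taken from the zaiops_shared volume.
set -e

# Recover the keystore password: the ZAIOPS_ZOASVC_PASS value in
# zoa_env.config is base64-encoded (an encoding, not encryption).
# Accepts KEY=value or KEY="value"; prints the decoded password.
zoa_keystore_pass() {
  cfg="$1"
  enc=$(grep '^ZAIOPS_ZOASVC_PASS=' "$cfg" | head -n 1 | cut -d= -f2- | tr -d '"')
  if [ -z "$enc" ]; then
    echo "ZAIOPS_ZOASVC_PASS not found in $cfg" >&2
    return 1
  fi
  printf '%s' "$enc" | base64 -d
}

# Return 0 if the password has the documented shape: exactly 16 characters
# drawn from A-Z a-z 0-9 @ ? ^ - _ (anything else suggests a hand-edited
# or corrupted config file).
zoa_pass_matches_policy() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9@?^_-]{16}$'
}

# Return 0 if the PKCS12 keystore opens with the password and contains an
# entry whose friendlyName (the keystore alias) is the expected one.
# openssl prints the bag attributes on stdout; with a wrong password
# openssl fails, grep sees no input, and the function returns 1.
zoa_keystore_check() {
  ks="$1"; pass="$2"; want="${3:-zoa-services}"
  openssl pkcs12 -in "$ks" -passin "pass:$pass" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $want"
}

# Show who the service certificate is issued to/by and when it expires,
# which is what you need when planning a rotation with config-certificates.
zoa_cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Usage (script file name is assumed):
#   sh check_zoa_tls.sh ZOA_HOME/zoa_env.config /tmp/zoasvc.ks /tmp/zoasvc.crt
if [ $# -eq 3 ]; then
  pass=$(zoa_keystore_pass "$1")
  zoa_pass_matches_policy "$pass" \
    || echo "warning: password does not match the documented 16-character policy" >&2
  if zoa_keystore_check "$2" "$pass"; then
    echo "keystore OK: opens with ZAIOPS_ZOASVC_PASS and contains alias zoa-services"
  else
    echo "keystore check FAILED: wrong password or alias zoa-services missing" >&2
    exit 1
  fi
  zoa_cert_summary "$3"
fi
```

The script reads zoa_env.config as the file owner, so run it under the same user ID that ran the deploy script (or as root), since the file mode is 400. A failed keystore check after a manual edit of zoa_env.config usually means the base64 value no longer matches the password that protects zoasvc.ks; in that case regenerate the artifacts with the config-certificates command rather than editing the file by hand.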