For secure communication with another process over HTTPS, add the public certificate of
the other process as a signer certificate to a Liberty truststore.
Documentation for the transportSecurity-1.0 feature is available on the Open Liberty website.
About this task
Many variations exist in the way you can configure certificates and truststores. This procedure
covers only common configurations.
Procedure
- Obtain the public certificate from the other process.
  You can obtain the public certificate by using a web browser or open source tools. If you have
  direct access to the keystore of the other process, the key can be extracted from it. Use one of the
  following three methods. Steps might change slightly over time as browsers and open source tools are
  updated.
- Add the certificate to a Liberty truststore.
  - Determine which file to modify.
    Truststores are usually found in the resources/security path of the Liberty server. In the simplest default
    configuration, the key.jks file functions as both the keystore and the truststore.
    Another common configuration consists of one file as a keystore, and another as a truststore.
    Use of multiple truststores is possible. If you have this configuration, examine the server
    configuration to determine which files are to receive the certificate.
    If you previously received an error message in the messages.log file, the
    error message might say which truststore needs to be updated.
  - Make a backup copy of the key file in case any problems occur.
  - Use the keytool command to add the certificate to the file.

    keytool -importcert \
      -file <certificate to trust> \
      -alias <alias for the certificate> \
      -keystore <name of the truststore> \
      -storepass <password for the truststore> \
      -storetype <type of the keystore>

    In version 19.0.0.2 and earlier, use the following syntax. The -storetype option has a value of
    jks.

    keytool -importcert \
      -file <certificate to trust> \
      -alias <alias for the certificate> \
      -keystore <name of the truststore> \
      -storepass <password for the truststore> \
      -storetype jks
- Restart the server.
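The "determine which file to modify" step above is the one most often done by eye. The following added example (not code from the Liberty project or this documentation) reads the <ssl> and <keyStore> elements of a constructed server.xml, resolves which file each SSL configuration uses as its truststore (falling back to keyStoreRef when trustStoreRef is absent, the "key.jks serves as both" case), and builds the matching keytool import command from the procedure. The server directory, the sample server.xml and the extension-based store type inference are assumptions made for the example.

```python
"""Resolve which Liberty truststore file(s) should receive a new signer certificate."""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one default-style config where the keystore
# doubles as the truststore, one config with a separate outbound truststore.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" location="key.p12" password="secret"/>
  <keyStore id="outboundTrust" location="/opt/ol/trust.jks" password="secret"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <ssl id="outboundSSL" keyStoreRef="defaultKeyStore" trustStoreRef="outboundTrust"/>
</server>"""

SERVER_CONFIG_DIR = "/opt/ol/wlp/usr/servers/defaultServer"  # assumed server directory


def store_type(ks):
    """Explicit type attribute wins; otherwise infer from the file extension
    (.jks -> JKS, anything else -> PKCS12). Assumed inference rule."""
    if ks.get("type"):
        return ks.get("type")
    ext = os.path.splitext(ks.get("location", ""))[1].lower()
    return "JKS" if ext == ".jks" else "PKCS12"


def truststore_targets(server_xml, config_dir):
    """Return {ssl id: (absolute truststore path, store type)} for every <ssl> element."""
    root = ET.fromstring(server_xml)
    stores = {ks.get("id"): ks for ks in root.iter("keyStore")}
    targets = {}
    for ssl in root.iter("ssl"):
        # No trustStoreRef means the keystore is also the truststore.
        ref = ssl.get("trustStoreRef") or ssl.get("keyStoreRef")
        ks = stores[ref]  # KeyError here means a dangling reference in server.xml
        loc = ks.get("location")
        if not os.path.isabs(loc):
            # A bare file name is relative to the server's resources/security directory.
            loc = os.path.join(config_dir, "resources", "security", loc)
        targets[ssl.get("id")] = (loc, store_type(ks))
    return targets


def keytool_import_cmd(cert_file, alias, path, storetype, password):
    """Build the keytool -importcert command from the procedure for one target file."""
    return ["keytool", "-importcert", "-file", cert_file, "-alias", alias,
            "-keystore", path, "-storepass", password, "-storetype", storetype]


if __name__ == "__main__":
    for ssl_id, (path, stype) in truststore_targets(SAMPLE_SERVER_XML, SERVER_CONFIG_DIR).items():
        print(ssl_id, "->", " ".join(keytool_import_cmd("partner.crt", "partner", path, stype, "secret")))
```

Run it against the real server.xml (and its included files) before importing, so that a certificate meant for an outbound SSL configuration does not end up only in the default keystore.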