Custom keystore

A Java keystore is a repository of security certificates and their corresponding private keys. It is used to supply the certificate and private key for SSL connections. It is possible to run the Onegini Token Server container with a custom keystore.

This page covers the configuration of a custom keystore used for the SSL listener. It is divided into the following sections: creating a new Java keystore (including migrating an existing certificate and key), setting up the truststore, and configuration.

Create a new Java keystore

This section describes how to create a new Java keystore. It is also possible to migrate an existing certificate and key instead of generating a new one.

Create the folder

Before we can use the keystore, we need a folder to store the keystore file. This folder will be mounted to the Onegini Token Server container later on.

mkdir -p /opt/onegini/data/keystore

If you are using SELinux, you need to give Docker access to this folder. To do this you can use the following command:

chcon -Rt svirt_sandbox_file_t /opt/onegini/data/keystore

Generate keystore

Perform the following command to generate the keystore.

keytool -genkey -alias tokenserver -keyalg RSA -keystore keystore.jks

Once prompted, enter the information required to generate a CSR.

Migrate an existing cert and key to the keystore

If you have an existing key and certificate, you can transform these into a Java keystore as follows:

openssl pkcs12 -export -in cert.pem -inkey key.pem > keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12

Make sure that the keystore password and the password of the key entry (alias) are the same.

Copy

Now we can copy the keystore to the folder we have created.

cp keystore.jks /opt/onegini/data/keystore/keystore.jks

Grant access

Before we can use the keystore in the Onegini Token Server container we need to give the onegini user access to the keystore.

chown -R onegini:onegini /opt/onegini/data/keystore

Set up the truststore

If the server's certificate is not trusted by the default certificates file (cacerts), set up a custom truststore.

Configuration

Mount your local directory /opt/onegini/data/keystore as volume /opt/token-server/engine/data for the engine.

This is how you configure the mapping in docker-compose:

engine:
  volumes:
    - "/opt/onegini/data/keystore:/opt/token-server/engine/data"
  ports:

and edit the following environment variables:

TOKEN_SERVER_KEYSTORE_PASSWORD=<YOUR PASSWORD>
TOKEN_SERVER_KEYSTORE_ALIAS=<YOUR SSL KEY ALIAS>
TOKEN_SERVER_KEYSTORE_ENABLED=true

Apply similar settings to the admin Docker service if needed. The default directory for the keystore of the admin container is /opt/token-server/admin/data. Restart the container afterwards.
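The steps above (migrating a PEM certificate and key, placing the keystore in the mounted folder, granting access and filling in the environment variables) are easy to get subtly wrong: a key password that differs from the store password, a keystore left world-readable, or the `<YOUR ...>` placeholders left in the environment file. The script below is an added example, not part of the Onegini documentation or product. It wraps the two migration commands so that the PKCS12 export, the JKS store and the key entry all use the same password, and it adds preflight checks to run on the Docker host before restarting the container. The folder /opt/onegini/data/keystore, the onegini user and the TOKEN_SERVER_KEYSTORE_* variable names come from this page; the function names, the env file name token-server.env and the requirement that the keystore not be readable by other users are assumptions of this example.

```shell
#!/bin/sh
# Added example: migrate a PEM cert/key into keystore.jks and preflight-check
# the mounted keystore directory and the TOKEN_SERVER_KEYSTORE_* settings.
# Paths and the "onegini" owner follow the documentation; the env file name
# and the function names are assumptions of this example.

# pem_to_jks CERT KEY ALIAS PASSWORD OUTDIR
# Runs the openssl and keytool migration so that the PKCS12 export password,
# the JKS store password and the key password are all PASSWORD. Needs
# openssl and keytool on the host.
pem_to_jks() {
    cert=$1; key=$2; alias=$3; password=$4; outdir=$5
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
        -out "$outdir/keystore.p12" -passout "pass:$password" || return 1
    keytool -importkeystore -noprompt \
        -srckeystore "$outdir/keystore.p12" -srcstoretype PKCS12 \
        -srcstorepass "$password" -srcalias "$alias" \
        -destkeystore "$outdir/keystore.jks" -deststoretype JKS \
        -deststorepass "$password" -destalias "$alias" -destkeypass "$password" \
        || return 1
    # The intermediate PKCS12 file holds the same private key; do not leave it behind.
    rm -f "$outdir/keystore.p12"
}

# keystore_dir_ok DIR OWNER
# Returns 0 when DIR/keystore.jks exists, is owned by OWNER and is not
# accessible by "other". Prints one line per failed check.
keystore_dir_ok() {
    dir=$1; owner=$2; rc=0
    ks="$dir/keystore.jks"
    if [ ! -f "$ks" ]; then
        echo "missing: $ks"; return 1
    fi
    actual_owner=$(ls -ld "$ks" | awk '{print $3}')
    if [ "$actual_owner" != "$owner" ]; then
        echo "owner of $ks is $actual_owner, expected $owner"; rc=1
    fi
    # Characters 8-10 of the ls mode string are the "other" rwx bits
    # (e.g. -rw-r--r-- -> "r--"); a world-readable keystore exposes the
    # private key to every local account on the Docker host.
    other_bits=$(ls -ld "$ks" | cut -c8-10)
    case $other_bits in
        ---) ;;
        *) echo "$ks is accessible by others (mode bits '$other_bits')"; rc=1 ;;
    esac
    return $rc
}

# keystore_env_ok FILE
# Reads KEY=VALUE lines from an env file and checks that, when the keystore
# is enabled, the password and alias are set and not left as the
# <YOUR ...> placeholders from the documentation.
keystore_env_ok() {
    file=$1; rc=0
    enabled=$(sed -n 's/^TOKEN_SERVER_KEYSTORE_ENABLED=//p' "$file")
    password=$(sed -n 's/^TOKEN_SERVER_KEYSTORE_PASSWORD=//p' "$file")
    alias=$(sed -n 's/^TOKEN_SERVER_KEYSTORE_ALIAS=//p' "$file")
    [ "$enabled" = "true" ] || { echo "TOKEN_SERVER_KEYSTORE_ENABLED is not true"; return 1; }
    case $password in
        ""|"<"*) echo "TOKEN_SERVER_KEYSTORE_PASSWORD is empty or a placeholder"; rc=1 ;;
    esac
    case $alias in
        ""|"<"*) echo "TOKEN_SERVER_KEYSTORE_ALIAS is empty or a placeholder"; rc=1 ;;
    esac
    return $rc
}

# keystore_alias_ok DIR ALIAS PASSWORD
# Uses keytool, if installed, to confirm that ALIAS is a private key entry
# and that PASSWORD opens both the store and the key: generating a CSR
# needs the private key, so it fails when the key password differs.
keystore_alias_ok() {
    dir=$1; alias=$2; password=$3
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, alias check skipped"; return 0; }
    keytool -list -keystore "$dir/keystore.jks" -storepass "$password" -alias "$alias" 2>/dev/null \
        | grep -q PrivateKeyEntry || { echo "alias $alias is not a PrivateKeyEntry"; return 1; }
    keytool -certreq -keystore "$dir/keystore.jks" -storepass "$password" \
        -keypass "$password" -alias "$alias" >/dev/null 2>&1 \
        || { echo "key password for $alias differs from the store password"; return 1; }
}

# Usage on the Docker host: sh check-keystore.sh check
if [ "${1:-}" = "check" ]; then
    keystore_dir_ok /opt/onegini/data/keystore onegini
    keystore_env_ok ./token-server.env
fi
```

Run the checks after `chown -R onegini:onegini /opt/onegini/data/keystore` and before restarting the engine container; the same functions apply to the admin container's keystore directory with a different first argument.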