A Java keystore is a repository of security certificates and their corresponding private keys. It can be used to hold the key and certificate that protect SSL connections. It is possible to run the Onegini Token Server container with a custom keystore.
This page covers the configuration of a custom keystore used for the SSL listener. It is divided into the following sections:
- Create a new Java keystore
- Migrate an existing cert and key to the keystore
- Grant access
- Set up the truststore
Create a new Java keystore
This section describes how to create a new Java keystore. It is also possible to migrate an existing cert and key.
Create the folder
Before we can use the keystore, we need a folder to store the keystore file. This folder will be mounted to the Onegini Token Server container later on.
mkdir -p /opt/onegini/data/keystore
If you are using SELinux, you need to give Docker access to this folder. To do this you can use the following command:
chcon -Rt svirt_sandbox_file_t /opt/onegini/data/keystore
Run the following command to generate the keystore:
keytool -genkey -alias tokenserver -keyalg RSA -keystore keystore.jks
When prompted, enter the information required to generate a CSR.
Migrate an existing cert and key to the keystore
If you have an existing key and certificate you can transform these into a Java keystore as follows:
openssl pkcs12 -export -in cert.pem -inkey key.pem > keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12
Make sure that the keystore password and alias password are the same.
Now we can copy the keystore to the folder we have created.
cp keystore.jks /opt/onegini/data/keystore/keystore.jks
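The create and migrate steps above, as an added shell example that is not Onegini's own tooling. It assumes openssl and keytool are on PATH, takes the alias (the value you will later use for TOKEN_SERVER_KEYSTORE_ALIAS) and the password as arguments, uses one password for both the store and the key as the Token Server requires, and verifies the alias before you copy the file into the keystore folder.

```shell
#!/bin/sh
# Added example (not part of the Onegini documentation or product).
# Converts an existing PEM cert/key pair into a JKS keystore whose alias and
# password match what the Token Server expects. Assumes openssl and keytool
# are available on PATH.
set -eu

# pem_to_jks CERT_PEM KEY_PEM OUT_JKS ALIAS PASSWORD
# Builds an intermediate PKCS12, imports it into a JKS and verifies the alias.
pem_to_jks() {
  cert="$1"; key="$2"; out="$3"; alias="$4"; pass="$5"
  tmp_p12="${out%.jks}.p12"

  # -name sets the PKCS12 friendlyName. Without it keytool imports the entry
  # under the alias "1", which would not match TOKEN_SERVER_KEYSTORE_ALIAS.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
      -out "$tmp_p12" -passout "pass:$pass"

  # Store password and key password must be identical for the Token Server,
  # so the same value is given for -deststorepass and -destkeypass.
  keytool -importkeystore -noprompt \
      -srckeystore "$tmp_p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
      -srcalias "$alias" -destalias "$alias" \
      -destkeystore "$out" -deststoretype JKS \
      -deststorepass "$pass" -destkeypass "$pass"

  # The intermediate PKCS12 holds the private key too; do not leave it behind.
  rm -f "$tmp_p12"
  # Only the owner (chown'd to onegini later) should be able to read the key.
  chmod 600 "$out"

  # Fail if the alias is missing or is not a private key entry.
  keytool -list -keystore "$out" -storepass "$pass" -alias "$alias" \
      | grep -q PrivateKeyEntry
}

# Usage: ./pem_to_jks.sh cert.pem key.pem keystore.jks tokenserver <password>
if [ "$#" -eq 5 ]; then
  pem_to_jks "$@"
fi
```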
Grant access
Before we can use the keystore in the Onegini Token Server container we need to give the onegini user access to the keystore.
chown -R onegini:onegini /opt/onegini/data/keystore
Set up the truststore
If the server's certificate is not trusted by the default certificates file (cacerts), set up a custom truststore.
Mount your local directory /opt/onegini/data/keystore as the volume /opt/token-server/engine/data for the engine.
This is how you configure the mapping in docker-compose:
engine:
  volumes:
    - "/opt/onegini/data/keystore:/opt/token-server/engine/data"
  ports:
and set the following environment variables:
TOKEN_SERVER_KEYSTORE_PASSWORD=<YOUR PASSWORD>
TOKEN_SERVER_KEYSTORE_ALIAS=<YOUR SSL KEY ALIAS>
TOKEN_SERVER_KEYSTORE_ENABLED=true
Apply similar settings to the admin docker service if needed. The default directory for the keystore of the admin container is
Restart the container.