Custom truststore

A truststore defines the (self-signed) certificates that the Onegini Token Server trusts when it creates SSL connections. This covers connections to external systems or a database and, if applicable, the server's own certificate configured via the keystore.

It is possible to run the Onegini Token Server container with a custom truststore.

This page is divided into the following sections:

- Create folder
- Generate truststore
- Copy
- Grant access
- Start container

Create folder

Before we can use the truststore, we need a folder to store the truststore file. This folder will be mounted to the Onegini Token Server container later on.

mkdir -p /opt/onegini/data/truststore

If you are using SELinux, you need to give Docker access to this folder. To do this you can use the following command:

chcon -Rt svirt_sandbox_file_t /opt/onegini/data/truststore

Generate truststore

Generate the truststore by importing the certificate(s) you want to trust:

keytool -importcert -file clientCert.pem -alias token-server -keystore truststore.jks

When prompted, enter a password for the truststore. The same password must later be passed to the application via the TOKEN_SERVER_TRUSTSTORE_PASSWORD environment variable, as described below.

If you want to trust the imported certificates in addition to the generally trusted root CAs, use (a copy of) the default truststore as the base. The default truststore is typically located at <java-home>/lib/security/jssecacerts or <java-home>/lib/security/cacerts.

Copy

Now we can copy the truststore to the folder we created.

cp truststore.jks /opt/onegini/data/truststore/truststore.jks

Grant access

Before we can use the truststore in the Onegini Token Server container we need to give the onegini user access to the truststore.

chown -R onegini:onegini /opt/onegini/data/truststore

Start container

Mount your local directory /opt/onegini/data/truststore as volume /opt/data/truststore.

This is how you configure the mapping in docker-compose:

engine:
  volumes:
    - "/opt/onegini/data/truststore:/opt/data/truststore"
  ports:

and set the following environment variables for the service:

TOKEN_SERVER_TRUSTSTORE_ENABLED=true
TOKEN_SERVER_TRUSTSTORE_PASSWORD=<YOUR PASSWORD>

Apply the same settings to the admin docker service. Restart the containers.
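The steps above (create the folder, build the truststore, copy it, grant access, mount it) can be scripted end to end. The following script is an added example and is not part of the Onegini documentation or product; it assumes keytool is on the PATH, that the certificate files are passed as arguments, and that the truststore password is already exported as TOKEN_SERVER_TRUSTSTORE_PASSWORD. The function and variable names (build_truststore, check_truststore_dir, BASE_TRUSTSTORE, TRUSTSTORE_OWNER) are the example's own. It also adds the check a practitioner wants before mounting the folder: the truststore must exist, belong to the onegini user and must not be world-writable, because anyone who can write it can add a certificate the server would trust. When a copy of the JDK's cacerts is used as the base, its well-known default password ("changeit") is replaced with the configured one.

```shell
#!/bin/sh
# Added example (not Onegini's own code): build, install and verify the custom truststore.
# Assumptions: keytool on PATH; PEM certificates given as arguments;
# TOKEN_SERVER_TRUSTSTORE_PASSWORD exported before running with arguments.
set -eu

TRUSTSTORE_DIR=${TRUSTSTORE_DIR:-/opt/onegini/data/truststore}   # folder from the page
TRUSTSTORE_FILE=truststore.jks
TRUSTSTORE_OWNER=${TRUSTSTORE_OWNER:-onegini}                     # user the container runs as
# Optional: BASE_TRUSTSTORE=$JAVA_HOME/lib/security/cacerts keeps the public root CAs trusted.

# Import each certificate (alias = file name without extension) into the truststore at $1.
build_truststore() {
    out=$1; shift
    : "${TOKEN_SERVER_TRUSTSTORE_PASSWORD:?export the truststore password first}"
    if [ -n "${BASE_TRUSTSTORE:-}" ]; then
        cp "$BASE_TRUSTSTORE" "$out"
        # The JDK default truststore ships with the password "changeit"; replace it so the
        # value handed to the container is not the publicly known default.
        keytool -storepasswd -keystore "$out" -storepass changeit \
            -new "$TOKEN_SERVER_TRUSTSTORE_PASSWORD"
    fi
    for cert in "$@"; do
        alias=$(basename "$cert" | sed 's/\.[^.]*$//')
        keytool -importcert -noprompt -file "$cert" -alias "$alias" \
            -keystore "$out" -storepass "$TOKEN_SERVER_TRUSTSTORE_PASSWORD"
    done
}

# Verify the folder before it is mounted into the container.
# Returns 0 when every check passes, otherwise prints the first problem and returns 1.
check_truststore_dir() {
    dir=$1
    file="$dir/$TRUSTSTORE_FILE"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -s "$file" ] || { echo "missing or empty truststore: $file"; return 1; }
    owner=$(ls -ld "$file" | awk '{print $3}')
    [ "$owner" = "$TRUSTSTORE_OWNER" ] || {
        echo "truststore owned by $owner, expected $TRUSTSTORE_OWNER"; return 1; }
    # A world-writable truststore lets any local user add a certificate the server trusts.
    if [ "$(ls -ld "$file" | cut -c9)" = "w" ]; then
        echo "truststore is world-writable: $file"; return 1
    fi
    return 0
}

# List what the truststore actually contains, so the expected aliases can be eyeballed.
list_trusted_aliases() {
    keytool -list -keystore "$1" -storepass "$TOKEN_SERVER_TRUSTSTORE_PASSWORD"
}

# Usage: sh setup-truststore.sh clientCert.pem [more.pem ...]
# With no arguments the file only defines the functions above.
if [ $# -gt 0 ]; then
    mkdir -p "$TRUSTSTORE_DIR"
    # SELinux hosts need the label from the page so Docker may read the folder.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        chcon -Rt svirt_sandbox_file_t "$TRUSTSTORE_DIR"
    fi
    build_truststore "$TRUSTSTORE_DIR/$TRUSTSTORE_FILE" "$@"
    chown -R "$TRUSTSTORE_OWNER:$TRUSTSTORE_OWNER" "$TRUSTSTORE_DIR"
    chmod 640 "$TRUSTSTORE_DIR/$TRUSTSTORE_FILE"
    check_truststore_dir "$TRUSTSTORE_DIR"
    list_trusted_aliases "$TRUSTSTORE_DIR/$TRUSTSTORE_FILE"
fi
```

Run it once on the Docker host as root, then start the engine and admin services with TOKEN_SERVER_TRUSTSTORE_ENABLED=true and the same password; check_truststore_dir can be re-run on its own whenever the folder is touched again.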