Custom keystore
This section describes how to configure a custom keystore for the SSL listener of the Token Server. It is divided into the following subsections:
- Migrate cert and key to keystore
- Generate new keystore
- Copy
- Grant access
- Setup truststore
- Start container
Migrate cert and key to keystore
If you already have a key and certificate, you can convert them into a Java keystore as follows:
# Bundle the certificate and private key into a PKCS12 file; -name sets the alias of the entry
openssl pkcs12 -export -in cert.pem -inkey key.pem -name tokenserver -out keystore.p12
# Convert the PKCS12 file into a Java keystore (JKS)
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks
Make sure that the keystore password and the alias (key) password are the same.
Generate new keystore
Java keystore
It is possible to run the Onegini Token Server container with a custom keystore.
Create folder
Before we can use the keystore, we need a folder to store the keystore file. This folder will be mounted to the Onegini Token Server container later on.
mkdir -p /opt/onegini/data/keystore
If you are using SELinux, you need to give Docker access to this folder with the following command:
chcon -Rt svirt_sandbox_file_t /opt/onegini/data/keystore
Generate keystore
Run the following command to generate the keystore:
# -genkeypair is the current name of the legacy -genkey command
keytool -genkeypair -alias tokenserver -keyalg RSA -keystore keystore.jks
When prompted, enter the information required to generate a CSR.
Copy
Now copy the keystore into the folder created above:
cp keystore.jks /opt/onegini/data/keystore/keystore.jks
Grant access
Before the Onegini Token Server container can use the keystore, the onegini user needs access to it:
chown -R onegini:onegini /opt/onegini/data/keystore
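The migration, copy and grant-access steps above as one added shell example; it is not part of the Onegini Token Server documentation. It builds a throwaway self-signed certificate in a temporary directory so that it runs offline, exports it to PKCS12 with one password for both the store and the key entry, converts it to JKS when keytool is installed, and installs the result with owner-only permissions. The alias tokenserver, the scratch directory, the sample password and the guarded chown to the onegini account are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Onegini Token Server documentation.
# Migrates a PEM certificate and key into PKCS12/JKS keystores whose store
# password and key password are identical, then installs them for the container.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # assumed scratch directory
ALIAS="${KEYSTORE_ALIAS:-tokenserver}"     # must match TOKEN_SERVER_KEYSTORE_ALIAS
PASS="${KEYSTORE_PASS:-example-password}"  # constructed; must match TOKEN_SERVER_KEYSTORE_PASSWORD

# Constructed input: a throwaway self-signed certificate standing in for cert.pem/key.pem.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=tokenserver.example" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# PEM -> PKCS12. A PKCS12 file has a single password, so the store and key
# passwords cannot diverge here; -name sets the entry alias that keytool will see.
pem_to_p12() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -name "$ALIAS" -passout "pass:$PASS" -out "$WORK/keystore.p12"
}

# PKCS12 -> JKS. -deststorepass and -destkeypass are set to the same value on
# purpose: the Token Server expects the keystore and alias passwords to match.
p12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/keystore.p12" -srcstoretype pkcs12 -srcstorepass "$PASS" \
    -destkeystore "$WORK/keystore.jks" -deststoretype jks \
    -deststorepass "$PASS" -destkeypass "$PASS" \
    -srcalias "$ALIAS" -destalias "$ALIAS" >/dev/null 2>&1
}

# Verify that the PKCS12 MAC checks out under the given password and that the
# certificate bag carries the expected alias (friendlyName). Fails on a wrong password.
verify_p12() {
  pass="${1:-$PASS}"
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
    | grep -q "friendlyName: $ALIAS"
}

# Run the migration. The JKS conversion is skipped when keytool is not installed.
migrate() {
  make_test_cert
  pem_to_p12
  verify_p12
  if command -v keytool >/dev/null 2>&1; then
    p12_to_jks
    keytool -list -keystore "$WORK/keystore.jks" -storepass "$PASS" -alias "$ALIAS" >/dev/null 2>&1
  else
    echo "keytool not found, skipping JKS conversion" >&2
  fi
}

# Copy into the directory that will be mounted into the container, with
# owner-only permissions. chown to onegini only when running as root and that
# account exists (assumption: the same account name as in the documentation).
install_keystore() {
  dest="$1"
  mkdir -p "$dest"
  cp "$WORK/keystore.p12" "$dest/keystore.p12"
  if [ -f "$WORK/keystore.jks" ]; then
    cp "$WORK/keystore.jks" "$dest/keystore.jks"
  fi
  chmod 700 "$dest"
  chmod 600 "$dest"/keystore.*
  if [ "$(id -u)" -eq 0 ] && id onegini >/dev/null 2>&1; then
    chown -R onegini:onegini "$dest"
  fi
}
```

Run migrate and then install_keystore /opt/onegini/data/keystore (as root) to reproduce the documented layout; the password you pass in KEYSTORE_PASS is the value that later goes into TOKEN_SERVER_KEYSTORE_PASSWORD, and verify_p12 with a wrong password fails, which is a quick way to confirm that the store password you recorded is the one the file was written with.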
Setup truststore
If the server's certificate is not trusted by the default cacerts, set up a custom truststore.
Start container
Now add the following lines to docker-compose.yml:
engine:
  volumes:
    - "/opt/onegini/data/keystore:/opt/token-server/engine/data"
  ports:
and set the following Docker Compose environment variables:
TOKEN_SERVER_KEYSTORE_PASSWORD=<YOUR PASSWORD>
TOKEN_SERVER_KEYSTORE_ALIAS=<YOUR SSL KEY ALIAS>
TOKEN_SERVER_KEYSTORE_ENABLED=true
Apply the same settings to the admin Docker service if needed. Restart the container with docker-compose.