Custom keystore

This section covers configuring a custom keystore for the SSL listener of the Token Server. It is divided into two subsections: migrating an existing certificate and key into a keystore, and generating a new keystore.

Migrate cert and key to keystore

If you already have a key and certificate, you can convert them into a Java keystore as follows:

openssl pkcs12 -export -in cert.pem -inkey key.pem > keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12

Make sure that the keystore password and the key (alias) password are the same.
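The migration above as a small script, added here as an example and not part of the Onegini documentation: it bundles the PEM certificate and key into a PKCS12 file under a chosen alias, imports it into a JKS keystore using the same password for the keystore and the key entry, and then verifies that the alias exists and that the key can be unlocked with the keystore password. File paths, the alias and the password are parameters; `openssl` and `keytool` must be on the PATH.

```shell
#!/bin/sh
# Example script (not from the Onegini documentation): migrate cert.pem and
# key.pem into a JKS keystore with one password for store and key entry.
set -eu

# migrate_pem_to_jks CERT.pem KEY.pem OUT.jks ALIAS PASSWORD
migrate_pem_to_jks() {
  cert=$1 key=$2 out=$3 alias=$4 pass=$5
  tmp=$(mktemp)
  # -name sets the entry alias inside the PKCS12 bundle; the export password
  # becomes the key password, so the same value is reused for the keystore.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
    -out "$tmp" -passout "pass:$pass"
  # -destkeypass is given explicitly so the key entry password can never
  # differ from the keystore password, which the Token Server requires.
  keytool -importkeystore -noprompt \
    -srckeystore "$tmp" -srcstoretype pkcs12 -srcstorepass "$pass" \
    -srcalias "$alias" \
    -destkeystore "$out" -deststoretype jks -deststorepass "$pass" \
    -destalias "$alias" -destkeypass "$pass"
  rm -f "$tmp"
}

# verify_keystore OUT.jks ALIAS PASSWORD
# Returns 0 only if ALIAS is a private-key entry and the key unlocks with the
# keystore password: -certreq needs the private key, so it fails with
# "Cannot recover key" when the key password differs from the store password.
verify_keystore() {
  ks=$1 alias=$2 pass=$3
  keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null \
    | grep -q PrivateKeyEntry || return 1
  csr=$(mktemp)
  keytool -certreq -keystore "$ks" -storepass "$pass" -keypass "$pass" \
    -alias "$alias" -file "$csr" >/dev/null 2>&1
  rc=$?
  rm -f "$csr"
  return $rc
}
```

Run `migrate_pem_to_jks cert.pem key.pem keystore.jks tokenserver '<YOUR PASSWORD>'` followed by `verify_keystore keystore.jks tokenserver '<YOUR PASSWORD>'` before copying the keystore into place; a non-zero exit from the second call means the alias or password does not match what TOKEN_SERVER_KEYSTORE_ALIAS and TOKEN_SERVER_KEYSTORE_PASSWORD will be set to.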

Generate new keystore

Java keystore

It is possible to run the Onegini Token Server container with a custom keystore.

Create folder

Before we can use the keystore, we need a folder to store the keystore file. This folder will be mounted to the Onegini Token Server container later on.

mkdir -p /opt/onegini/data/keystore

If you are using SELinux, you need to give Docker access to this folder. To do this you can use the following command:

chcon -Rt svirt_sandbox_file_t /opt/onegini/data/keystore

Generate keystore

Run the following command to generate the keystore.

keytool -genkey -alias tokenserver -keyalg RSA -keystore keystore.jks

When prompted, enter the information required to generate a CSR.

Copy

Now we can copy the keystore to the folder we created.

cp keystore.jks /opt/onegini/data/keystore/keystore.jks

Grant access

Before we can use the keystore in the Onegini Token Server container we need to give the onegini user access to the keystore.

chown -R onegini:onegini /opt/onegini/data/keystore

Start container

Now add the following lines to docker-compose.yml:

tokenserver:
  volumes:
    - "/opt/onegini/data/keystore:/opt/data/keystore"
  ports:

and edit the following Docker Compose environment variables:

TOKEN_SERVER_KEYSTORE_PASSWORD=<YOUR PASSWORD>
TOKEN_SERVER_KEYSTORE_ALIAS=<YOUR SSL KEY ALIAS>

Restart the container with docker-compose.