Custom truststore
This section covers configuring a custom truststore for the Token Server.
It is possible to run the Token Server container with a custom truststore. The truststore defines the certificates that the Token Server trusts when it opens SSL connections to external systems, such as a database.
This section is divided into the following subsections:
Create folder
Generate truststore
Copy
Grant access
Start container
Import certificates
Create folder
Before we can use the truststore, we need a folder to store the truststore file. This folder will be mounted into the Onegini Token Server container later on.
mkdir -p /opt/onegini/data/truststore
If you are using SELinux, you need to give Docker access to this folder. To do this you can use the following command:
chcon -Rt svirt_sandbox_file_t /opt/onegini/data/truststore
Generate truststore
Run the following command to generate the truststore file.
keytool -genkey -alias tokenserver -keyalg RSA -keystore truststore.jks
When prompted, enter the certificate details that keytool asks for and set a keystore password. Keep this password at hand: it is the value you will set as TOKEN_SERVER_TRUSTSTORE_PASSWORD when starting the container.
Copy
Now we can copy the truststore to the folder we created.
cp truststore.jks /opt/onegini/data/truststore/truststore.jks
Grant access
Before we can use the truststore in the Onegini Token Server container, we need to give the onegini user access to the truststore.
chown -R onegini:onegini /opt/onegini/data/truststore
Start container
Now add the following volume mapping to the tokenserver service in docker-compose.yml:
tokenserver:
  volumes:
    - "/opt/onegini/data/truststore:/opt/data/truststore"
  ports:
and set the following Docker Compose environment variables, using the password chosen when the truststore was generated:
TOKEN_SERVER_TRUSTSTORE_ENABLED=true
TOKEN_SERVER_TRUSTSTORE_PASSWORD=<YOUR PASSWORD>
Restart the container with docker-compose so that the new volume and environment variables take effect.
Import certificates
If the Onegini Token Server needs to connect to a server over SSL, you need to trust that server's certificate before the Onegini Token Server can make the connection. If you do not import the SSL certificate, you will get an exception. Import it into the truststore file in the mounted folder (or copy the updated file there again) and restart the container afterwards.
keytool -import -alias apple-push -file apple-push.crt -keystore truststore.jks
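The steps above, combined into one non-interactive helper that also verifies the import. This is an added example, not part of the original page or the Onegini product: the function name, the placeholder key pair's distinguished name and the use of -storepass/-dname instead of interactive prompts are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): builds a Token Server truststore
# without prompts and checks that the imported certificate is really present.
set -eu

# build_truststore DIR CERT_FILE ALIAS PASSWORD
# Creates DIR/truststore.jks if it does not exist, imports CERT_FILE under
# ALIAS (skipping the import when ALIAS is already there) and verifies the
# alias. PASSWORD must equal the TOKEN_SERVER_TRUSTSTORE_PASSWORD value.
build_truststore() {
    dir=$1; cert=$2; alias=$3; pass=$4
    ts="$dir/truststore.jks"
    mkdir -p "$dir"
    if [ ! -f "$ts" ]; then
        # Same as the page's -genkey step, but with -dname so nothing is
        # prompted. The placeholder key pair only serves to create the file.
        keytool -genkeypair -alias tokenserver -keyalg RSA -keysize 2048 \
            -dname "CN=tokenserver-truststore" -storetype JKS \
            -keystore "$ts" -storepass "$pass" -keypass "$pass" >/dev/null 2>&1
    fi
    if ! keytool -list -alias "$alias" -storetype JKS \
            -keystore "$ts" -storepass "$pass" >/dev/null 2>&1; then
        # -noprompt answers the "Trust this certificate?" question for you,
        # so only use it for a certificate whose fingerprint you have checked.
        keytool -importcert -alias "$alias" -file "$cert" -storetype JKS \
            -keystore "$ts" -storepass "$pass" -noprompt >/dev/null
    fi
    # Verification: keytool -list exits non-zero when the alias is missing,
    # which makes the function fail instead of silently shipping a truststore
    # that would still raise an exception in the Token Server.
    keytool -list -alias "$alias" -storetype JKS \
        -keystore "$ts" -storepass "$pass" >/dev/null 2>&1
}

# Usage with the paths from this page (run as root so chown works):
#   build_truststore /opt/onegini/data/truststore apple-push.crt apple-push "$PASS"
#   chown -R onegini:onegini /opt/onegini/data/truststore
```

Running the function a second time with the same alias is harmless, so it can be re-run after adding further certificates.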