This section covers configuring a custom truststore for the Token Server.
It is possible to run the Token Server container with a custom truststore. The truststore defines the certificates that the Token Server trusts when it creates an SSL connection socket. This covers connections to external systems or a database and, if applicable, the server's own certificate configured via the keystore.
Before we can use the truststore, we need a folder to store the truststore file. This folder will be mounted into the Onegini Token Server container later on.
mkdir -p /opt/onegini/data/truststore
If you are using SELinux, you need to give Docker access to this folder. To do this you can use the following command:
chcon -Rt svirt_sandbox_file_t /opt/onegini/data/truststore
Generate the truststore by importing the certificate(s) you want to trust.
keytool -importcert -file clientCert.pem -alias token-server -keystore truststore.jks
Once prompted, enter the truststore password. The same password must be provided to the application via the TOKEN_SERVER_TRUSTSTORE_PASSWORD environment variable, as described later.
If you would like to trust the imported certificates in addition to the generally trusted root CAs, you have to use (a copy of) the default truststore as a base, because a truststore created with the keytool command above contains only the certificates you import. Typically the default truststore is located under
Now we can copy the truststore to the folder we created.
cp truststore.jks /opt/onegini/data/truststore/truststore.jks
Before we can use the truststore in the Onegini Token Server container, we need to give the onegini user access to the truststore.
chown -R onegini:onegini /opt/onegini/data/truststore
Now add the following volume mount to the docker-compose.yml:
engine:
  volumes:
    - "/opt/onegini/data/truststore:/opt/data/truststore"
  ports:
and edit the following Docker Compose environment variables:
TOKEN_SERVER_TRUSTSTORE_ENABLED=true
TOKEN_SERVER_TRUSTSTORE_PASSWORD=<YOUR PASSWORD>
Apply the same settings to the admin Docker service. Then restart the containers with docker-compose.
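A preflight script that checks the steps above before the containers are restarted: the truststore file exists and is owned by the onegini user, docker-compose.yml mounts the folder and sets the two TOKEN_SERVER_TRUSTSTORE_* variables for both the engine and admin services with a real password, and the password opens the truststore and finds the token-server alias. This is an added example, not part of the Onegini documentation; it assumes the compose file uses the `KEY=value` environment entries shown above and that keytool (from a JDK) is installed on the host.

```shell
#!/bin/sh
# Preflight for the truststore setup on this page (added example, not Onegini code).
# Paths, the "onegini" owner, the "token-server" alias and the TOKEN_SERVER_TRUSTSTORE_*
# variables are the ones used in the steps above.

# The truststore must exist and belong to the user the container runs as,
# otherwise the Token Server cannot read it once the volume is mounted.
check_truststore_file() {
  f="$1"; want_owner="$2"
  [ -f "$f" ] || { echo "missing truststore: $f"; return 1; }
  owner=$(ls -ld "$f" | awk '{print $3}')   # works with both GNU and BSD userland
  [ "$owner" = "$want_owner" ] || { echo "$f is owned by $owner, expected $want_owner"; return 1; }
}

# docker-compose.yml must mount the truststore folder and enable the truststore in
# every service (engine and admin = 2) with a real password: neither empty nor the
# <YOUR PASSWORD> placeholder from the documentation.
check_compose() {
  cf="$1"; services="$2"
  [ -f "$cf" ] || { echo "compose file not found: $cf"; return 1; }
  grep -q '/opt/onegini/data/truststore:/opt/data/truststore' "$cf" \
    || { echo "truststore volume mount missing in $cf"; return 1; }
  enabled=$(grep -c 'TOKEN_SERVER_TRUSTSTORE_ENABLED=true' "$cf" || true)
  passwords=$(grep -c 'TOKEN_SERVER_TRUSTSTORE_PASSWORD=' "$cf" || true)
  [ "$enabled" -ge "$services" ] && [ "$passwords" -ge "$services" ] \
    || { echo "enabled in $enabled, password in $passwords service(s); need $services"; return 1; }
  if grep -Eq 'TOKEN_SERVER_TRUSTSTORE_PASSWORD=(<YOUR PASSWORD>)?[[:space:]]*$' "$cf"; then
    echo "TOKEN_SERVER_TRUSTSTORE_PASSWORD is empty or still the placeholder in $cf"; return 1
  fi
}

# The password must open the truststore and the imported alias must be present.
# Skipped when keytool is not installed. The password is read from the environment
# rather than typed on the command line so it does not end up in shell history.
check_truststore_alias() {
  f="$1"; entry="$2"; pw="$3"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping alias check"; return 0; }
  keytool -list -keystore "$f" -storepass "$pw" -alias "$entry" >/dev/null 2>&1 \
    || { echo "alias '$entry' not found in $f, or wrong password"; return 1; }
}

# Usage: TOKEN_SERVER_TRUSTSTORE_PASSWORD=... sh preflight.sh docker-compose.yml
main() {
  ts=/opt/onegini/data/truststore/truststore.jks
  check_truststore_file "$ts" onegini \
    && check_compose "$1" 2 \
    && check_truststore_alias "$ts" token-server "${TOKEN_SERVER_TRUSTSTORE_PASSWORD:?must be set}" \
    && echo "truststore preflight OK"
}
if [ "$#" -gt 0 ]; then main "$1"; fi
```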