Configuring secure connections (10.1 release)

Release 10.1 (Beta)

After migration, configure secure connections as follows.

  1. Go to the <liberty_directory>/usr/servers/<instance_name>/resources/security directory by using the following command.

    cd <liberty_directory>/usr/servers/<instance_name>/resources/security
    
  2. If you use the default keystore key.p12, complete the following steps.
    • Export the public certificate of the Liberty server. The alias default is created by default by Application Server.
    • The default password used by the keystore is mobilefirst.
    • If you use a custom alias and password, modify the parameters in the following command accordingly.
      keytool -exportcert \
      -alias default \
      -keystore "key.p12" \
      -storetype PKCS12 \
      -storepass "<storepass>" \
      -rfc \
      -file "<file_name>.crt"
      
  3. Create trust.p12 and import the Liberty Server public certificate by using the following command.

    keytool -importcert \
    -noprompt \
    -trustcacerts \
    -alias default \
    -file "<file_name>.crt" \
    -keystore "trust.p12" \
    -storetype PKCS12 \
    -storepass "<trustpassword>"
    
  4. Import third-party certificates (if any).

    Import any additional third-party certificates (for example, FCM) by using the following command.

    keytool -importcert \
    -noprompt \
    -trustcacerts \
    -alias <ALIAS> \
    -file "<file_name>.crt" \
    -keystore "trust.p12" \
    -storetype PKCS12 \
    -storepass "<trustpassword>"
    
  5. To ensure compatibility with external services and certificate chains, import Java cacerts into the trust.p12 by using the following command.

    The default password of the Java cacerts keystore is changeit.

    keytool -importkeystore \
    -srckeystore "$JAVA_HOME/lib/security/cacerts" \
    -srcstoretype JKS \
    -srcstorepass "<storepass>" \
    -destkeystore "trust.p12" \
    -deststoretype PKCS12 \
    -deststorepass "<trustpassword>" \
    -noprompt
    
  6. Update JVM options.

    Add the following parameters to the <liberty-instance-directory>/jvm.options file.

       -Djavax.net.ssl.trustStore=./resources/security/trust.p12
       -Djavax.net.ssl.trustStorePassword=<trustpassword>
       -Djavax.net.ssl.trustStoreType=PKCS12
    
  7. Add the following SSL configuration elements to <liberty_directory>/usr/servers/<instance_name>/server.xml if they are not already present.

    <ssl id="defaultSSLConfig" trustDefaultCerts="true" />
    <keyStore id="defaultKeyStore" password="mobilefirst"/>
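
A quick check of the results of steps 6 and 7, as an added example that is not part of the product documentation. The names check_secure_config and demo are hypothetical, the sample files are constructed, and the script assumes each server.xml element opens on a single line.

```shell
#!/bin/sh
# Added example, not product code: check the outcome of steps 6 and 7.
# Prints one line per finding; returns 0 only when there are none.
check_secure_config() {
    jvm_file=$1   # path to jvm.options
    xml_file=$2   # path to server.xml
    findings=0

    # Step 6: each trust store property must be present with a value.
    for prop in trustStore trustStorePassword trustStoreType; do
        if ! grep -Eq "^[[:space:]]*-Djavax\.net\.ssl\.${prop}=.+" "$jvm_file"; then
            echo "jvm.options: missing -Djavax.net.ssl.${prop}"
            findings=$((findings + 1))
        fi
    done

    # trust.p12 is created as PKCS12 in step 3, so the declared type must match.
    store_type=$(sed -n 's/^[[:space:]]*-Djavax\.net\.ssl\.trustStoreType=//p' \
        "$jvm_file" | tail -n 1 | tr -d '[:space:]')
    if [ -n "$store_type" ] && [ "$store_type" != "PKCS12" ]; then
        echo "jvm.options: trustStoreType is $store_type, expected PKCS12"
        findings=$((findings + 1))
    fi

    # Step 7: both elements must exist (assumes each element opens on one line).
    for pair in ssl:defaultSSLConfig keyStore:defaultKeyStore; do
        tag=${pair%%:*}; id=${pair#*:}
        if ! grep -Eq "<${tag}[[:space:]][^>]*id=\"${id}\"" "$xml_file"; then
            echo "server.xml: missing <${tag} id=\"${id}\">"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: no password line, wrong store type, no keyStore element.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-Djavax.net.ssl.trustStore=./resources/security/trust.p12' \
        '-Djavax.net.ssl.trustStoreType=JKS' > "$d/jvm.options"
    printf '%s\n' '<server>' \
        '  <ssl id="defaultSSLConfig" trustDefaultCerts="true" />' \
        '</server>' > "$d/server.xml"
    check_secure_config "$d/jvm.options" "$d/server.xml" && rc=0 || rc=1
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to see the three findings for the constructed sample, or call check_secure_config with the paths to the real jvm.options and server.xml files.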
    