On 11/28/2017 12:01 PM, Markovich via FreeIPA-users wrote:
Hello FreeIPA community!
I'm a bit confused about the JKS "/etc/pki/java/cacerts".
Am I right that the default password for this JKS is "changeit"?
Can I change this password? If yes, should it be the same on all hosts connected to
FreeIPA?
Will it be a problem later for FreeIPA? Should I somehow tell FreeIPA this password?
Also, what is the best practice to tell Java to trust the FreeIPA CA?
Regards,
Andrey
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
in order to configure your truststore in a Java application, you can either
- launch the Java app with -Djavax.net.ssl.trustStore=/path/to/keystore
- define the value in the Java code with
System.setProperty("javax.net.ssl.trustStore", "/path/to/keystore")
- if javax.net.ssl.trustStore is not defined, then Java will look in
$java-home/lib/security/jssecacerts or $java-home/lib/security/cacerts
(see the JSSE Reference Guide [1]).
If you are using OpenJDK for instance, $java-home/lib/security/cacerts
is a link to /etc/pki/java/cacerts. The default password is "changeit",
and this keystore can be modified using update-ca-trust(8).
I don't think that FreeIPA is relying on this file. For instance Dogtag
(the CA component) is running inside Tomcat and is using
/etc/pki/pki-tomcat/alias, which is an NSS database.
Flo
[1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSE...
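As an added example (not from this thread and not FreeIPA's own tooling), the following POSIX shell script makes the lookup order described in the reply concrete and shows one answer to the last question: leave the JDK's cacerts and its "changeit" password alone, put the IPA CA into an application-specific truststore, and point the JVM at that file. It assumes a Linux FreeIPA client where ipa-client-install has written the CA certificate to /etc/ipa/ca.crt and that the JDK's keytool is on PATH for the import step; the function names, the alias "ipa-ca" and the PKCS12 store type are the example's own choices, and the JDK 8 "jre/lib/security" location is included because JAVA_HOME often points at the JDK rather than the bundled JRE.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread above; not code from FreeIPA.
# Assumptions: a Linux FreeIPA client where ipa-client-install wrote the CA
# to /etc/ipa/ca.crt, and a JDK whose keytool is on PATH for the import step.

# resolve_truststore JAVA_HOME [TRUSTSTORE_PROPERTY]
# Prints the file a JVM will use as its truststore, in the order given in the
# reply: an explicit javax.net.ssl.trustStore wins; otherwise jssecacerts,
# then cacerts, under $JAVA_HOME/lib/security (JDK 9+) or
# $JAVA_HOME/jre/lib/security (JDK 8 when JAVA_HOME points at the JDK).
resolve_truststore() {
    java_home=$1
    prop=$2
    if [ -n "$prop" ]; then
        printf '%s\n' "$prop"
        return 0
    fi
    for dir in "$java_home/lib/security" "$java_home/jre/lib/security"; do
        for name in jssecacerts cacerts; do
            if [ -f "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
    done
    return 1
}

# real_truststore PATH
# Follows symlinks, so you can see whether the JDK's cacerts really is the
# update-ca-trust(8)-managed /etc/pki/java/cacerts (Fedora/RHEL OpenJDK).
real_truststore() {
    readlink -f "$1"
}

# opens_with_default_password STORE
# Returns 0 if keytool can open STORE with the stock "changeit" password.
opens_with_default_password() {
    keytool -list -keystore "$1" -storepass changeit >/dev/null 2>&1
}

# import_ipa_ca STORE PASSWORD CACERT
# Creates (or adds to) an application-specific PKCS12 truststore holding the
# IPA CA under the alias "ipa-ca" (example's own alias). Keeping this separate
# from the JDK's cacerts means the system file and its "changeit" password
# stay untouched, and FreeIPA never needs to know the password. Point the
# application at it with:
#   -Djavax.net.ssl.trustStore=STORE -Djavax.net.ssl.trustStorePassword=PASSWORD
import_ipa_ca() {
    store=$1
    pass=$2
    cacert=$3
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
    [ -r "$cacert" ] || { echo "cannot read $cacert" >&2; return 2; }
    # keytool refuses to reuse an existing alias, so a re-run fails here.
    keytool -importcert -noprompt -trustcacerts -alias ipa-ca \
        -file "$cacert" -keystore "$store" -storetype PKCS12 \
        -storepass "$pass" >/dev/null || return 1
    # Show what was imported; compare the fingerprint with
    #   openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256
    keytool -list -keystore "$store" -storepass "$pass" -alias ipa-ca
}

# Usage: sh trust-ipa-ca.sh JAVA_HOME STORE PASSWORD [CACERT]
if [ $# -ge 3 ]; then
    if ts=$(resolve_truststore "$1"); then
        echo "default truststore: $ts -> $(real_truststore "$ts")"
        if opens_with_default_password "$ts"; then
            echo "note: $ts still opens with the default password \"changeit\""
        fi
    fi
    import_ipa_ca "$2" "$3" "${4:-/etc/ipa/ca.crt}"
fi
```

Run it as `sh trust-ipa-ca.sh /usr/lib/jvm/jre /etc/myapp/truststore.p12 'S3parate-pass'` and start the application with the two -Djavax.net.ssl.* properties printed in the comments. Because the application-specific store is a separate file, the question of whether "changeit" must match across hosts does not arise: each host can carry its own password, and update-ca-trust(8) continues to regenerate /etc/pki/java/cacerts without touching it.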