FlexDeploy runs on Tomcat, so we adjust the Tomcat settings to point at our own keystore. You could use the default cacerts store instead, but changes to it are lost when you upgrade Java. A separate keystore lets you upgrade Java without losing your certificates. However, it also means that the CA certificates must be imported from the cacerts file, and that import should be repeated each time Java is updated in case the cacerts were modified.

Process

1. Create the keystore as a copy of your current cacerts.

Code Block
keytool -importkeystore -srckeystore <cacerts_path> -srcstorepass <cacerts_pass> -destkeystore <new_keystore_path> -deststorepass <new_keystore_pass> -v -noprompt

2. Import into it all of your special certificates for on-prem servers that don't chain to a root CA in the cacerts. Make sure that the aliases are unique.

Code Block
keytool -importcert -keystore <new_keystore_path> -storepass <new_keystore_pass> -file <cert_file> -alias <alias>

3. Modify the setenvoverride.sh file.

...

Code Block
FLEXAGON_FD_JAVA_ARGS="-Djavax.net.ssl.keyStore=<new_keystore_path> -Djavax.net.ssl.keyStorePassword=<new_keystore_pass>"

If other Java arguments are already present, keep them and add these new ones, separated by spaces.

Updating it after a Java update

Repeat the import from cacerts into the keystore.

Code Block
keytool -importkeystore -srckeystore <cacerts_path> -srcstorepass <cacerts_pass> -destkeystore <new_keystore_path> -deststorepass <new_keystore_pass> -v -noprompt
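
The re-import above runs with -noprompt, so an entry in cacerts that shares an alias with one of your own certificates overwrites it without asking, which is why step 2 asks for unique aliases. The following pre-check is an added example, not part of FlexDeploy or the original page; the function names, file names and sample listing are hypothetical, and it assumes you keep your own aliases in a text file, one per line.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.
# Real use before the re-import: list_aliases <cacerts_path> <cacerts_pass> > ca.txt;
# normalise_aliases < my_aliases.txt > mine.txt; clashes ca.txt mine.txt

# Read `keytool -list -rfc` output on stdin and print the aliases, lower-cased
# (JKS and PKCS12 keystores compare aliases case-insensitively), sorted, unique.
aliases_from_listing() {
    sed -n 's/^Alias name: //p' | tr '[:upper:]' '[:lower:]' | sort -u
}

# list_aliases <keystore> <storepass>; forces English labels for the parser.
list_aliases() {
    keytool -J-Duser.language=en -list -rfc -keystore "$1" -storepass "$2" |
        aliases_from_listing
}

# Normalise a hand-maintained alias list (one alias per line) on stdin.
normalise_aliases() { tr '[:upper:]' '[:lower:]' | sort -u; }

# clashes <cacerts_alias_file> <custom_alias_file>
# Prints each custom alias that also exists in cacerts; returns 1 if any do.
clashes() {
    found=$(comm -12 "$1" "$2")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: trimmed listing of a freshly updated cacerts.
sample_cacerts_listing() {
    cat <<'EOF'
Alias name: exampleroot-g2 [jdk]
Entry type: trustedCertEntry

Alias name: InternalCA
Entry type: trustedCertEntry
EOF
}

# Offline demo: which of our custom aliases would be overwritten?
demo() {
    a=$(mktemp) && b=$(mktemp) || return 2
    sample_cacerts_listing | aliases_from_listing > "$a"
    printf 'onprem-git\ninternalca\n' | normalise_aliases > "$b"
    clashes "$a" "$b" && rc=0 || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}
```

If clashes reports anything, re-import the affected certificate under a new alias before running the -importkeystore step.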