Specifying a keystore for FlexDeploy to use

If you need to add certificates for local connections, for example to a self-hosted Jira or ServiceNow server, follow this guide.

Background

FlexDeploy runs on Tomcat, so we adjust the Tomcat settings to point Java at our own keystore. You could instead add the certificates to the JDK's default cacerts store, but those changes are lost whenever Java is upgraded. A separate keystore survives a Java upgrade and keeps your certificates. The trade-off is that the JDK's default trusted CAs must be copied from the cacerts file into your keystore, and that copy should be repeated after each Java update in case the cacerts contents changed.

Process

1 Create the keystore as a copy of your current cacerts.

keytool -importkeystore -srckeystore <cacerts_path> -srcstorepass <cacerts_pass> -destkeystore <new_keystore_path> -deststorepass <new_keystore_pass> -v -noprompt


2 Import into it all the certificates for on-prem servers that don't chain to a root CA already present in cacerts. Make sure the aliases are unique, so that a new certificate never silently replaces one already trusted.

keytool -importcert -keystore <new_keystore_path> -storepass <new_keystore_pass> -file <cert_file> -alias <alias>


3 Modify the setenvoverride.sh file.

Find the FLEXAGON_FD_JAVA_ARGS line and set the truststore system properties. Use javax.net.ssl.trustStore, not javax.net.ssl.keyStore: the keyStore properties configure the client's own identity certificate, not which server certificates are trusted.

FLEXAGON_FD_JAVA_ARGS="-Djavax.net.ssl.trustStore=<new_keystore_path> -Djavax.net.ssl.trustStorePassword=<new_keystore_pass>"

If other Java arguments are already present, keep them and append these new ones, separated by spaces. Because the truststore password now sits in setenvoverride.sh, restrict read access on that file and on the truststore to the account that runs FlexDeploy.


Updating it after a Java update

Repeat the import from cacerts into the keystore (step 1). Entries with the same alias are refreshed from the new cacerts; the certificates you added in step 2 keep their own aliases and are left untouched.
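The three steps above and the post-update refresh, as an added shell example that is not FlexDeploy's own tooling. The paths, passwords and the truststore file name are placeholders to be overridden through environment variables; the functions wrap the same keytool commands shown in the steps and refuse to reuse an alias.

```shell
#!/bin/sh
# Added example, not FlexDeploy's own tooling. Paths and passwords below are
# placeholders; override them via environment variables for your installation.
set -eu

CACERTS="${CACERTS:-${JAVA_HOME:-/path/to/jdk}/lib/security/cacerts}"  # JDK default trust store
CACERTS_PASS="${CACERTS_PASS:-changeit}"                               # JDK default password
TRUSTSTORE="${TRUSTSTORE:-/opt/flexdeploy/flexdeploy-truststore.p12}"  # hypothetical location
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# Step 1, and again after every Java update: copy all JDK CAs into the custom
# truststore. -noprompt overwrites entries with the same alias; entries you added
# yourself (aliases not present in cacerts) are left untouched.
refresh_from_cacerts() {
  keytool -importkeystore -srckeystore "$CACERTS" -srcstorepass "$CACERTS_PASS" \
    -destkeystore "$TRUSTSTORE" -deststorepass "$TRUSTSTORE_PASS" -noprompt >/dev/null 2>&1
}

# Succeeds (exit 0) only if the alias already exists in the custom truststore.
has_alias() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" -alias "$1" >/dev/null 2>&1
}

# Step 2: import one on-prem certificate, refusing to reuse an existing alias so a
# new certificate never silently replaces one that is already trusted.
add_cert() {
  cert_file="$1"; cert_alias="$2"
  if has_alias "$cert_alias"; then
    echo "alias '$cert_alias' already exists in $TRUSTSTORE; pick a unique alias" >&2
    return 1
  fi
  keytool -importcert -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
    -file "$cert_file" -alias "$cert_alias" -noprompt >/dev/null 2>&1
}

# Step 3: the line to put in setenvoverride.sh. These are the trustStore properties;
# javax.net.ssl.keyStore would configure FlexDeploy's own client certificate instead.
java_args_line() {
  printf 'FLEXAGON_FD_JAVA_ARGS="-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' \
    "$TRUSTSTORE" "$TRUSTSTORE_PASS"
}

# Typical use: refresh_from_cacerts; add_cert /path/to/jira.pem jira-onprem; java_args_line
```

Run refresh_from_cacerts again after each Java update; the added aliases survive because keytool only touches entries present in the source cacerts.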
