Keystores
If you set up your environment for SSL, you have to set up a keystore. As part of the process, you configure a keystore provider.
SSL uses keys and certificates when it establishes the secure connection. A keystore is a database of keys and certificates. A keystore password is required to access or modify the keystore.
Access to keystores is provided by a Keystore Provider resource instance. Keystores can be stored internally in Administrator or externally.
ActiveMatrix Administrator Default Keystore
In TIBCO ActiveMatrix, access to keystores is provided by a Keystore Provider resource instance. When you create an Administrator server, TIBCO ActiveMatrix includes a default keystore provider resource template named tibco.admin.default.keystore, which references the default keystore CONFIG_HOME/admin/amxadmin/shared/repo/trunk/artifacts/keystore/admin_default_keystore.jceks.
Keystore Entries
A keystore has two types of entries:
- Private key - holds a cryptographic private key, which is optionally stored in a protected format to prevent unauthorized access. The private key is accompanied by a certificate chain for the corresponding public key. Private keys and certificate chains are used by a given entity for self-authentication.
- Trusted certificate - contains a single public key certificate. It is called a trusted certificate because the keystore owner trusts that the public key in the certificate belongs to the identity identified by the subject (owner) of the certificate. This type of entry can be used to authenticate other parties.
Certificates of trusted entities are typically imported into a keystore as trusted certificates.
Keystore Entries and Aliases
Each entry in a keystore is identified by an alias. In the case of private keys and their associated certificate chains, these aliases distinguish among the different ways in which the entity may authenticate itself. For example, the entity may authenticate itself using different certificate authorities, or using different public key algorithms. An alias might be named after the role in which the keystore owner uses the associated key, or might identify the purpose of the key.
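As an added example (not part of the TIBCO documentation or product), the following Java program uses the standard java.security.KeyStore API to open a JCEKS keystore such as the Administrator default keystore and list every alias by entry type, showing the certificate chain of each private key entry and the single certificate of each trusted certificate entry, and flagging certificates that are expired or not yet valid. It assumes the keystore path is given as the only argument and that the keystore password is entered interactively from a terminal.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
// Opens a JCEKS keystore and lists each alias by entry type (private key with its
// certificate chain, or trusted certificate), flagging certificates outside validity.
public class KeystoreAudit {
    // Subject, expiry and validity status of one certificate.
    static String describe(Certificate cert) {
        if (!(cert instanceof X509Certificate)) {
            return cert.getType() + " certificate";
        }
        X509Certificate x = (X509Certificate) cert;
        String status = "valid";
        try {
            x.checkValidity(); // throws if the certificate is expired or not yet valid
        } catch (CertificateException e) {
            status = e.getClass().getSimpleName();
        }
        return x.getSubjectX500Principal().getName() + " (notAfter " + x.getNotAfter() + ", " + status + ")";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): java KeystoreAudit <keystore.jceks>");
            System.exit(2);
        }
        // Assumption: the password is read interactively so it never appears on the command line.
        char[] password = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // a wrong password fails the keystore integrity check
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                // Trusted certificate entry: a single public key certificate
                System.out.println("[trusted cert] " + alias + ": " + describe(ks.getCertificate(alias)));
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias); // null for a secret-key entry
                System.out.println("[key entry]    " + alias + (chain == null ? " (secret key, no chain)" : ", chain length " + chain.length));
                for (int i = 0; chain != null && i < chain.length; i++) {
                    System.out.println("    " + describe(chain[i]));
                }
            }
        }
        Arrays.fill(password, '\0'); // scrub the password from memory
    }
}
```

A key entry whose chain is null is a symmetric secret key, which JCEKS can also store; only private key entries carry the certificate chain described above.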