The Java Trusted Authority Certificate File

The trustedjksname parameter defines the file that contains the list of certificate authorities that are trusted when validating a certificate.

All certificates are issued by certificate authorities (CA). When you want to validate a certificate, in addition to validating the certificate itself, you have to ensure that the CA that issued the certificate is valid as well.

By default, Java has a trustedjksname file that contains a group of common certificate authorities. The file name is cacerts and this file is contained in the JRE runtime library under the …lib/security directory. In many, if not most, cases the certificate authorities that are contained in the default Java certificate file are sufficient, and no further work has to be done. In this case, you can let the trustedjksname parameter default. Java will then pick up its default trusted certificate authority file, called …lib/security/cacerts. You should, however, specify the trustedjkspwd parameter to define the password of the default certificate file. This can be done in clear text in the Global.xml file or encrypted by the EncryptPassword action command.

In cases where the server certificate was not issued by one of the default trusted authorities, you will have to add the server certificate to the Java trusted certificate authority file (cacerts). To do this, you need the server CA certificate in Base64 format. Then you can issue the following Java command to add this certificate to the trusted certificate authority file:

keytool -import
         -keystore "c:\program files\java\jre1.8.0_66\lib\security\cacerts"
         -alias MFTCommandCenterServerKey
         -file cacert.file
         -storepass changeit

Note: This command should be typed as a single line. The keystore path is quoted because it contains a space.

  • -keystore: specifies the name and location of a keystore.

    You should point to the default Java keystore.

  • -alias: specifies the unique name for this certificate key.

    If you do not specify this parameter, a default value of mykey will be assigned.

  • -file: specifies the certificate file name in Base64 format.
  • -storepass: specifies the password for the cacerts keystore.

    This parameter is the password that you must configure as trustedjkspwd within the TIBCO MFT Command Center Global.xml file. The default password is changeit.

After entering the command, you will be asked to confirm the request. After confirming the request, the certificate will be added to the trusted certificate authority file. Now, when your client makes a request to the TIBCO MFT Command Center server, the certificate of the TIBCO MFT Command Center server will authenticate correctly.
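
The import above, wrapped with the checks worth running around it: compare the certificate's SHA-256 fingerprint with a value confirmed out of band, back up cacerts, import, and confirm the stored entry. This is an added example, not TIBCO's own script; the keytool location, the $expected placeholder, the backup file name and the reliance on keytool's English "SHA256:" label are assumptions.

```powershell
# Added example. Run from an elevated prompt: cacerts lives under Program Files.
$jreHome   = 'C:\Program Files\Java\jre1.8.0_66'    # JRE path used on this page
$keytool   = Join-Path $jreHome 'bin\keytool.exe'   # assumption: keytool is in the JRE bin directory
$cacerts   = Join-Path $jreHome 'lib\security\cacerts'
$certFile  = 'cacert.file'                          # Base64 CA certificate, as on this page
$alias     = 'MFTCommandCenterServerKey'
$storePass = 'changeit'                             # default password per this page
$expected  = 'REPLACE-WITH-SHA256-FINGERPRINT'      # placeholder: value confirmed out of band

# 1. Read the fingerprint of the certificate that is about to be trusted.
$printed = & $keytool -printcert -file $certFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $certFile" }
$match = $printed | Select-String -Pattern 'SHA256:\s*([0-9A-Fa-f:]+)' | Select-Object -First 1
if (-not $match) { throw 'No SHA256 fingerprint found in keytool output' }
$actual = $match.Matches[0].Groups[1].Value.ToUpper()
if ($actual -ne $expected.ToUpper()) { throw "Fingerprint mismatch, not importing: $actual" }

# 2. Keep a timestamped copy of the trust store so the change can be rolled back.
$backup = "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -Path $cacerts -Destination $backup

# 3. Import with the same options as the command on this page.
#    keytool still asks for confirmation, as the page describes.
& $keytool -import -keystore $cacerts -alias $alias -file $certFile -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool -import failed; backup is at $backup" }

# 4. Confirm the entry is present and show its details.
& $keytool -list -v -keystore $cacerts -alias $alias -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "Alias $alias is not in $cacerts" }
```

Every Java application that runs on this JRE and uses the default trust store will trust the imported CA, which is why the fingerprint is checked before the import rather than after.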