Java Trusted Authority Certificate File Settings
The trustedjksname parameter defines the file that contains the list of certificate authorities that are trusted when validating a certificate.
All certificates are issued by Certificate Authorities (CA). When you want to validate a certificate, in addition to validating the certificate itself, you must ensure that the CA that issued the certificate is valid as well.
By default, Java has a trustedjksname file that contains a group of common Certificate Authorities. The file name is cacerts and this file is contained in the JRE runtime library under the …lib/security directory. In many, if not most cases, the Certificate Authorities that are contained in the default Java certificate file are sufficient, and no further work needs to be done. In this case, you can let the trustedjksname parameter default. Java then pick up its default trusted Certificate Authority file called: …lib/security/cacerts. You should however, specify the trustedjkspwd file to define the password of the default certificate file. This can be done in clear text in the Global.xml file or encrypted by the EncryptPassword action command.
In cases where the server certificate is not issued by one of the default trusted authorities, you have to add the Server certificate to the Java Trusted Certificate Authority file (cacert). To do this, you must have the Server CA certificate in Base64 format. Then you can issue the following Java command to add this certificate to the trusted certificate authority file:
keytool -import -keystore c:\program files\java\jre1.8.0_66\lib\security\cacerts -alias MFTCommandCenterServerKey -file cacert.file -storepass changeit
Descriptions for parameters in this command are as follows:
- -keystore: specifies the name and location of a keystore. You should point to the default Java keystore.
- -alias: this is the unique name for this certificate key. If you do not specify this parameter there is a default value of mykey assigned.
- -file: contains the certificate file name in Base64 format.
- -storepass: specifies the password for the cacerts keystore. This is the password that you must configure as trustedjskpwd within the TIBCO MFT Internet Server Global.xml file. The default password is “changeit”.
After entering the command, you are prompted to confirm the request. After confirming the request, the certificate is added to the trusted certificate authority file. Now, when your client makes a request to TIBCO MFT Internet Server the certificate of TIBCO MFT Internet Server authenticates correctly.