OpenAM / OPENAM-16571

Wrong suggestion for truststore settings


    Details

    • AM 7 Must Doc

      Description

      In what is presently step 3 of https://ea.forgerock.com/docs/am/install-guide/prepare-configuration-store.html#prepare-ds-for-config, the suggestion when trusting connections to the external directory is to add a truststore to the Tomcat connector:

      truststoreFile="/path/to/tomcat-truststore.jceks"
      truststorePass="truststore_password"
      truststoreType="JCEKS"

      This, however, is for connection to Tomcat. When you set things up that way, AM cannot connect to DS over TLS.

      When AM is connecting from inside Tomcat over a secure connection to an external application, such as DS, the truststore needs to be available from inside Tomcat. For example, https://stackoverflow.com/questions/21833732/configure-truststore-in-tomcat.

      My hackaround on the laptop was to add options to tomcat/bin/catalina.sh before starting Tomcat:

      CATALINA_OPTS="-server -Xmx2g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m -Djavax.net.ssl.trustStore=/path/to/opendj/config/keystore -Djavax.net.ssl.trustStorePassword=TTSRp9nB3j4WtTeUh/ACiH9GvgGMoLArF87Lk29gZIirPFvDbrtB7VUXVTxXg41N1lU="
      

      That long generated password is the content of /path/to/opendj/config/keystore.pin.

      Maybe there's an AM truststore that I should've used instead.
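As an added example (not from this issue, nor from the AM, DS or Tomcat projects): a POSIX shell helper that applies the distinction the report makes. The connector's truststoreFile only governs TLS connections made to Tomcat; outbound connections from AM to DS use the JVM's default trust store, so the trust-store properties go into CATALINA_OPTS. Unlike the workaround above, it writes them to Tomcat's bin/setenv.sh (the file Tomcat sources for such settings) instead of editing catalina.sh, and reads the PIN from keystore.pin rather than pasting it. The DS paths ($DS_HOME/config/keystore and keystore.pin) and the setenv.sh location are assumptions; the demo input is constructed.

```shell
#!/bin/sh
# Added example; not code from OPENAM-16571 or from the AM/DS/Tomcat projects.
# Produces the JVM system properties that make a trust store visible to every
# outbound TLS client running inside Tomcat (AM -> DS). The Tomcat connector's
# truststoreFile/truststorePass attributes do not do this: they only apply to
# inbound TLS connections to Tomcat itself.
#
# Assumptions: DS keeps its keystore at $DS_HOME/config/keystore and the
# keystore password, one line, in $DS_HOME/config/keystore.pin (as the issue
# describes); Tomcat sources $CATALINA_BASE/bin/setenv.sh on start.

# jvm_truststore_opts KEYSTORE PINFILE [TYPE]
# Prints the -D options on stdout. Returns 1 if either file is unreadable or
# the PIN file is empty, so a misconfigured path fails here rather than as an
# opaque TLS handshake error later.
jvm_truststore_opts() {
    ks=$1
    pinfile=$2
    kstype=$3   # optional, e.g. PKCS12 or JKS; empty -> JVM default detection
    [ -r "$ks" ] || { echo "trust store not readable: $ks" >&2; return 1; }
    [ -r "$pinfile" ] || { echo "PIN file not readable: $pinfile" >&2; return 1; }
    pin=$(cat "$pinfile")            # $(...) strips the trailing newline
    [ -n "$pin" ] || { echo "PIN file is empty: $pinfile" >&2; return 1; }
    opts="-Djavax.net.ssl.trustStore=$ks -Djavax.net.ssl.trustStorePassword=$pin"
    if [ -n "$kstype" ]; then
        opts="$opts -Djavax.net.ssl.trustStoreType=$kstype"
    fi
    printf '%s\n' "$opts"
}

# write_setenv DS_HOME CATALINA_BASE
# Writes $CATALINA_BASE/bin/setenv.sh with CATALINA_OPTS carrying the trust
# store properties. The file is created readable only by the invoking user
# because it contains the keystore password. Prints the path written.
# (A PIN containing '"' or '$' would need escaping inside the quoted value.)
write_setenv() {
    ds_home=$1
    catalina_base=$2
    opts=$(jvm_truststore_opts "$ds_home/config/keystore" "$ds_home/config/keystore.pin") || return 1
    mkdir -p "$catalina_base/bin" || return 1
    ( umask 077
      {
        echo '#!/bin/sh'
        echo '# Generated: trust the DS server certificate for outbound TLS from AM.'
        printf 'CATALINA_OPTS="%s %s"\n' '-server -Xmx2g' "$opts"
      } > "$catalina_base/bin/setenv.sh" ) || return 1
    echo "$catalina_base/bin/setenv.sh"
}

# Demo on constructed input (no real DS or Tomcat install needed):
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/ds/config"
    echo "constructed placeholder, not a real keystore" > "$demo/ds/config/keystore"
    echo "example-pin-not-a-real-secret" > "$demo/ds/config/keystore.pin"
    write_setenv "$demo/ds" "$demo/tomcat" && cat "$demo/tomcat/bin/setenv.sh"
    rm -rf "$demo"
fi
```

Run as `sh script.sh demo` to see the generated setenv.sh. Two caveats for a real deployment: the password still ends up on the java command line, where anyone who can list processes on the host can read it, and pointing AM at DS's own keystore trusts whatever that file contains rather than just the DS server certificate; a dedicated trust store holding only the DS certificate (or its issuing CA) is the narrower choice.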

            People

            Cristina Herraz (cristina.herraz, inactive)
            Mark Craig (Mark)