OPENIDM-15342: Procedure to set up CA-signed cert should include updating openidm.https.keystore.cert.alias

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.0.4
    • Fix Version/s: 7.1.0, 7.0.1
    • Component/s: documentation
    • Labels: None

      Description

      In https://backstage.forgerock.com/docs/idm/7/security-guide/import-signed-cert.html
      You can use existing CA-signed certificates to secure connections and data
      ...
      If you specified an alias other than openidm-localhost for the new certificate, edit your secrets.json file to reference that alias.
      ...

      { "secretId" : "idm.jwt.session.module.encryption",
        "types" : [ "ENCRYPT", "DECRYPT" ],
        "aliases" : [ "my-new-key", "&{openidm.https.keystore.cert.alias|openidm-localhost}" ]
      }

      • Jetty uses the cert referenced in boot.properties openidm.https.keystore.cert.alias (by default openidm-localhost).
      • If an alias other than "openidm-localhost" is used for CA-signed cert, openidm.https.keystore.cert.alias needs to be updated (otherwise Jetty still presents the openidm-localhost cert).
      • And if openidm.https.keystore.cert.alias is updated, there should be no need to update secrets.json.
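      As an added illustration of the three bullets above (not code from this issue or from ForgeRock), the script below resolves IDM's &{property|default} placeholders from boot.properties and checks that the alias Jetty will present is the imported CA-signed one and that the secrets.json entry resolves to it without being edited. The property file, the secret entry, the keystore alias set and the alias name my-ca-signed-cert are constructed inputs.

```python
import json
import re

# Constructed sample inputs (not taken from a real deployment).
BOOT_PROPERTIES = """\
# boot.properties excerpt: alias Jetty presents on the HTTPS listener
openidm.https.keystore.cert.alias=my-ca-signed-cert
"""
SECRETS_JSON = """\
{ "secretId": "idm.jwt.session.module.encryption",
  "types": ["ENCRYPT", "DECRYPT"],
  "aliases": ["my-new-key", "&{openidm.https.keystore.cert.alias|openidm-localhost}"] }
"""
# Aliases present in the keystore (what `keytool -list` would show); constructed here.
KEYSTORE_ALIASES = {"openidm-localhost", "my-ca-signed-cert", "my-new-key"}

PLACEHOLDER = re.compile(r"&\{([^|}]+)(?:\|([^}]*))?\}")


def parse_properties(text):
    """Minimal key=value parser for boot.properties; comments and blank lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Expand &{property|default} references the way IDM config substitution does."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(2) or ""), value)


def check_alias_wiring(boot_text, secrets_text, keystore_aliases, imported_alias):
    """Return (jetty_alias, resolved_secret_aliases, problems) for one deployment."""
    props = parse_properties(boot_text)
    # Jetty falls back to openidm-localhost when the property is not set.
    jetty_alias = props.get("openidm.https.keystore.cert.alias", "openidm-localhost")
    resolved = [resolve(a, props) for a in json.loads(secrets_text)["aliases"]]
    problems = []
    if jetty_alias != imported_alias:
        problems.append(f"Jetty presents {jetty_alias!r}, not the imported {imported_alias!r}: "
                        "update openidm.https.keystore.cert.alias in boot.properties")
    for alias in sorted({jetty_alias, *resolved} - set(keystore_aliases)):
        problems.append(f"alias {alias!r} is referenced but missing from the keystore")
    if jetty_alias not in resolved:
        problems.append("secrets.json does not resolve to the alias Jetty serves")
    return jetty_alias, resolved, problems
```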

    People

    • Assignee: Lana Frost
    • Reporter: Wei-Yee Lum (wei-yee.lum)