It is possible to run the Token Server container with a custom truststore. The truststore is used to define the certificates that the Token Server can trust when creating SSL connections to external systems or to a database.
Note that these steps can be performed for either the engine or the admin container. From now on we'll use engine. If you're planning to do this for the admin, just replace engine with admin in the examples below.
This article extends the documentation we currently have on this subject.
By default, the 'engine' container has a cacerts file at /usr/lib/jvm/java-8-oracle-amd64/jre/lib/security/cacerts (the path used in the docker cp command below).
Download truststore from docker container
Start the engine container.
Use the following command to copy the cacerts file out of the docker container onto the host machine:
$ docker cp <CONTAINER_ID>:/usr/lib/jvm/java-8-oracle-amd64/jre/lib/security/cacerts <LOCATION_ON_HOST_MACHINE>
Add the certificate to the truststore
Option 1: Use Java keytool
Browse to $JAVA_HOME/bin to run 'keytool' with the following parameters:
$ keytool -import -alias <ALIAS_OF_CERTIFICATE> -file <LOCATION_ON_HOST_MACHINE>/<CERTIFICATE_NAME> -keystore <LOCATION_ON_HOST_MACHINE>/cacerts
Option 2: KeyStore Explorer
Download and install KeyStore Explorer.
- In the KeyStore Explorer quick start menu, click 'Open an existing KeyStore', browse to the location on the host machine where the cacerts file is located and open it.
- By default, cacerts is protected with the default password: changeit
- Click the 'Import Trusted Certificate' icon in the top bar; a pop-up screen appears.
- Select the certificate you want to add.
- Type the name of the alias in the text box and click 'OK'.
- Click the 'Save' icon in the top bar.
- Close the KeyStore Explorer.
Upload truststore to docker host
Now that we have added the certificate to the truststore, it's time to find a suitable location on the docker host to place the truststore.
Start the container with the updated truststore
Open the docker-compose.yml file and add a volume mount like this:
tokenserver:
  volumes:
    - "<LOCATION_ON_DOCKER_HOST>:/opt/data/truststore"
Also, in the JAVA_OPTS parameter add the following:
Now start the engine container with:
docker-compose up -d engine
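The steps above combined into one script, as an added example that is not part of the original article or of the Token Server product. It assumes docker, keytool (from a JDK) and docker-compose are on PATH, that docker-compose.yml already carries the volume mount and JAVA_OPTS changes, and that the four arguments are placeholders for your environment; it also adds two checks the article does not mention: that the alias was really imported, and that the truststore file is not group- or world-writable before it is mounted into the container.

```shell
#!/bin/sh
# Assumptions (hypothetical, not from the article): docker, keytool (JDK) and
# docker-compose are on PATH, and docker-compose.yml already carries the
# volume mount and JAVA_OPTS changes described above.
set -eu

CACERTS_IN_CONTAINER=/usr/lib/jvm/java-8-oracle-amd64/jre/lib/security/cacerts
STOREPASS=changeit   # default cacerts password, as in the article

# Copy the JVM's default cacerts out of the running engine container.
export_cacerts() {   # $1 = container id, $2 = destination directory on the host
    docker cp "$1:$CACERTS_IN_CONTAINER" "$2/cacerts"
}

# Import a certificate as a trusted entry, non-interactively.
import_cert() {      # $1 = truststore, $2 = certificate file, $3 = alias
    keytool -importcert -noprompt -trustcacerts -alias "$3" \
        -file "$2" -keystore "$1" -storepass "$STOREPASS"
}

# Succeeds only if the alias exists in the store as a trustedCertEntry.
has_alias() {        # $1 = truststore, $2 = alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null |
        grep -q trustedCertEntry
}

# Pre-flight check on the file to be bind-mounted: absolute path, regular file,
# and not writable by group/other (otherwise any host user can add a trusted CA).
mount_ok() {         # $1 = host path of the truststore file
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in *[2367][0-7]|*[2367]) return 1 ;; esac
    return 0
}

main() {             # <CONTAINER_ID> <CERT_FILE> <ALIAS> <TRUSTSTORE_DIR>
    store="$4/cacerts"
    export_cacerts "$1" "$4"
    import_cert "$store" "$2" "$3"
    chmod 644 "$store"
    has_alias "$store" "$3" || { echo "alias $3 not imported" >&2; exit 1; }
    mount_ok "$store"      || { echo "$store is not safe to mount" >&2; exit 1; }
    docker-compose up -d engine
}

if [ $# -eq 4 ]; then main "$@"; fi
```

Run it as `sh custom-truststore.sh <CONTAINER_ID> <CERTIFICATE_NAME> <ALIAS_OF_CERTIFICATE> <LOCATION_ON_DOCKER_HOST>`; the script stops before starting the container if the alias is missing or the file permissions are too loose.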