
7.13. Truststores

Truststores have a number of roles within the Broker.

  • A truststore is required by a Port in order to support SSL client authentication.

  • Truststores have an optional role in end to end message encryption. The Broker acts as a Key Server so that publishing applications have convenient access to recipients' public keys.

  • Some authentication providers also use a truststore when connecting to authentication systems that are protected by a private issuer SSL certificate.

7.13.1. Types

The following truststore types are supported.

  • File Trust Store. This type accepts the standard JKS truststore format understood by Java and Java tools such as keytool.

  • Non Java Trust Store. A Non Java Trust Store accepts key material in PEM and DER file formats. Either a path to the certificate on the server can be specified using the file:// protocol, or the certificate can be uploaded with the data:// protocol.

  • Managed Certificate Store. This type accepts key material in PEM and DER file formats. Contrary to the Non Java Trust Store this store allows the user to add multiple certificates and stores them in the broker configuration.

  • Site Specific Trust Store. This type will download a certificate from the provided SSL/TLS enabled URL. Note that you must specify both the protocol and the port. Example: https://example.com:443

7.13.2. Attributes

  • Name the truststore. Used to identify the truststore.

  • Exposed as Message Source. If enabled, the Broker will distribute certificates contained within the truststore to clients. Used by the end to end message encryption feature.

The following attributes apply to File Trust Stores only.

  • Path. Path to the truststore file.

  • Truststore password. Password used to secure the truststore.

    Important

    The password of the certificate used by the Broker must match the password of the keystore itself.

  • Certificate Alias. An optional way of specifying which certificate the broker should use if the keystore contains multiple entries.

  • Manager Factory Algorithm. In keystores that have more than one certificate, the alias identifies the certificate to be used.

  • Key Store Type. Type of Keystore.

  • Peers only. When the "Peers Only" option is selected for the Truststore, the Broker will authenticate only those clients that present a certificate exactly matching a certificate contained within the Truststore database.

The following attributes apply to Non Java Trust Stores only.

  • Certificates. The certificate(s) in DER or PEM format.
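Two points above are worth seeing in working code: a Non Java or Managed Certificate Store takes the same certificate in either PEM or DER form, and "Peers Only" means an exact match against a certificate held in the store rather than issuer or chain trust. The following Python script is an added example, not code from the Broker's own code base or from this guide. The certificates in it are constructed placeholder bytes (not real X.509 certificates), and the names load_certificates, fingerprint and PeersOnlyTrustStore are illustrative only.

```python
import base64
import hashlib
import re

# --- Constructed sample material (NOT real X.509 certificates) ------------
# Only the outer shape matters here: a DER-encoded certificate begins with
# the ASN.1 SEQUENCE tag 0x30, so these placeholders do too.
CERT_A_DER = b"\x30\x10" + b"peer-A-sample!!!"
CERT_B_DER = b"\x30\x10" + b"peer-B-sample!!!"
CERT_C_DER = b"\x30\x10" + b"peer-C-sample!!!"   # never added to the store


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour a keytool/openssl export produces."""
    body = base64.encodebytes(der).decode("ascii")  # 76-char lines, trailing \n
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# A PEM bundle with two certificates, as one 'Certificates' entry might hold.
TRUSTED_PEM_BUNDLE = (der_to_pem(CERT_A_DER) + der_to_pem(CERT_B_DER)).encode("ascii")

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def load_certificates(data: bytes) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM or DER file body.

    PEM may carry several certificates; a DER file carries exactly one.
    """
    text = data.decode("ascii", errors="ignore")
    if "-----BEGIN CERTIFICATE-----" in text:
        blocks = _PEM_BLOCK.findall(text)
        return [base64.b64decode("".join(b.split())) for b in blocks]
    if not data or data[0] != 0x30:
        raise ValueError("input is neither PEM text nor a DER SEQUENCE")
    return [bytes(data)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes: the same certificate in PEM or DER form
    normalises to the same fingerprint."""
    return hashlib.sha256(der).hexdigest()


class PeersOnlyTrustStore:
    """Models the 'Peers Only' check: a client is accepted only if the exact
    certificate it presents is in the store. Issuer/chain trust plays no part."""

    def __init__(self, sources: list[bytes]):
        self._fingerprints: set[str] = set()
        for src in sources:
            for der in load_certificates(src):
                self._fingerprints.add(fingerprint(der))

    def __len__(self) -> int:
        return len(self._fingerprints)

    def accepts(self, presented: bytes) -> bool:
        """Check the leaf certificate a client presents (PEM or DER)."""
        ders = load_certificates(presented)
        return bool(ders) and fingerprint(ders[0]) in self._fingerprints


def demo() -> dict:
    # The store is fed CERT_A twice (once DER, once inside the PEM bundle);
    # normalisation means it still holds only two distinct entries.
    store = PeersOnlyTrustStore([CERT_A_DER, TRUSTED_PEM_BUNDLE])
    return {
        "entries": len(store),
        "client_a_der": store.accepts(CERT_A_DER),
        "client_b_pem": store.accepts(der_to_pem(CERT_B_DER).encode("ascii")),
        "client_c_unknown": store.accepts(CERT_C_DER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With Peers Only enabled the store must hold the leaf certificates of every permitted client, which is what the fingerprint set above models; with it disabled, the Broker instead validates the chain a client presents against the CA certificates in the store, so a client whose certificate is merely issued by a trusted CA is accepted. Keeping the two modes distinct matters when a truststore that was meant as a client allow-list is reused for an authentication provider or for end to end encryption.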

7.13.3. Children

None

7.13.4. Lifecycle

Not supported